Rewterz Threat Alert – New Malvertising Campaign MasquerAds Abuses Google Ads – Active IOCs

Severity

High

Analysis Summary

Researchers discovered a malvertising campaign that uses Google Ads to target users searching for popular software. The campaign is tracked as MasquerAds and is attributed to a threat actor under the name Vermux. The campaign’s goal is to distribute tainted versions of popular software that install malicious payloads on the user’s machines, such as information-stealing malware like Raccoon Stealer and Vidar.

By hijacking searches for specified keywords, the activity makes use of supposedly trustworthy websites with typosquatted domain names that are displayed on top of Google search results in the form of malicious adverts.

The attacker utilized a series of benign sites to mislead users into clicking on them and then redirecting them to rogue sites.

“The moment those “disguised” sites are being visited by targeted visitors (those who actually click on the promoted search result) the server immediately redirects them to the rogue site and from there to the malicious payload — usually also hiding inside reputable file sharing and code hosting servers like GitHub, dropbox, discord’s CDN, etc” researcher stated.

AnyDesk, Dashlane, Grammarly, Malwarebytes, Microsoft Visual Studio, MSI Afterburner, Slack, and Zoom are among the impersonated software used in the campaign.

Threat actors behind this campaign put a significant effort into the malicious payload used in the campaign, such as using stealers that can bypass defense solutions.

‘Even for Virus-Total, it took many days after our submission to acquire more than a few handful detections,’ says the researcher.

The Vermux operation has deployed hundreds of domains and servers located mostly in Russia, while the rogue advertising mostly targeted users in the United States and Canada.

“masquerAd” concept is simple yet does exactly what those actors need — abuse the trust we sometimes blindly give to Google and their promoted search results. Adding to the above, the abuse of reputable file-sharing services as well as well-known software brands make them evade even the most advanced EDRs on the market.”

The report concludes, Don’t be misled by misspelling domain names, and always double-check where you obtain your files from.

Impact

• Information Theft
• SEO Poisoning
• Malware Distribution In Legit Software

Indicators of Compromise

Domain Name

• msiburnberafter.online
• gfrce.nioiviidlia.site
• frce.nvilldia.site
• pierrelanscapes.com

MD5

• 1e0914c42753434cb0c6845c642dc7ea
• 380cd2edc6461ee4c3fe00bcf7c4fb1b

SHA-256

• 06556a278570098462fc52592e27e3ae1a6dfd279d4b737b8534f932a89beca9
• a34eae42892af65277165e6120c3fd24862a018f24b982d88762c46158785374

SHA-1

• 9009e7325736cf4a669ad3c5a10311af974d5ad7
• dbe4140d2d6dad20aef7dcb00dfdfcc64bb21251

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Keep Systems Up to Date and Patch Regularly
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Enforced Access Management Policies
• Prohibit password sharing
• Restrict installation of untrusted 3rd Party application
• Do not use the same password for multiple platforms, servers, or networks.