Malvertising in stealing Google search results
In recent months, we have observed an increase in the number of malicious campaigns that use Google Advertising as a malware distribution and delivery tool. At least two different thieves, Rhadamanthys and RedLine, abused the search engine promotion scheme to send malicious payloads to victims’ machines. They seem to use the same technique to emulate a website associated with well known software like Notepad++ and Blender 3D.
Authorized actors make copies of legitimate software websites while using typos (using misspelled popular brands and company names as URLs) or composite sorting (combining popular brands and company names with random words as URLs) to make the sites look real. end user—domain names refer to the original software or vendor. The design and content of fake web pages look the same as the original pages. Threat actors then pay to promote the website to push it to the top search results in the search engine. The technique is called “malicious advertising.”
In the snapshots below, we can see Google ads promoting fake pages for AMD drivers and Blender 3D software. If we take a closer look at the URLs, we see that the domains contain the software name, but have nothing to do with actual AMD or Blender 3D vendors. In many cases, top-level domains are also different from those of official sites. Using less common TLDs allows threat actors to register second-level domains similar to real ones. These domains attract victims to click on the link and access the fake website more often than random domains registered in a more common domain zone, such as COM, because they may appear more like a legitimate website.
Fake AMD and Blender 3D websites in search results
We visited some of the promoted sites and obtained the malicious payloads they were distributing. In this article, we will mainly focus on “Blender 3D” fake websites.
Fake Blender 3D web pages
The size of the downloaded file (ZIP archive) is 269 MB, which is close to the original Blender installer size. The 257MB size specified on the fake webpage matches that of the original Blender 3D installer, but not the size of the fake download.
When the user clicks the “Download” button, the archive blender-3.4.1-windows-x64.zip (E0BDF36E4A7CF1B332DC42FD8914BA8B) is downloaded.
The size of the extracted file (BBA8AA93FCDDA5AC7663E90C0EEFA2E7) is 657 MB. When launched, it leaves two files in the temporary directory:
- Original Blender 3D MSI installer, again 657 MB in size (marked in green in the screenshot below);
- A PE file that acts as the next stage installer for a malicious PE file that has the same size as the original installer (marked in red): 657 MB.
Dropped files: original Blender 3D MSI installer and malicious installer
The malicious installer dropped is so large in size because when the PE file is created it is bloated with junk bytes. The uninspired malicious installer size is about 330 KB and the rest is insignificant.
Junk bytes bloating the loader
After the initial installer (unarchived) drops these two files, it runs the malicious PE file using the CMD method (cmd.exe /c). [Filename] command) to hide it from the user. Additionally, the initial installer also runs the original Blender 3D MSI to convince the victim that the requested software is running.
Therefore, threat actors hide their malicious payload through the installation of another software product by creating a “bootloader” for legitimate software that will install both the malware and the original requested software on the victim’s machine.
Blender 3D loader launched by “front loader”
The screenshot above shows the actual software installer running, but if we take a closer look at the processes, we will notice a short-lived subprocess (cmd.exe /c -> “SetupFileProgram”) executed by the “bootloader”. ”. This short-lived process is the installer of the malware.
The installer is a .NET file protected by an unregistered version of .NET Reactor. It seems to use an anti-debug technique to prevent a debugger from running and dynamically analyzing the binary. In summary, the installer runs a new powershell.exe process and manipulates it to execute multiple PowerShell commands instructing it to access a third-party URL to get the payload. The payload is a base64-encoded, AES-encrypted, fileless binary. Other commands are about decoding and decrypting this binary, then running it in a newly created memory. aspnet_compiler.exe The process is a legit Windows .NET framework build tool.
In this case, we observed two detection evasion tricks during the study period:
- Fileless technique that involves taking a payload from an online source and loading it directly into a process’s memory;
- In this case, LOLBAS (land-dwelling binaries and scripts), which is the use of a .NET build tool to run the malicious binary.
Below we provide a more detailed analysis of the loader execution chain. After the Loader gets past the anti-debugger, we can see it launches a PowerShell process, so we’ll put a breakpoint on the CreateProcessW WinAPI call to observe the behavior.
Call CreateProcessW to create a PowerShell process
Since we didn’t see any command passing to the PowerShell process when starting it with the CreateProcessW call, we can conclude that it will pass at some point later, so we can observe the passage of PowerShell commands by setting a breakpoint. In the WinAPI WriteFile to see the command lines of the powershell.exe process.
So, after we let it run and hit the breakpoint, we will check the result on the return of the function call and we can see that there is the first command in the stack pushed to the powershell.exe process. #Start Asleep -seconds 30;.
Observing pushed commands
We can try checking the memory partition where the command is stored and looking for other commands kept in memory for later use by the loader.
Memory address of sent PowerShell commands
After we get all the data in this memory partition, we will see all the commands passed to the powershell.exe process via the WriteFile WinAPI call.
If we read the commands, we can see what exactly the powershell.exe process is about to do. The commands tell it to perform the following actions:
- Download the string data that is part of the following URL, namely the name of the file: http[:]//45.93.201[.]114/documents/[RandomChars].txt. The downloaded data is a Base64 encoded string whose code is converted to encrypted data.
- Prepare the decryption method AES-CBC as can be seen in the screenshot above. We can also easily see and decode the Base64 encoded key and IV (initialization vector) used for decryption in the PowerShell command.
- Decrypt the data to a Gzip compressed binary file.
- Open the binary file.
- Call the binary to run it.
The binary we obtained is a dropper of known malware. RedLine thief. The thief’s version at hand uses an interesting technique to disguise its malicious payload: it’s encoded in the key and IV bytes for AES decryption, along with the most unimportant image bit stored in the dropper’s source partition.
Embedded images containing a malicious payload
Payload decryption routine
After decrypting the payload, it initiates a legal action called “dropper”.aspnet_compiler.exe”It is part of the Microsoft .NET framework and injects the payload into it.
Injecting a load routine
Attackers register deceptive domain names like blender3d-software to distribute fake pages.[.]net or blender3d software[.]organ. We found over fifty similar domains hosted on the same IP address: 91,229.23[.]200. These domains also emulate other software distribution sites, for example, afterburner-software[.]org, tradingviews software[.]org and unity download[.]com.
Malicious payload may be stored on the same site (e.g. hxxps[://]blahder3dsoft[.]store/Blender[.]rar) in a public service that can be used as a landing page or as a file hosting service (MediaFire or GitHub).
We are seeing an increase in the spread of malware families through Google Ads campaigns, particularly search ads. Threat actors use fake websites to impersonate legitimate software vendor websites to lure victims and pay for advertisements promoting them. They use typo and combo login, which have become common techniques in recent months for malicious website domains. In some cases, such as those described in this article, threat actors make sure they install the requested software alongside their malicious payload.
In recent campaigns, we have observed mainly thief-type malware like RedLine or the notorious Rhadamanthys, which is also known to use malvertising techniques to reach victims and steal data from their compromised machines.
This type of distribution means that threat actors are targeting both individual and corporate victims around the world.