Executive Summary
For an attacker who relies on malware to compromise a target, one of the most important problems to solve is how to get the malware onto the victim's device. There are many ways to achieve this, but one that has become increasingly popular is the use of Google Ads to trick victims into downloading malware in place of the software they were searching for.
Using advertisements to spread malicious download links is a long-standing technique, but over the past year there has been a marked increase in the abuse of Google's own sponsored links for this purpose. This is especially insidious because sponsored links appear alongside the normal results on Google, distinguished only by the small 'Ad' label in front of the URL. Less aware victims, or simply those who are not fully on guard, may take the placement as a false signal that the software they have found is legitimate.
Recently a group currently tracked as 'DEV-0569' has been distributing large amounts of malware using this method. In 2022 this included fake installers for widely used programs bundled with a piece of malware called BATLOADER. This gives the attackers control of the victim's PC and free rein to deliver further payloads that steal, harvest or destroy whatever data they wish. The same actor has also been seen delivering other tools, such as RedLine and Cobalt Strike, through the same method of infiltration.
This group is thought to be an example of an 'initial access broker': a threat actor that sells the service of breaking into computers to other malware gangs. Evidence of this activity was seen when they were found distributing Royal ransomware.
The group behind Royal ransomware runs it as a private operation, meaning that they do not rent out their tooling to affiliates as a ransomware-as-a-service organisation would. From this it can be inferred that in these cases the Royal gang were the customers, and DEV-0569 were providing the service in the form of the initial infection.
The success of this group, and of others using these methods, means that sponsored links on Google should be treated as unsafe until an effective way of preventing these attacks is found and deployed. It is easy to see how someone would fall for this kind of attack: the habitual way of using Google is simply to click the topmost result.
In these cases people click what they assume is the most relevant, and therefore correct, link and are brought to a convincing replica of the real site's download page. Many would then assume that they have clicked the correct result and that the software on offer is legitimate. This combines the effectiveness of a cloned web page, as seen in email phishing, with an unusual method of entry: the victim reached the site the same way they reach any other legitimate page. The result is an incredibly convincing trap that many tech-savvy users would fall for if they were not paying attention.
How can people protect themselves from this?
When using Google, always be aware that a malicious actor using sponsored links or SEO trickery may occupy what Google presents as the most relevant result. Rather than taking a high position in the results as an endorsement from Google, remember that these rankings are produced automatically, and in the case of ads are simply paid for, rather than curated.
To avoid falling victim to this type of attack, check the link you are about to click when searching for software. An attacker cannot use the vendor's genuine domain, so they rely on lookalike domains (typosquats, swapped or confusable characters, internationalised hostnames, or the vendor's name placed as a subdomain of a domain they control) or on hosting the file on an unrelated service. Note also that the URL printed on a sponsored result is a display URL and is not necessarily where the click lands: check the address bar on the page you arrive at, and again before you download anything.
Keep in mind that just because a link came from a reputable source does not mean the destination is trusted: there are plenty of malicious destinations reachable from Google, many malicious repositories on GitHub, and many pieces of malware hosted on legitimate services. A small amount of vigilance is enough to recognise that a result on Google is an ad, and checking the URL of any link you wish to visit is a small effort that can easily prevent disaster.
Overall, this represents a worrying development: this is an easy mistake to make, and it now has dire consequences. However, as with many other attack vectors, a small amount of caution while browsing the web is enough to overcome the threat.
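As an added example (not part of the original post, and not a tool of the vendors or researchers mentioned above), the following Python script performs the domain check described in this section for a download link. It compares the registrable domain of the URL against an allowlist of the vendor's genuine domain and rejects punycode or non-ASCII hosts (homograph candidates), the vendor's name smuggled into a subdomain of another domain, and typosquats within a small edit distance or with confusable characters. The allowlist, the confusable table and the sample URLs are constructed for illustration and are not real indicators from the sources.

```python
"""Domain check for a software download link (added example, not from the
original post). The vendor allowlist, confusable table and sample URLs below
are constructed for illustration."""
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist: the registrable domain each product is genuinely served
# from. In practice, maintain this from the vendor's own documentation.
OFFICIAL_DOMAINS = {
    "notepad++": "notepad-plus-plus.org",
    "7-zip": "7-zip.org",
    "anydesk": "anydesk.com",
}

# Character substitutions commonly used to build lookalike domains (constructed).
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Adequate for the .com/.org style domains
    used here; a production tool should use the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def skeleton(label: str) -> str:
    """Collapse a label to a confusable-insensitive ASCII form for comparison."""
    s = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    for lookalike, plain in CONFUSABLES.items():
        s = s.replace(lookalike, plain)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_download_url(url: str, product: str) -> str:
    """Return 'ok', 'warn: ...' or 'reject: ...' for a download link.

    Pass the URL shown in the browser address bar after the ad's redirect chain
    has finished, not the display URL printed on the sponsored result."""
    expected = OFFICIAL_DOMAINS.get(product)
    if expected is None:
        return "reject: unknown product, no allowlisted domain"
    parts = urlsplit(url)
    host = parts.hostname or ""          # urlsplit lowercases the hostname
    if not host:
        return "reject: no host in URL"
    actual = registrable_domain(host)
    if actual == expected:
        if parts.scheme != "https":
            return "warn: official domain but plain http, download could be tampered with in transit"
        return "ok"
    # Internationalised hostnames (raw non-ASCII or punycode labels) are the classic
    # homograph trick; the allowlisted domains are pure ASCII, so reject outright.
    if "xn--" in host or any(ord(c) > 127 for c in host):
        return "reject: internationalised host, possible homograph of " + expected
    exp_label = expected.split(".")[0]
    act_label = actual.split(".")[0]
    # Vendor name smuggled into a subdomain, e.g. notepad-plus-plus.org.example.net
    if exp_label in host.split(".")[:-2]:
        return "reject: vendor name used as a subdomain of " + actual
    # Same name on another TLD, embedded vendor name, confusable spelling or a
    # small edit distance all indicate a lookalike registration.
    if (exp_label in act_label
            or skeleton(act_label) == skeleton(exp_label)
            or levenshtein(act_label, exp_label) <= 2):
        return "reject: lookalike of " + expected + " (" + actual + ")"
    return "reject: not the vendor domain (" + actual + ")"


if __name__ == "__main__":
    # Constructed URLs: one genuine result and several in the style of
    # malvertising landing pages.
    samples = [
        ("https://www.7-zip.org/a/7z-x64.exe", "7-zip"),
        ("http://anydesk.com/download", "anydesk"),
        ("https://7-zlp.org/download", "7-zip"),
        ("https://notepad-plus-plus.org.example.net/download", "notepad++"),
        ("https://xn--notepad-plus-plus-xyz.org/", "notepad++"),
        ("https://github.com/notepad-plus-plus/notepad-plus-plus/releases", "notepad++"),
    ]
    for url, product in samples:
        print(f"{classify_download_url(url, product):70} {url}")
```

A hit on a legitimate third-party host such as github.com is still reported as "not the vendor domain", which is the intended conservative answer: as noted above, a file hosted on a reputable service is not automatically the vendor's file, and such a link deserves a manual check against the vendor's own download page.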
Sources:
https://www.mandiant.com/resources/blog/seo-poisoning-batloader-atera
https://www.infosecurity-magazine.com/news/dev0569-expands-toolkit-royal/