'ḲeePass' Is Not 'KeePass': A Tiny Dot That Made It An Effective Malvertising On Google

Green

One of the most effective ways to broadcast a message is to advertise it.

And thanks to the internet, a relatively insignificant sum of money lets anyone spread their words to every corner of the web, to places as far as the internet reaches. Hackers know this, which is why they are using Google Ads to promote their malicious campaigns.

Details have emerged about a malvertising campaign that targets people searching for popular software and tricks them into landing on a malicious page, in order to deliver malware to those unfortunate, unsuspecting users.

Malwarebytes, which discovered the activity, reported that it's "unique in its way to fingerprint users and distribute time sensitive payloads."

For starters, the cybersecurity company said that the hackers were targeting people who searched Google for Notepad++ and PDF converters.

[Image: Google Ads malicious campaign]

The hackers carried out their attacks by using Google Ads to place their malvertising above the organic search results, and served those who clicked on them decoy websites.

The websites in question look extremely similar to the legitimate ones.

But should visitors download the intended software from those sites, what they actually get is malware on their computer.

To make the campaign more effective, the rogue website also silently fingerprints the visitor's system to determine whether the request is coming from a virtual machine. Visitors who fail that check, meaning those whose systems look like sandboxes or analysis machines rather than real victims, are sent to the legitimate website instead.

Those who pass the check, and thus fall for the trick, are assigned a unique ID for "tracking purposes but also to make each download unique and time sensitive."

After the victim downloads and runs the supposed installer, the final stage of the attack is an HTA payload that establishes a connection to a remote domain on a custom port and serves follow-on malware.

"Threat actors are successfully applying evasion techniques that bypass ad verification checks and allow them to target certain types of victims," said Jérôme Segura, a Sr. Director of Threat Intelligence at Malwarebytes.

"With a reliable malware delivery chain in hand, malicious actors can focus on improving their decoy pages and craft custom malware payloads."

The finding overlaps with a similar campaign targeting people who searched for the popular KeePass password manager.

Threat actors were again found using Google Ads to push their malvertising directly to potential targets. The difference is that they directed victims to a Punycode domain, ķeepass[.]info.

[Image: Google Ads malicious campaign]

While this domain looks the same as the legitimate keepass[.]info, it relies on Punycode, an encoding that represents Unicode characters in the ASCII-only syntax that domain names allow. On closer inspection the difference is visible on the letter "k", which carries a tiny, faintly visible dot underneath.

To most people, who tend to skim while reading, this tiny 'defect' is practically invisible.

The tiny dot at the bottom of the letter can easily be mistaken for a speck of dust on a smartphone or computer screen, and go unnoticed.

"People who click on the ad will be redirected via a cloaking service that is meant to filter sandboxes, bots and anyone not deemed to be a genuine victim," Segura noted. "The threat actors have set up a temporary domain at keepasstacking[.]site that performs the conditional redirect to the final destination."

This makes the malvertising effective enough that it even got past Google's ad checks.

[Image: Google Ads malicious campaign]

It's worth noting that Punycode abuse by hackers is not new.

What is new is that the hackers are combining the method with Google Ads, creating a rogue site that spreads via the search engine. This makes the attack more sophisticated.

By using Punycode to register a domain name that looks like the legitimate site's, the goal is to pull off a homograph attack and lure victims into installing malware.
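The Punycode encoding described above and the homograph attack it enables can be made concrete with a small checker. This is an added example, not code from the article or from Malwarebytes' research: it converts a domain between the ASCII form that DNS and the ad platform see and the Unicode form the address bar shows, then reduces the Unicode form to the plain-ASCII string a skimming reader perceives and compares that against a protected brand. Only keepass.info, the ķeepass variant and keepasstacking.site come from the article; the ASCII "xn--" form is computed from the article's domain, while the dot-below variant (the headline's rendering of the letter), the Cyrillic variant, the confusables table and all function names are assumptions made for this example.

```python
import unicodedata

# Domain the article identifies as the impersonated brand.
PROTECTED = {"keepass.info"}

# Partial cross-script confusables table (Cyrillic -> Latin). Assumption for this
# example: it is deliberately incomplete; a production check should load the full
# Unicode confusables.txt data instead of this hand-written subset.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
}


def a_label(domain: str) -> str:
    """ASCII (A-label) form of a domain: what DNS, TLS and an ad platform see.

    Non-ASCII labels are Punycode-encoded and prefixed with "xn--"; labels that
    are already ASCII pass through unchanged (only lower-cased here).
    """
    return domain.encode("idna").decode("ascii").lower()


def u_label(domain: str) -> str:
    """Unicode (U-label) form: what an address bar or an ad may display."""
    return a_label(domain).encode("ascii").decode("idna")


def skeleton(domain: str) -> str:
    """Reduce a domain to the plain-ASCII string a skimming reader would perceive.

    Canonical decomposition (NFD) splits 'ķ' into 'k' + COMBINING CEDILLA and
    'ḳ' into 'k' + COMBINING DOT BELOW; the combining marks are then dropped,
    and whole-character look-alikes from other scripts go through CONFUSABLES.
    """
    chars = []
    for ch in unicodedata.normalize("NFD", u_label(domain)):
        if unicodedata.combining(ch):
            continue  # the "tiny dot" the article describes lives here
        chars.append(CONFUSABLES.get(ch, ch))
    return "".join(chars)


def classify(domain: str) -> str:
    """Return 'legitimate', 'homograph', 'unrelated' or 'invalid' for a domain."""
    try:
        ascii_form = a_label(domain)
    except UnicodeError:
        return "invalid"
    if ascii_form in PROTECTED:
        return "legitimate"
    if skeleton(ascii_form) in PROTECTED:
        return "homograph"
    return "unrelated"


def report(domains):
    """Classify each domain; returns a list of (as given, A-label, verdict)."""
    rows = []
    for d in domains:
        try:
            rows.append((d, a_label(d), classify(d)))
        except UnicodeError:
            rows.append((d, "-", "invalid"))
    return rows


if __name__ == "__main__":
    # Constructed sample list. The two KeePass spellings and the redirector are
    # from the article; the other variants are added for illustration only.
    samples = [
        "keepass.info",
        "KeePass.info",
        "\u0137eepass.info",    # ķeepass.info, k with cedilla (article body)
        "xn--eepass-vbb.info",  # the same domain as the browser resolves it
        "\u1e33eepass.info",    # ḳeepass.info, k with dot below (headline)
        "k\u0435epass.info",    # first 'e' is CYRILLIC SMALL LETTER IE
        "keepasstacking.site",  # the article's cloaking redirector
    ]
    for shown, ascii_form, verdict in report(samples):
        print(f"{shown:<24} {ascii_form:<28} {verdict}")
```

The point of the skeleton step is that a brand allowlist or an ad-review filter that matches on the raw string sees "xn--eepass-vbb.info" and nothing resembling KeePass; matching on the decoded and normalised form is what exposes the look-alike. Note that the Python `idna` codec implements the older IDNA 2003 rules, so a production check should apply the same normalisation the browsers of the intended victims use.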

"While Punycode with internationalized domain names has been used for years by threat actors to phish victims, it shows how effective it remains in the context of brand impersonation via malvertising," Segura said.

Published: 
26/10/2023