Kroll has observed threat actors abusing Google Ads to deploy malware that masquerades as legitimate downloads or as software that has been “cracked” or modified to remove or disable features such as copy protection or adware. As part of our analysis of this trend and threat, we have specifically identified that the VIDAR malware, an information-stealing Trojan, uses Google Ads to advertise spoofed domains and redirect users to fraudulent sites or malware downloads. Kroll is currently tracking the use of this tactic by ransomware groups around the world, particularly groups assessed with medium confidence to be associated with former Conti ransomware affiliates, such as Royal ransomware operators, Black Basta and Hive. While the infection vector is the same, Zloader is typically used to deploy further malicious tools to gain a foothold within the network during the intrusion lifecycle.
As an example of Kroll’s findings and analysis of this trend, we discovered a particular Google ad that, while displaying the legitimate domain of the open source image-editing product GIMP, ultimately redirected the user to a typo-squatted domain hosting a cloned website that contained malicious downloads. This is particularly interesting because the ad format is controlled by the Google Ads framework: Google extracts the display domain highlighted below from the destination URL provided by the advertiser.
Figure 1: Screenshot of the malicious ad (Source: Kroll)
Figure 2: Screenshot of the Typo-Squatted domain (Source: Kroll)
The malicious domain gilimp[.]org appears to have been registered on October 17, 2022, indicating that this ad could have been active for up to 16 days at the time of our analysis.
Figure 3: Whois record for domain with typo (Source: Kroll)
At the time of research, the ad was no longer accessible, and screenshots available online no longer showed the ad’s destination URL on hover (the first step in the request chain), making it more difficult for Kroll to definitively determine exactly how the threat actor accomplished this.
Kroll analyzed a binary hosted on the malicious domain that purported to be the GIMP software. The analysis showed that it was, in fact, VIDAR malware. Our experts determined that the malware was stealing browser cookies and passwords, along with detailed system information, before sending them to a C2 IP address.
The IP information for this IP address shows its geolocation as Saint Petersburg in the Russian Federation.
Figure 4: C2 IP Address Information (Source: Kroll)
The Kroll Cyber Threat Intelligence team tested a number of theories leveraging Google’s ad workflow on how “malvertising” could lead to the deployment of the VIDAR Stealer. Kroll confidently proposed the following two most likely scenarios based on the research completed to date:
This attack method has been documented by others within the security and incident response communities and appears to be a favored hypothesis shared by many, including Kroll researchers.
Figure 5: Screenshot showing Google Ads homoglyph attack setup (Source: Kroll)
As detailed in Figure 5, Kroll’s threat intelligence team could set up an ad using an internationalized domain name that would pass initial domain inspection by the majority of viewers. If a homoglyph attack was used, it is an exceptionally effective approach, with no obviously misplaced characters.
Figure 6: Magnified view of the ad (Source: Kroll)
Kroll noted that the final page the link led to was not an international domain but a second, different typo-squatting domain. This inconsistency makes this method seem less likely, as the threat actor would need to chain two domains via a redirect.
However, it is possible that the threat actor did this to protect their homoglyph domain, or was aware that some web browsers display the domain name in ASCII (punycode) form in the address bar (for example, xn--gmp2ub[.]org instead of gimp[.]org), which would make the website appear more suspicious. Kroll’s testing of this process also identified Google’s automated domain verification processes, which would normally thwart a threat actor’s use of this methodology.
Google Ads allows the use of a tracking template, which becomes the first link in the click chain, to store various parameters for an ad campaign before forwarding to the landing page. With this tracking link established, the display domain remains the domain of the destination URL.
Figure 7: Screenshot showing the setup of a cross-domain tracking template in Google Ads (Source: Kroll)
It is possible that, by using a malicious tracking link, a threat actor could set up an ad for the legitimate gimp.org and redirect to their malicious page instead of the real one. This is the method that Kroll currently assesses as most likely, and it has been exploited by threat actors in previous intrusion lifecycles.
Kroll tested this methodology using a malicious tracking template hosted on a separate domain and successfully redirected an ad click to a third domain; the video can be viewed here. The setup followed the process described in the official Google documentation for cross-domain redirects.
Figure 8: Screenshot of active ads setup using the cross-domain tracking template (Source: Kroll)
Using a custom PHP script on the tracking domain, we were able to redirect traffic to a proof-of-concept domain instead of the legitimate website. Google performs some automatic checks to detect bad redirects; however, these were circumvented with minimal effort. This automated verification is likely designed to detect errors rather than this specific methodology.
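The two scenarios above (a homoglyph or typo-squatted domain in the click chain, and a tracking-template redirect that lands somewhere other than the displayed domain) can be checked from the defender's side by reviewing ad click chains. The following is an added example and not code from Kroll or the original post; the PROTECTED list, the small confusables map and the sample click chain are constructed assumptions.

```python
import unicodedata
from urllib.parse import urlparse

# Brand domains a defender wants to protect (constructed list for this example).
PROTECTED = ["gimp.org"]

# Tiny look-alike map: a few Cyrillic/Latin confusables plus stroked/script letters.
# A real deployment would load the full Unicode confusables table instead.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0456": "i", "\u0268": "i", "\u0261": "g"}

def host_of(url: str) -> str:
    """Extract the hostname and decode xn-- (punycode) labels to Unicode."""
    host = (urlparse(url).hostname or "").lower()
    try:
        return host.encode("ascii").decode("idna")   # ASCII or punycode -> Unicode
    except UnicodeError:
        return host                                  # already a Unicode host

def skeleton(host: str) -> str:
    """Fold look-alike characters to ASCII so a Cyrillic-i 'gimp.org' equals gimp.org."""
    folded = unicodedata.normalize("NFKC", host)
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typo-squats such as inserted letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review_ad_click(display_domain: str, chain: list[str]) -> list[str]:
    """Return findings for one ad: the display domain vs. each hop of the redirect chain."""
    findings = []
    for hop in chain:
        host = host_of(hop)
        if host == display_domain:
            continue
        if skeleton(host) == skeleton(display_domain):
            findings.append(f"homoglyph: {hop} impersonates {display_domain}")
        else:
            for brand in PROTECTED:
                if 0 < edit_distance(host, brand) <= 2:
                    findings.append(f"typosquat: {hop} is within 2 edits of {brand}")
    final = host_of(chain[-1])
    if final != display_domain:   # tracking-template scenario: display != landing page
        findings.append(f"mismatch: ad displays {display_domain} but lands on {final}")
    return findings
```

A constructed chain such as `review_ad_click("gimp.org", ["https://g\u0456mp.org/", "https://gilimp.org/download"])` yields a homoglyph, a typosquat and a display/landing mismatch finding, while a chain that stays on gimp.org yields none.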
Our team also explored a number of less likely scenarios:
To date, our team has not been able to produce a combination of settings in the Google Ads interface that would allow a display domain that is different from the target domain.
The Google Ads system pulls the domain displayed in the ad from the Final URL field. If an open redirect were present on the gimp.org website and used as the final URL, “gimp.org” would be displayed. It is not possible to test whether Google Ads would detect this without an open redirect vulnerability being present to use in the test.
Figure 9: Screenshot showing a hypothetical setup for an open redirect attack (Source: Kroll)
For this to work, there would have to be an open redirect vulnerability on the gimp.org website; it would also be necessary to bypass the aforementioned redirect validation checks performed by Google.
It is conceivable that an input-validation flaw allowed manipulation of the ad and the destination domain. Our team tested numerous strategies in controlled trials to see what would hold up. All tests were caught by server-side validation. However, they did manage to change the preview ad display so that it did not reflect the destination domain.
Figure 10: Screenshot showing an attempt to manipulate the URL so that it displays incorrectly (Source: Kroll)
As mentioned above, Google has an ad review process. Changes to the ad, including changing the domain or tracking link, will take the ad offline and require further review.
Now that this attack has been documented on multiple websites, it is highly likely that other actors will try this technique, because it can turn any website into a watering hole, conveniently placing the malicious website at the top of Google search results.
While it is particularly dangerous for sites that offer software for download, it could easily be extended for other purposes. For example, a clone of a legitimate domain login page could be hosted for credential harvesting.