Hackers have increased their abuse of the Google Ads platform to target users searching for popular software products.
Software products being impersonated include Grammarly, Slack, Dashlane, Audacity, μTorrent, AnyDesk, LibreOffice, TeamViewer, Thunderbird, and more, reports Bleeping Computer.
“The threat actors clone official websites of the above projects and distribute trojanised versions of the software when users click the download button,” the report mentioned.
The Google Ads platform helps advertisers promote pages on Google Search.
Users looking for original software products on a browser without an active ad blocker are likely to click on malicious links “because it looks very similar to the actual search result”.
“The moment those ‘disguised’ sites are being visited by targeted visitors, the server immediately redirects them to the rogue site and from there to the malicious payload,” explained Guardio Labs.
Those rogue sites are practically invisible to visitors.
If Google detects that the landing site is malicious, the campaign is blocked and the ads are removed.
The malware payload, which comes in ZIP or MSI form, is downloaded from reputable file-sharing and code-hosting services such as GitHub, Dropbox, or Discord’s CDN.
“This ensures that any anti-virus programmes running on the victim’s machine won’t object to the download,” the report mentioned.
Guardio Labs recently observed a campaign where the threat actor lured users with a trojanised version of Grammarly. The malware was bundled with the legitimate software.
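The delivery chain described above (ad click, redirect, then a ZIP or MSI pulled from a file-hosting service) can be hunted for in web proxy logs. The Python below is an added example, not code from the report or from Guardio Labs; the log format, the hostname list, the 120-second window and the sample lines are constructed assumptions.

```python
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Hosting services named in the article; exact hostnames are assumptions to tune locally.
HOSTING_SUFFIXES = ("github.com", "githubusercontent.com", "dropbox.com",
                    "dropboxusercontent.com", "cdn.discordapp.com")
INSTALLER_EXTS = (".zip", ".msi")   # payload formats named in the article
WINDOW_SECONDS = 120                # assumed maximum gap between ad click and download

def host_matches(host, suffixes):
    """True if host equals a suffix or is a subdomain of it (no substring matches)."""
    host = (host or "").lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)

def is_ad_click(url):
    # Google Ads clicks pass through googleadservices.com or carry a gclid parameter.
    parts = urlsplit(url)
    return (host_matches(parts.hostname, ("googleadservices.com",))
            or "gclid" in parse_qs(parts.query))

def is_hosted_installer(url):
    parts = urlsplit(url)
    return (host_matches(parts.hostname, HOSTING_SUFFIXES)
            and parts.path.lower().endswith(INSTALLER_EXTS))

def find_ad_driven_downloads(log_lines):
    """Return (client, ad_click_url, download_url) for installers fetched soon after an ad click."""
    last_click, alerts = {}, []
    for line in log_lines:                      # assumed format: "<ISO time> <client> <url>"
        ts_raw, client, url = line.split()
        ts = datetime.fromisoformat(ts_raw)
        if is_ad_click(url):
            last_click[client] = (ts, url)
        elif is_hosted_installer(url) and client in last_click:
            click_ts, click_url = last_click[client]
            if 0 <= (ts - click_ts).total_seconds() <= WINDOW_SECONDS:
                alerts.append((client, click_url, url))
    return alerts

# Constructed sample proxy log (not real traffic); *.example hosts are placeholders.
SAMPLE_LOG = [
    "2023-01-05T10:00:00 10.0.0.5 https://www.googleadservices.com/pagead/aclk?adurl=https://landing.example/",
    "2023-01-05T10:00:01 10.0.0.5 https://landing.example/?gclid=CONSTRUCTED",
    "2023-01-05T10:00:02 10.0.0.5 https://rogue.example/download",
    "2023-01-05T10:00:05 10.0.0.5 https://cdn.discordapp.com/attachments/1/2/setup.zip",
    "2023-01-05T11:00:00 10.0.0.9 https://github.com/example-org/tool/releases/download/v1/tool.msi",
    "2023-01-05T12:00:00 10.0.0.7 https://landing.example/?gclid=CONSTRUCTED2",
    "2023-01-05T12:10:00 10.0.0.7 https://www.dropbox.com/s/abc/notes.zip",
]

if __name__ == "__main__":
    print(find_ad_driven_downloads(SAMPLE_LOG))
```

Only the first client is flagged: the GitHub download has no preceding ad click, and the Dropbox download falls outside the window.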