Submitted URL: https://www.malwarebytes.com/blog/cybercrime/2024/10/large-scale-google-ads-campaign-targets-utility-software
Effective URL: https://www.malwarebytes.com/blog/news/2024/10/large-scale-google-ads-campaign-targets-utility-software
Cybercrime


LARGE SCALE GOOGLE ADS CAMPAIGN TARGETS UTILITY SOFTWARE

Posted: October 7, 2024 by Jérôme Segura

After what seemed like a long hiatus, we’ve observed threat actors returning to
malvertising to drop malware disguised as software downloads. The campaign we
identified is high-impact, going after utility software such as Slack, Notion,
Calendly, Odoo, Basecamp, and others. For this blog, we decided to focus on the
Mac version of communication tool Slack.

Following the creation of advertiser identities belonging to real businesses,
the threat actors launch their malicious ads, hiding their infrastructure behind
several layers of fingerprinting and cloaking.

We have reported these incidents to Google and the related advertisers have been
banned. However, we are still finding new malicious ads and hearing from others
seeing the same, indicating that this campaign is not over yet.


WANTED: UTILITY SOFTWARE

The threat actor is abusing various platforms to host their payloads, giving
insights into what they are choosing to lure in victims. For Windows users, all
payloads were found in various GitHub accounts which we have reported already.

For Mac, we saw payloads originating from the same domain via PHP scripts named
with identifiers. These appear to be generated for individual and perhaps
time-based downloads. Other links that include the name of the software (e.g.
clockify_mac.php) work regardless.

creativekt[.]com/macdownloads/script_6703ea1fc058e8.92130856.php
creativekt[.]com/macdownloads/script_66ffc3cf465a45.36592714.php
creativekt[.]com/macdownloads/clockify_mac.php
creativekt[.]com/macdownloads/script_66e6ba358cd842.42527539.php


IMPERSONATING TWO IDENTITIES AT ONCE

When we searched for Slack from the US, the top Google result was an ad that
looked completely trustworthy. It had the brand’s logo, official website and
even a detailed description.

If you follow this blog, you probably know there is more to it. By clicking on
the three dots next to the ad, you can see more information about the
advertiser, which in this case is a law firm.

Note: We understand that most users will not—for lack of time, interest or
knowledge—take this step, which is why we offer solutions such as Malwarebytes
Browser Guard that automatically blocks ads.

The “My Ad Center” vignette shows that the advertiser was not verified yet, but
we were able to access their profile and see their collection of ads. There were
four ads in total, and three of them were related to lawyer services using the
name and address of a real company in the US.

The Slack ad was the odd one out, but could, in theory, have been promoted by
this advertiser. What we believe is the problem with Google ads is that any
advertiser can still use the branding of a major company as if they were that
company. From the point of view of internet users, this is extremely deceptive
and provides no guardrail against abuse.

After we validated the ad ourselves and saw where it redirected to (a malicious
site), we reported it to Google. Very shortly thereafter, Google took action and
removed not just the ad, but the advertiser.

However, a couple of days later a new ad appeared, once again using a stolen
identity, this time from a women’s health company.


DECOY SITE AND PAYLOAD

As we have seen before, the malicious ad starts a redirection chain made of
various click trackers, cloaking and a decoy site. This allows victim profiling,
but more importantly it is used to avoid automated detection in order to keep
the ad up and running as long as possible.

Victims eventually land on a decoy site, similar to those used for phishing
credentials, except that here the end goal is to trick users into downloading
malware.

Windows users get their respective payload hosted on GitHub. The binaries have
been inflated into large files to hinder sandbox analysis and are likely the
Rhadamanthys infostealer.

For Apple users, the installers are also an infostealer, branched out of the
AMOS (Atomic Stealer) family. Passwords and other secrets found on the system,
in the file system, browsers, extensions and apps, are grabbed and uploaded as
a zip archive to a remote server located in Russia.


CONCLUSION

When we investigate ads, we use a simple yet realistic setup that mimics what
most users would have. This is not an automated process, and it sometimes
requires multiple attempts from different geographic locations and browser
profiles. While this work can be tedious and time consuming, we believe it is
necessary in order to identify threat actors at the source, thereby protecting
not only the Malwarebytes customer base but also anyone else who uses the
Google search engine.

Slack is not the only brand that threat actors like to impersonate. In fact, we
also saw and reported malicious ads for the productivity suite Notion. We
noticed that it also shared the same payload hosting infrastructure, indicating
that the two campaigns were related.

If you are still clicking on ads to download software, you take a risk by
allowing fraudulent advertisers to redirect you to malicious sites.
Inadvertently installing malware and getting your identity stolen has never been
easier.

We recommend paying special attention to sponsored results or adopting a tool
such as Malwarebytes Browser Guard. For our Mac users, we detect this threat as
OSX.Poseidon.



INDICATORS OF COMPROMISE

Malicious hostnames

creativekt[.]com
slack[.]designexplorerapp[.]net
odoo[.]studioplatformapp[.]net
notion[.]foreducationapp[.]com
slack[.]workmeetingsapp[.]com
clockify[.]turnrevenue[.]com
slack[.]aerodrame[.]finance

GitHub repositories

github[.]com/09shubin/asdjh23/releases/download/nhehhh34/
github[.]com/fewefwfewfew/dwqfqwe/releases/download/fecfewwefewf3/

Payloads (Windows)


Payloads (Mac)

b55f2cb39914d84a4aa5de2f770f1eac3151ca19615b99bda5a4e1f8418221c2
9dc9c06c73d1a69d746662698ac8d8f4669cde4b3af73562cf145e6c23f0ebdd

Command and control servers

85.209.11[.]155
193.3.19[.]251
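As an added example (not code from the article or from Malwarebytes), the script below refangs the indicators listed in this section and runs them over a constructed proxy/firewall log. It treats subdomains of a listed host and any file under the two GitHub release paths as hits while leaving github.com itself alone, so a blocklist built from these IoCs does not break legitimate GitHub downloads.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the article's IoC section, in the defanged form published there.
MALICIOUS_HOSTS = [
    "creativekt[.]com", "slack[.]designexplorerapp[.]net", "odoo[.]studioplatformapp[.]net",
    "notion[.]foreducationapp[.]com", "slack[.]workmeetingsapp[.]com",
    "clockify[.]turnrevenue[.]com", "slack[.]aerodrame[.]finance",
]
MALICIOUS_RELEASE_PREFIXES = [
    "github[.]com/09shubin/asdjh23/releases/download/nhehhh34/",
    "github[.]com/fewefwfewfew/dwqfqwe/releases/download/fecfewwefewf3/",
]
C2_IPS = ["85.209.11[.]155", "193.3.19[.]251"]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def refang(ioc: str) -> str:
    """Undo the '[.]' / 'hxxp' defanging used in the article so the value can be matched."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()

HOSTS = {refang(h) for h in MALICIOUS_HOSTS}
PREFIXES = [refang(p) for p in MALICIOUS_RELEASE_PREFIXES]
IPS = {refang(i) for i in C2_IPS}

def host_matches(host: str) -> bool:
    """True for a listed host or any subdomain of it (the PHP download scripts live under creativekt.com)."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in HOSTS)

def classify(line: str):
    """Verdict for one proxy/firewall log line, or None when nothing from the list appears in it."""
    for token in line.split():
        if token.startswith(("http://", "https://")):
            parts = urlsplit(token)
            host = (parts.hostname or "").lower()
            # github.com itself is benign: only the two release paths are indicators.
            if any((host + parts.path.lower()).startswith(p) for p in PREFIXES):
                return "malicious-github-release"
            if host_matches(host):
                return "malicious-host"
    if any(ip in IPS for ip in IPV4_RE.findall(line)):
        return "c2-contact"
    return None

def scan(lines):
    """Run classify() over a whole log and keep only the lines that hit an indicator."""
    return [(ln, v) for ln in lines if (v := classify(ln))]

# Constructed sample log (not real traffic): proxy access lines plus one firewall connection line.
SAMPLE_LOG = [
    "2024-10-08T10:12:41Z 10.0.0.5 GET https://creativekt.com/macdownloads/clockify_mac.php 200",
    "2024-10-08T10:13:09Z 10.0.0.7 GET https://github.com/09shubin/asdjh23/releases/download/nhehhh34/Slack.exe 200",
    "2024-10-08T10:13:30Z 10.0.0.7 GET https://github.com/python/cpython/releases/download/v3.12.0/x.tgz 200",
    "2024-10-08T10:15:00Z FW ALLOW TCP 10.0.0.5:51234 -> 85.209.11.155:443",
]
```

Calling `scan(SAMPLE_LOG)` returns the three indicator hits and skips the benign GitHub download; swap in your own proxy or firewall export to run the same check.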

ABOUT THE AUTHOR

Jérôme Segura

Sr Director, Research
