According to a new article published by security firm Morphisec, threat actors are using paid-for Google ads to help distribute several pieces of info-stealing malware. The threat actors abuse the Pay Per Click (PPC) functionality of Google AdWords so that the ads they pay for often appear at the top of search results. This further highlights the need for individuals to adopt a zero-trust policy even when using trusted services.
Researchers discovered that the offending pieces of malware were being distributed via ISO images, which would be downloaded when a user clicked the ad and was redirected to a website hosting the malicious payload. An ISO image is an archive file developed to contain an identical copy, or image, of the data typically found on an optical disc such as a CD or DVD. The image can also be used to distribute large files that are later burned onto a disc, or to back up data that would otherwise be stored on a disc. As the image is a sector-by-sector copy of the original, no compression is used to reduce the size of the file. Operating systems can mount an image as a virtual disk, which lets the machine access the contents of the image as if an optical disc were inserted.
Hackers quickly picked up on this ability to mount ISO images as virtual disks as a method of distributing malware. Malware packaged in ISO images can be sent via email or, as in the campaign discovered by Morphisec, via malicious websites that download the image to the victim’s machine. ISO images have also been used in the past to distribute other info-stealing malware strains, including LokiBot.
Returning to the campaigns discovered by Morphisec, the ISO images distributing malware are larger than 100 MB. Whether this was intentional or not, it meant that certain security products would not be able to detect the intrusion, as they are optimized to detect malware hidden in smaller files. It was also discovered that two adversaries were responsible for the attack campaigns. The first was seen distributing the RedLine info stealer. The second threat actor was seen distributing Taurus and a new info stealer Morphisec has named mini-RedLine. Both adversaries were making use of executables that were signed and verified in several instances, but not always.
Because the executables packed in the ISO image were signed and verified, security products might not detect the malware, believing the executables to be legitimate. Info-stealing malware is malicious software designed to steal information stored on the victim’s machine. Information favored by hackers includes stored credit card data and banking credentials, as well as any type of account credential that can be of use to them, since such accounts often store personally identifiable information.
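The size-based blind spot described above can be shown with a small triage routine. This is an added example, not Morphisec's tooling or anything from the article: it scans a container for the markers a malicious ISO of this kind would carry (an ISO9660 volume descriptor, an embedded PE file, the CLR metadata signature that marks a .NET assembly, and a 7z archive signature) and contrasts a scanner that skips files above a size cutoff with one that always scans. The sample image, its offsets and the 1 MiB demo cutoff are constructed for the example; the article's real-world figure is 100 MB. The .NET check is a heuristic (assumption), not a full CLR header parse.

```python
"""Added example (not from the article or Morphisec): triage an ISO-like container
without a size cutoff. Sample image, offsets and the demo cutoff are constructed."""
import re

ISO_PVD_OFFSET = 0x8000            # ISO9660 primary volume descriptor lives in sector 16
ISO_MAGIC = b"CD001"               # standard identifier at byte 1 of the descriptor
SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"
CLR_METADATA_MAGIC = b"BSJB"       # signature at the start of .NET CLR metadata
MIB = 1024 * 1024


def is_iso9660(data: bytes) -> bool:
    return data[ISO_PVD_OFFSET + 1 : ISO_PVD_OFFSET + 6] == ISO_MAGIC


def find_pe_headers(data: bytes) -> list:
    """Offsets of embedded PE files: an 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    found = []
    for m in re.finditer(b"MZ", data):
        off = m.start()
        if off + 0x40 > len(data):
            continue
        e_lfanew = int.from_bytes(data[off + 0x3C : off + 0x40], "little")
        if 0x40 <= e_lfanew < 0x1000 and data[off + e_lfanew : off + e_lfanew + 4] == b"PE\0\0":
            found.append(off)
    return found


def looks_dotnet(data: bytes, pe_off: int, window: int = 64 * 1024) -> bool:
    """Heuristic (assumption): CLR metadata signature within a window after the PE header."""
    return CLR_METADATA_MAGIC in data[pe_off : pe_off + window]


def triage(data: bytes, max_size: int = None) -> dict:
    """Scan a container. A max_size cutoff reproduces the blind spot the article describes:
    anything larger is skipped unscanned. Pass None to always scan."""
    if max_size is not None and len(data) > max_size:
        return {"skipped": True, "size": len(data)}
    pe_offsets = find_pe_headers(data)
    return {
        "skipped": False,
        "size": len(data),
        "iso9660": is_iso9660(data),
        "pe_offsets": pe_offsets,
        "dotnet_pe_offsets": [o for o in pe_offsets if looks_dotnet(data, o)],
        "sevenzip_offsets": [m.start() for m in re.finditer(re.escape(SEVENZIP_MAGIC), data)],
    }


def build_sample_image(size: int = 2 * MIB) -> bytes:
    """Constructed stand-in for a padded malicious ISO: a volume descriptor marker, a
    .NET-looking PE stub and a 7z signature, with zero padding inflating the size."""
    img = bytearray(size)
    img[ISO_PVD_OFFSET] = 1                                   # descriptor type: primary
    img[ISO_PVD_OFFSET + 1 : ISO_PVD_OFFSET + 6] = ISO_MAGIC
    pe = 0x10000
    img[pe : pe + 2] = b"MZ"
    img[pe + 0x3C : pe + 0x40] = (0x80).to_bytes(4, "little")  # e_lfanew -> PE signature
    img[pe + 0x80 : pe + 0x84] = b"PE\0\0"
    img[pe + 0x100 : pe + 0x104] = CLR_METADATA_MAGIC
    sz = 0x20000
    img[sz : sz + len(SEVENZIP_MAGIC)] = SEVENZIP_MAGIC
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_image()
    print(triage(sample, max_size=1 * MIB))   # skipped: the cutoff hides the payload
    print(triage(sample))                     # full findings regardless of size
```

The point of the two calls at the bottom is the contrast: with a cutoff the scanner returns nothing but "skipped", while the unrestricted scan reports the embedded PE, its .NET marker and the 7z signature. A scanner that must bound its work should sample known offsets (the volume descriptor, directory records) rather than refuse large files outright.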
This campaign begins with a potential victim searching for an AnyDesk download. AnyDesk is a platform that gives a user remote access to another machine, often used by IT departments to solve problems without needing to be in front of the other user’s machine. At the time, the search results returned three ads as the top results. All three were distributing malware: the first two were used to distribute RedLine, while the remaining one was used to distribute Taurus.
The websites that the ads redirect to are signed with a Sectigo certificate. The website includes several download links with each one downloading the malicious ISO image. Given that potential victims are actively searching for a download and that they were redirected by a Google ad there would be an implicit level of trust on the victim’s side.
Interestingly, the RedLine malware’s database in this campaign shows that it targets browsers of Russian-speaking countries. This might eliminate the possibility that the threat actors reside in countries once forming the Soviet Union. Researchers summarized the infection routine that follows the download as taking the path below:
“…every ISO file includes a very small .Net executable. In some cases, this executable is also digitally signed...Net executables are obfuscated with known obfuscators such as DeepSea, which leads to a custom obfuscated .Net DLL loader that eventually leads to a custom obfuscated Redline stealer .Net executable.”
The Taurus info stealer is distributed in a similar way to RedLine but is signed with a legitimate Cloudflare certificate. In this instance there were no additional website redirects; instead the download results from a submitted form handled by “get.php”, which delivers the ISO image directly from the website. If the target is not within the range of interesting IP addresses, users see a normal redirect to the legitimate application website, as in the RedLine info stealer campaign.
The infection chain proceeds as follows:
“The downloaded ISO image consists of a 7z SFX executable…The executable includes either 4 “flv” or 4 “bmp” files in the examples we cover below. Sfx is configured to start the execution from the first batch file (masquerading as either flv, bmp or any other unique extension). The batch script is then redirected as input into cmd.exe…This batch script is well documented. It is responsible for the re-creation of the legitimate AutoIt compiler (Ali.exe.com or the Dio.exe.com in the examples above) and the execution of the malicious AutoIt script (Pramide.flv or the Debbano.bmp). Through the re-created compiler, it will fail to execute upon detection of a known sandbox provider. A VirusTotal search for additional 7z SFX archives with a similar evasion will lead to more than 400 different files uploaded in the past month.”
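The execution pattern quoted above (a batch script fed to cmd.exe through stdin redirection, a rebuilt AutoIt interpreter with a double extension such as Ali.exe.com, and a script carrying a media extension such as Pramide.flv) leaves distinctive traces in process-creation telemetry. The following is an added detection example, not code from Morphisec or the article; the event field names, the sample events and the file name Nido.flv are constructed for the demo, and the batch and AutoIt extension lists are assumptions.

```python
"""Added example (not Morphisec's code): flag the SFX -> cmd.exe -> AutoIt execution
pattern in process-creation events. Field names and sample events are constructed."""
import re
from typing import Dict, List, Tuple

BATCH_EXTS = {".bat", ".cmd"}            # extensions a batch script would normally carry
AUTOIT_SCRIPT_EXTS = {".au3", ".a3x"}    # extensions an AutoIt script would normally carry

STDIN_REDIRECT = re.compile(r'<\s*"?([^"\s]+)"?')
DOUBLE_EXT_COM = re.compile(r"\.exe\.com$", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def _ext(path: str) -> str:
    name = _basename(path)
    return ("." + name.rsplit(".", 1)[-1]).lower() if "." in name else ""


def _args(cmdline: str) -> List[str]:
    # Crude tokenizer: quoted strings or whitespace-separated tokens.
    return re.findall(r'"[^"]*"|\S+', cmdline)


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event matches."""
    hits = []
    image = _basename(event["image"]).lower()
    cmdline = event["cmdline"]

    # Rule 1: cmd.exe reading its commands from a file that is not a batch script.
    if image == "cmd.exe":
        m = STDIN_REDIRECT.search(cmdline)
        if m and _ext(m.group(1)) not in BATCH_EXTS:
            hits.append("cmd_stdin_from_non_batch_file")

    # Rule 2: an image with a double extension ending in .com (e.g. Ali.exe.com).
    if DOUBLE_EXT_COM.search(image):
        hits.append("double_extension_exe_com")
        # Rule 3: that interpreter given a script whose extension disguises it.
        args = _args(cmdline)[1:]
        if args and _ext(args[0].strip('"')) not in AUTOIT_SCRIPT_EXTS:
            hits.append("interpreter_script_with_disguised_extension")
    return hits


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    return [(e["ts"], rule) for e in events for rule in evaluate(e)]


# Constructed sample events; paths and names are illustrative only.
SAMPLE_EVENTS = [
    {"ts": "t1", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},                                     # benign
    {"ts": "t2", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe < C:\Users\u\AppData\Local\Temp\7ZipSfx.000\Nido.flv"},
    {"ts": "t3", "image": r"C:\Users\u\AppData\Local\Temp\7ZipSfx.000\Ali.exe.com",
     "cmdline": r'"C:\Users\u\AppData\Local\Temp\7ZipSfx.000\Ali.exe.com" Pramide.flv'},
    {"ts": "t4", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe < C:\scripts\backup.bat"},                    # benign
]

if __name__ == "__main__":
    for ts, rule in detect(SAMPLE_EVENTS):
        print(ts, rule)
```

Rules 2 and 3 together are the stronger signal: a `.exe.com` image is unusual on its own, and one launched with a `.flv` or `.bmp` argument has no benign reading. Rule 1 will also fire on legitimate administration that pipes a `.txt` into cmd.exe, so it is best used to enrich, not to block.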
The new kid on the block, Mini-RedLine, was distributed through the same ads as the Taurus campaign, leading researchers to believe that the same threat actor is behind both campaigns. Further, the Mini-RedLine malware is signed with Cloudflare certificates. In total, the malware boasts four layers of obfuscation, with the last one being the hollowed Mini-RedLine. Researchers noted:
“Finally, the last layer leads to some known stealing functionalities. An initial static look at the file is reminiscent of Redline; not surprisingly a VT scan for the unpacked file shows that it will confuse even the biggest security vendors. The method and strings implemented as part of the Chrome credential theft are almost identical. In both cases, the databases are copied to a temporary location before being decrypted, using similar methods and class names to do so even though the number of targeted browsers is minimal.”
One of the lessons learned from both campaigns is that threat actors are willing to spend substantial sums on ads to better distribute their malware. Google AdWords data between May 2020 and April 2021 shows a bid price of between 0.42 USD and 3.97 USD for the two keywords “anydesk” and “anydesk download.” For a relatively small campaign targeting users in the United States, this could result in an AdWords bill of thousands of dollars. This leads many to ask exactly how much money the threat actors believed they could make to offset the advertising costs, and for how long before they were discovered.