MasquerAds: The malware campaign defrauding Google Ads
According to a Guardio Labs report, the “MasquerAds” malware campaign targets organizations, GPUs, and crypto wallets by abusing the Google Ads platform to spread malware to users searching for popular software products.
The threat actors operating the malware are said to set up a network of fake sites that are promoted on search engines. When visitors click on them, they are redirected to a phishing page containing a trojanized ZIP archive hosted on Dropbox or OneDrive.
The threat actors then register typosquatted domain names that differ from the original brand by at least one letter. When users click on a MasquerAd, they are taken to a phishing site with a download link to the malicious software, which is usually Raccoon Stealer or Vidar.
The campaign gains reach and credibility by piggybacking on Google and on well-known software companies, and it uses reputable file-sharing services such as Dropbox to distribute the malware. It impersonates legitimate software such as AnyDesk, Dashlane, Grammarly, Malwarebytes, Microsoft Visual Studio, MSI Afterburner, Slack, Zoom, Audacity, OBS, LibreOffice, TeamViewer, Thunderbird, Brave, and others.
Meanwhile, Guardio Labs attributes a large portion of the activity to a threat actor known as Vermux, noting that the adversary “abuses a vast list of brands and continues to evolve.”
Guardio Labs’ Nati Tal used the example of a user searching for Grammarly software. When a user searches for “grammarly,” he claims that they may be directed to a URL that differs from the original by only one letter. In this case, “gramm-arly.com”. This site appears to be the official Grammarly website, which leads users to believe it is the real deal.
Visitors are first directed to a legitimate, unrelated website: Christian Heating and Air Conditioning. When the user clicks the link, the server redirects the user to the phishing site under a new name, and anything downloaded from the impersonating site contains malware. Because the redirect occurs on the server side, Google does not detect the phishing site.
In addition, a target who downloads Grammarly from the phishing site does receive the legitimate version of Grammarly. However, it is bundled with an executable file that does harm behind the scenes. That malware is padded with zero bytes so that it exceeds 500 MB in size, and less than 1% of its code is tainted with malicious snippets. As a result, it can fly under the radar of most detection tools. The MasquerAds operators then change the malware in their payload on a regular basis, switching suppliers without affecting the downloadable Grammarly.exe file.
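As an added defender-side illustration (not code from the Guardio report or the article), the following Python check streams a file and measures how much of it is zero padding, which is the property that lets an oversized binary slip past size-limited scanners. The 500 MB and 90% thresholds, and the constructed sample files in `demo()` (which scales the size threshold down so it runs in seconds), are assumptions for this example.

```python
import os
import re
import tempfile

# Thresholds are assumptions mirroring the report: >500 MB, almost all zero bytes.
SIZE_THRESHOLD = 500 * 1024 * 1024
ZERO_RATIO_THRESHOLD = 0.90

def zero_padding_stats(path, chunk=1024 * 1024):
    """Stream a file and return (size, zero_fraction, longest_zero_run)."""
    size = zeros = longest = current = 0
    with open(path, "rb") as f:
        while True:
            buf = f.read(chunk)
            if not buf:
                break
            size += len(buf)
            zeros += buf.count(0)
            matches = list(re.finditer(rb"\x00+", buf))
            for m in matches:
                run = m.end() - m.start()
                if m.start() == 0:
                    run += current  # run continues from the previous chunk
                longest = max(longest, run)
                current = run if m.end() == len(buf) else 0
            if not matches:
                current = 0
    return size, (zeros / size if size else 0.0), longest

def is_suspiciously_padded(path, size_threshold=SIZE_THRESHOLD, zero_ratio=ZERO_RATIO_THRESHOLD):
    """Flag files that are large mainly because of zero padding."""
    size, frac, _ = zero_padding_stats(path)
    return size >= size_threshold and frac >= zero_ratio

def demo(pad_len=1024 * 1024, size_threshold=512 * 1024):
    """Constructed sample: a 4 KB stand-in for real code, with and without zero padding."""
    code = bytes(range(256)) * 16
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("padded", code + b"\x00" * pad_len), ("plain", code)):
            p = os.path.join(d, name + ".exe")
            with open(p, "wb") as f:
                f.write(data)
            size, frac, longest = zero_padding_stats(p)
            results[name] = {"size": size, "zero_fraction": round(frac, 4), "longest_zero_run": longest,
                             "flagged": is_suspiciously_padded(p, size_threshold)}
    return results
```

A hit from this check is a triage signal, not a verdict: the useful follow-up is to scan the file with the padding stripped, since the stated <1% of malicious code is what the padding hides.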
The sources for this piece include an article in TheHackerNews.