ClickCease MasquerAds: The malware campaign defrauding Google Ads

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

MasquerAds: The malware campaign defrauding Google Ads

Obanla Opeyemi

January 10, 2023 - TuxCare expert team

According to a Guardio Labs report, “MasquerAds” malware targets organizations, GPUs, and Crypto Wallets by using the Google Ads platform to spread malware to users searching for popular software products.

The threat actors operating the malware are said to set up a network of fake sites that are promoted on search engines. When visitors click on them, they are redirected to a phishing page containing a trojanized ZIP archive hosted on Dropbox or OneDrive.

The threat actors then register the typosquatted domain names with URLs that differ by at least one letter from the original brand. When users click on a MasquerAd, they are taken to a phishing site with a download link to the malicious software, which is usually Racoon Stealer or Vidar.

It then inflicts lethal attacks by leveraging the reach and credibility of Google and well-known software companies. It also makes use of reputable file-sharing services such as Dropbox to distribute the malicious malware. It impersonates legitimate software such as AnyDesk, Dashlane, Grammarly, Malwarebytes, Microsoft Visual Studio, MSI Afterburner, Slack, Zoom, Audacity, OBS, Libre Office, Teamviewer, Thunderbird, Brave, and others.

Meanwhile, Guardio Labs attributes a large portion of the activity to a threat actor known as Vermux, noting that the adversary “abuses a vast list of brands and continues to evolve.”

Guardio Labs’ Nati Tal used the example of a user searching for Grammarly software. When a user searches for “grammarly,” he claims that they may be directed to a URL that differs from the original by only one letter. In this case, “”. This site appears to be the official Grammarly website, which leads users to believe it is the real deal.

Visitors are then directed to a legitimate website: Christian Heating and Air Conditioning. When the user clicks the link, the server redirects the user to the phishing site with a new name, but anything downloaded from the impersonating site contains malware. Google does not detect the phishing site because the redirect occurs on the server side.

In addition, a target who downloads Grammarly from the phishing site will receive the legitimate version of Grammarly. However, it comes with an executable file that causes harm behind the scenes. The said malware is m bloated with zero files to exceed 500 MB in size. Furthermore, less than 1% of the code is tainted with malicious snippets. As a result, it can fly under the radar of most detection tools. MasquerAds will then change the malware in their payload on a regular basis, switching suppliers without affecting the downloadable Grammarly.exe file.

The sources for this piece include an article in TheHackerNews.

MasquerAds: The malware campaign defrauding Google Ads
Article Name
MasquerAds: The malware campaign defrauding Google Ads
According to a Guardio Labs report, "MasquerAds" malware targets organizations, GPUs, and Crypto Wallets by using the Google Ads platform.
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Related Articles

How GPT models can be...

According to CyberArk researchers, GPT-based models like ChatGPT can be...

January 30, 2023

Attackers actively exploit Unpatched Control...

Malicious hackers have started exploiting a critical vulnerability CVE-2022-44877 in...

January 27, 2023

Attackers distribute malware via malicious...

Deep Instinct researchers reported that RATs like StrRAT and Ratty...

January 26, 2023

CircleCI partners AWS to identify...

According to CircleCI’s CTO, Rob Zuber, CircleCI is working with...

January 25, 2023

Cisco warns of authentication bypass...

A remote attacker could exploit multiple vulnerabilities in four Cisco...

January 24, 2023

IceID malware infiltrates Active Directory...

In a notable IcedID malware attack, the assailant impacted the...

January 23, 2023