Malicious actors are using Google advertisements and SEO tactics to entice victims into clicking on links poisoned with malware.
According to cyber security company Secureworks, malicious actors have been using poisoned ad installers as Trojans, specifically to spread Bumblebee malware. These ad installers are associated with a number of well-known companies including Zoom, Citrix Workspace, Cisco AnyConnect and OpenAI’s ChatGPT. For example, Secureworks researchers found that a malicious actor had not only created a poisoned ad installer for Cisco AnyConnect, but a fake download page for the malware as well. They were able to do this by exploiting a compromised WordPress site.
Once Bumblebee malware is downloaded, malicious actors most often use it to launch ransomware within the infected device. In one case, Secureworks researchers found that the malicious actor moved laterally across the device, downloading and launching a number of applications and software programs including legitimate remote access tools AnyDesk and Dameware as well as penetration testing malware Colbalt Strike.
By using paid Google ads as well as SEO tactics in their fake download pages, malicious actors are able to ensure that their Trojanized and poisoned uploads are at the top of the Google search results page, meaning victims are more likely to click on them.
An example of this was seen on January 15, 2023, when a cryptocurrency and NFT influencer known as NFT God said that their “entire digital livelihood was violated” after hackers gained access to and stole “a life changing amount of [their] net worth” in funds and NFTs from their digital wallet. The hackers were able to gain access to their funds through a poisoned ad installer masquerading as a legitimate video streaming software, OBS.
After downloading and attempting to run the software, NFT God noticed that it had not properly installed, but dismissed this as a technical difficulty. In actuality, they had introduced malware to their device which allowed malicious users access to their social media accounts and digital wallet.
According to NFT God, the hackers stole “at least 19 ETH, worth almost US?$27,000 at the time, a Mutant Ape Yacht Club (MAYC) NFT with a current floor price of 16 ETH ($25,000), and several other NFTs”.
To prevent falling prey to poisoned ads, only download software and updates from trusted sites and go to the sites directly to avoid clicking on a Trojanized link.