Pay-Per-Click Ads on Google Search Lead to the Serving of Info-Stealers

• Users looking to download popular software like AnyDesk or Telegram may end up downloading malware.
• Malicious actors are abusing Google Adwords to promote their malware-distribution sites and drop digitally signed info-stealers.
• The executables come hidden inside ISO files and feature several layers of obfuscation and anti-analysis systems.

There’s a rise in the number of infections by prevalent info-stealers that circulate the net right now. An explanation for this lies in the potential to abuse Google Adwords to promote the malware through pay-per-click (PPC) ads on Google Search. Morphisec confirmed this after its researchers decided to analyze the phenomenon and figure out the technical specifics that help push info-stealers like ‘Redline,’ ‘Taurus,’ ‘Tesla,’ and ‘Amadey’ out there.

According to the Morphisec report, the Google Search results that have been linked with malware concern terms like AnyDesk, Dropbox, and Telegram, while the installation packages are “weirdly” wrapped as ISO image files.

Most of the PPC ads that promote the info-stealers this way appear on the first page of the search results, which makes this even more tricky for internet users. Moreover, the actor likes to set Adwords to target IP ranges in the United States and other prolific countries, so non-targeted IPs are redirected to legitimate pages to download the real software, not malware.

Upon mounting the ISO image file, the victim opens the extracted folder, which contains digitally signed executables and verified with Cloudflare or Sectigo certificates. This is to avoid AV flags, while the ISO size, which is typically over 100 MB, is also helpful on that part. The executables also have several layers of obfuscation, with the case of the ‘Redline’ featuring four individual layers.

And finally, the info-stealers used feature anti-analysis techniques like virtualization detection and evasion checks through WMI.

The websites that receive the traffic from the PPC ads are the following, so if you happened to land on one of those, don’t download anything.

• hxxps://me.anydesk-pro[.]com/
• hxxps://desklop.telegram-home[.]com/
• hxxps://pc.anydesk-go[.]com/
• hxxps://desklop.anydesk-new[.]com/
• hxxps://desklop.pc-whatisapp[.]com/
• hxxps://anydesk-en-downloads[.]com/
• hxxps://anydesk-one[.]com/
• hxxps://anydesk-top[.]com/
• hxxps://anydesk-connect[.]com/
• hxxps://anydesk-vip[.]com/

Of course, the adversaries can change distribution sites and hooking apps at any time, so vigilance should be a constant element when browsing online and looking to download installer files. With actors paying several thousands of USD to abuse Google Adwords and somehow having the capability to snatch legitimate certificates, it looks like not even the top search results can be trusted.