Monday November 25, 2024

Advisory ID: NCC-CSIRT-1901-005

Summary:  

Threat actors are using maliciously crafted websites that impersonate popular free and open-source applications to promote malicious downloads through advertisements in Google search results. Once a victim runs the advertised download, information-stealing malware is installed, giving the attacker access to the victim's cryptocurrency wallets, browser cookies, Discord tokens, and saved browser passwords.

Vulnerable Platform(s):  

Google Ads

Threat Type:  Malware

Product:  Browsers, cryptocurrency wallets, and Discord (a VoIP and instant messaging application)

Version:   All versions

Description: 

Research findings from BleepingComputer uncovered a long list of software that threat actors impersonate to push malicious downloads through Google Ads search results. The software involved includes Rufus (a free utility for creating bootable USB flash drives), Notepad++, 7-Zip and WinRAR (popular file compression utilities), and the widely used VLC media player.

According to the research findings, the threat actors registered domain names that resemble the applications' official websites and copied the legitimate site up to the download section. On the malicious version, the download link points to a file transfer service rather than the official host. Consequently, many antivirus engines will not detect the download as a threat.

Consequences:

  • Compromise of the victims' sensitive information

Impact/Probability: CRITICAL/HIGH

Solution:
  • Before clicking on an advertisement, check the URL to make sure the site is authentic.
  • Rather than clicking on URLs that appear in an advertisement, type the product's actual URL into the browser's address bar to access the official website directly.
  • Use an effective ad-blocker extension to protect yourself against this type of threat.
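The first mitigation, checking that an advertised link really points at the product's official site, can be automated for ad links collected by a security team. The following Python script is an example added to this advisory; it is not code from the advisory, from NCC-CSIRT, or from any of the projects named above. The OFFICIAL_DOMAINS table is an assumption taken from each project's own website and should be verified before use, and the sample links at the bottom are constructed (they are not indicators from the advisory). It flags a link as "official" only when the host is the official domain or a subdomain of it, as "lookalike" when the host is within two edits of the official domain or contains the brand name, and as "unrelated" otherwise (which is what a download redirected to a file transfer service looks like).

```python
"""Check advertised download links against the official domains of the
software they claim to offer.

Example added for this advisory; not code from the advisory or from any
of the projects named in it. OFFICIAL_DOMAINS is an assumption taken from
each project's own website; SAMPLE_LINKS is constructed.
"""
from urllib.parse import urlparse

# Assumed official domains for the products the advisory says are impersonated.
OFFICIAL_DOMAINS = {
    "rufus": {"rufus.ie"},
    "notepad++": {"notepad-plus-plus.org"},
    "7-zip": {"7-zip.org"},
    "winrar": {"win-rar.com", "rarlab.com"},
    "vlc": {"videolan.org"},
}


def registrable_domain(url: str) -> str:
    """Lower-cased host of `url` without a leading 'www.'; '' if unparsable."""
    if "://" not in url:
        url = "https://" + url  # tolerate scheme-less text copied from an ad
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(product: str, url: str) -> str:
    """'official', 'lookalike', 'unrelated' or 'invalid' for one download link."""
    officials = OFFICIAL_DOMAINS[product.lower()]
    host = registrable_domain(url)
    if not host:
        return "invalid"
    # The official domain itself, or a subdomain of it, is genuine.
    if any(host == o or host.endswith("." + o) for o in officials):
        return "official"
    # Brand labels: the official second-level label plus the product name.
    brands = {o.split(".")[0] for o in officials} | {product.lower().strip("+")}
    if any(levenshtein(host, o) <= 2 for o in officials) or any(b in host for b in brands):
        return "lookalike"
    return "unrelated"


def audit(links):
    """Return (product, url, verdict) for every link that is not official."""
    results = [(p, u, classify(p, u)) for p, u in links]
    return [r for r in results if r[2] != "official"]


# Constructed sample ad landing/download links (not real indicators).
SAMPLE_LINKS = [
    ("rufus", "https://rufus.ie/en/"),
    ("notepad++", "https://notepad-plus-plus.net/download"),
    ("7-zip", "https://7-zlp.org/a/7z-x64.exe"),
    ("winrar", "https://cdn.example-transfer.test/files/winrar-x64.exe"),
    ("vlc", "https://www.videolan.org/vlc/"),
]

if __name__ == "__main__":
    for product, url, verdict in audit(SAMPLE_LINKS):
        print(f"{verdict:9} {product:10} {url}")
```

The check deliberately errs toward flagging: a host that merely contains the brand name is reported as a lookalike so an analyst can review it, and a download served from a host with no relation to the product at all is reported as unrelated, which is exactly the file-transfer-service pattern the advisory describes. Public-suffix handling is omitted for simplicity, so a host such as example.co.uk is compared as a whole string.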
References: