Unnamed threat actors patiently developed a malvertising campaign with multiple layering that ultimately deployed malware. The operation targeted users interested in installing the legitimate Slack communication app, a new report from security company Malwarebytes said.
The fake Slack ads’ advertiser information in the Google Ads Transparency Center showed they registered as CVC International Limited and promoted products for the Asian market.
To avoid being immediately flagged, the deceiving ad led to a price page on Slack’s official website in the beginning. Lately, it redirected to a click fraud detection tool, followed by a click tracker. Then, the ad’s final URL became a domain without malicious content: slack-windows-download[.]com.
However, the security researchers could see the malicious page after tweaking some settings.
The click trackers are followed by one more cloaking domain, resulting in deep layering that makes evaluating an ad harder unless one has specific tools and knowledge of the threat actor’s tactics, techniques, and procedures (TTPs).
This is one of the Google ad ecosystem’s weaknesses, as the Alphabet Inc.-owned service cannot know where users are going after the click tracker since such services can be abused to filter clicks and send traffic to any domain.
Clicking the button to get the app triggers the malware binary download from another domain, and researchers say they saw a hint of a parallel campaign targeting Zoom in the file’s name.
The server used for the remote connection was previously used by SecTopRAT, an infostealer RAT, while this payload was previously used in previous malvertising operations, including fake NordVPN ads.
In the past year, hundreds of unique malvertising incidents related to Google search ads were observed.
Recently, a phishing site masquerading as an official ‘Google Safety Centre’ page deployed malware like Latrodectus and ACR Stealer while pretending to let users download the trusted multi-factor authentication (MFA) app Google Authenticator.
Simultaneously, a fake ad for Authenticator appeared among Google search results, and the advertiser’s identity was even verified by Google.