For HomeFor BusinessFor Partners
Whitepapers Anti-Malware Research
2 min read

Abusing the Ad Network – Threat Actors Now Hacking into Companies via Search

Victor VRABIEAlexandru MAXIMCIUC

July 26, 2023

Promo Protect all your devices, without slowing them down.
Free 30-day trial
Abusing the Ad Network – Threat Actors Now Hacking into Companies via Search


For the past few years, hackers have increasingly targeted customers and businesses with tainted software boosted via ads. The recipe is simple – cyber-criminal groups set up fake websites for high-interest software and promote them on top of the results page through advertisements.

It takes just one search and one click for a user to fall victim to the trick. Testament to that is the series of attacks against prominent crypto-currency figures earlier in 2023 as well as a recent spate of incidents Bitdefender investigated in the second part of the year.

This report is based on an investigation into threat actors’ use of a malicious ISO archive to offer business users more than they bargained for. Besides the software it advertised, the malicious ISO file contained a ZIP archive holding a Python executable and its dependencies. One DLL loaded by the python.exe process was set to execute malicious code in the form of a Meterpreter stager, giving the attackers access to the victim’s computer.

Starting with that subset of indicators, Bitdefender researchers were able to identify more artifacts related to the same campaign that seems to have started at least as far back as May 2023. The malicious ISO archives were distributed using malicious ads that impersonated download pages for applications such as AnyDesk, WinSCP, Cisco AnyConnect, Slack, TreeSize and potentially more.
The same campaign seems to have caught the attention of multiple security researchers, and we would like to join their efforts by sharing our own findings.

This malvertising campaign leads to the propagation of the infection after initial exposure. For as long as they dwell in the victim’s network, the attackers’ primary goal is to obtain credentials, set up persistence on important systems and exfiltrate data, with extortion as the end goal. We also noticed attempts to deploy BlackCat ransomware.

Findings at a glance:

  • A threat actor with previous roots in cybercrime has shifted its initial access techniques to search engine advertisements to hijack searches for business applications such as AnyDesk, WinSCP, Cisco AnyConnect, Slack, TreeSize and potentially more;
  • Our research shows that the actor(s) has successfully used this type of attack since late May 2023.
  • Based on our threat insights, attackers seem to exclusively focus on North America. Until now, we have identified six target
    organizations in the US and one in Canada.

Indicators of Compromise

An up-to-date, complete list of indicators of compromise is available to  Bitdefender Advanced Threat Intelligence users. Currently known indicators of compromise can be found in the whitepaper below.

Download the research paper

tags

Whitepapers Anti-Malware Research

Author

Victor VRABIE

Victor VRABIE

Victor VRABIE is a security researcher at Bitdefender Iasi, Romania. Focusing on malware research, advanced persistent threats and cybercrime investigations, he's also a graduate of Computer Sciences.

View all posts
Alexandru MAXIMCIUC

Alexandru MAXIMCIUC

I'm a veteran security researcher with more than a decade of experience. His research is mostly focused on exploits, advanced persistent threats, cybercrime investigations, and packing technologies.

View all posts

Right now Top posts

Infected Minecraft Mods Lead to Multi-Stage, Multi-Platform Infostealer Malware
Anti-Malware Research

Infected Minecraft Mods Lead to Multi-Stage, Multi-Platform Infostealer Malware

June 08, 2023

5 min read
Vulnerabilities identified in Amazon Fire TV Stick, Insignia FireOS TV Series
IoT Research Whitepapers

Vulnerabilities identified in Amazon Fire TV Stick, Insignia FireOS TV Series

May 02, 2023

2 min read
EyeSpy - Iranian Spyware Delivered in VPN Installers
Anti-Malware Research Whitepapers

EyeSpy - Iranian Spyware Delivered in VPN Installers

January 11, 2023

2 min read
Bitdefender Partnership with Law Enforcement Yields MegaCortex Decryptor
Anti-Malware Research Free Tools

Bitdefender Partnership with Law Enforcement Yields MegaCortex Decryptor

January 05, 2023

1 min read

FOLLOW US ON SOCIAL MEDIA

You might also like

New macOS Backdoor Written in Rust Shows Possible Link with Windows Ransomware Group
Anti-Malware Research

New macOS Backdoor Written in Rust Shows Possible Link with Windows Ransomware Group
Andrei LAPUSNEANU

February 08, 2024

9 min read
Investigating Worldwide SMS Scams, and Tens of Millions of Dollars in Fraud
Anti-Malware Research

Investigating Worldwide SMS Scams, and Tens of Millions of Dollars in Fraud
Vulnerabilities identified in Bosch BCC100 Thermostat
IoT Research

Vulnerabilities identified in Bosch BCC100 Thermostat
Bitdefender

January 11, 2024

4 min read

Bookmarks

loader