Most, if not all malvertising incidents result from a threat actor either injecting code within an existing ad, or intentionally creating one. Today, we look at a different scenario where, as strange as that may sound, malvertising was entirely accidental.
The reason this happened was due to the combination of two separate factors: a compromised website and Google Dynamic Search Ads.
Unbeknownst to the site owner, one of their ads was automatically created to promote a popular program for Python developers, and visible to people doing a Google search for it. Victims who clicked on the ad were taken to a hacked webpage with a link to download the application, which turned out to install over a dozen different pieces of malware instead.
Compromised website promotes software crack
While we identified the compromised ad before the website, we will first describe what happens from the point of view of the site owner to better understand what led to the ad creation in the first place.
This website is for a business that specializes in wedding planning and their portfolio includes testimonials from previous customers sharing their story and experience. Unfortunately, some of those pages have been injected with malware that spams malicious content into them.
In particular, it changes the page's title and creates an overlay that promotes a serial key for various software programs. For example, the screenshot below shows that overlay advertising a license key for Pycharm, a popular program used by software developers:
Malvertising via Dynamic Search Ad
Dynamic Search Ads (DSA) are a type of Google ads that use the content of a website to automate the creation of ads. While this feature is very handy for advertisers, it also comes with the unlikely but potential for abuse. Indeed, if someone is able to modify the website's content without the owner's knowledge, automated ads may be entirely misleading.
Circling back to where our investigation started, this is what we first saw when doing a Google search for 'pycharm'. The ad's headline is showing "JetBrains PyCharm Professional" while the content snippet has gathered a bunch of keywords related to the wedding business. Obviously, there is a discrepancy here between what the ad's title promotes (a program for developers) and the ad's description (wedding planning).
What happened here is Google Ads dynamically generated this ad from the hacked page, which makes the website owner an unintentional intermediary and victim paying for their own malicious ad.
Fake serial leads to malware bonanza
People searching for PyCharm may not take the time to read the ad's description, but instead will simply click on the headline. From there, they will be redirected to the compromised page showing the overlay with the link to download the serial key. While not everyone will proceed at this point, those who do will have an experience they aren't likely to forget:
Running this installer will result in a deluge of malware infections the like we have only seen on rare occasions, rendering the computer completely unusable:
Sometimes, an unexperienced criminal may want to monetize as many software loads as possible in order to earn a commission on each. Clearly this is not an elegant attack as the victim will be aware their computer has been loaded with unwanted programs.
Whatever the case may be, downloading cracks or serial keys is akin to walking across a mine field, and you typically only do it once.
Summary
This incident is not your typical malvertising case and in fact, it's unlikely that whoever hacked that website was even aware of this happening. Compromised sites can be monetized in many different ways and usually threat actors expect traffic to come from organic search results, not ads.
From an ad quality point of view, this would be difficult to detect in the sense that the ad has been paid for by a legitimate business and takes users to the correct destination. There is no malicious redirect to a fake domain that attempts to deceive users like we have seen before.
Google may be able to detect that the website has been compromised because it contains spam injections. If that is the case, Dynamic Search Ads may inadvertently promote malicious content.
We recommend users to practice safe browsing and always be cautious with sponsored content. Downloading cracked software has never been a good idea, but if you do, always make sure it is clean before you run it.
We have informed the wedding planner business that their website is currently compromised and leading to malicious content.
Malwarebytes already detected all the payloads with its anti-malware and heuristic engines:
Indicators of Compromise
Download URL for fake serial:
eplangocview[.]com/wp-download/File.7z
Subsequent malware download URLs:
roberthamilton[.]top/timeSync[.]exe
109[.]107[.]182[.]2/race/bus50[.]exe
171[.]22[.]28[.]226/download/Services[.]exe
experiment[.]pw/setup294[.]exe
medfioytrkdkcodlskeej[.]net/987123[.]exe
171[.]22[.]28[.]226/download/WWW14_64[.]exe
185[.]172[.]128[.]69/newumma[.]exe
194[.]169[.]175[.]233/setup[.]exe
171[.]22[.]28[.]221/files/Ads[.]exe
171[.]22[.]28[.]213/3[.]exe
lakuiksong[.]known[.]co[.]ke/netTimer[.]exe
stim[.]graspalace[.]com/order/tuc19[.]exe
neuralshit[.]net/1298d7c8d865df39937f1b0eb46c0e3f/7725eaa6592c80f8124e769b4e8a07f7[.]exe
pic[.]himanfast[.]com/order/tuc15[.]exe
85[.]217[.]144[.]143/files/My2[.]exe
galandskiyher5[.]com/downloads/toolspub1[.]exe
gobr1on[.]top/build[.]exe
flyawayaero[.]net/baf14778c246e15550645e30ba78ce1c[.]exe
632432[.]space/385118/setup[.]exe
yip[.]su/RNWPd[.]exe
potatogoose[.]com/1298d7c8d865df39937f1b0eb46c0e3f/baf14778c246e15550645e30ba78ce1c[.]exe
185[.]216[.]71[.]26/download/k/KL[.]exe
walkinglate[.]com/watchdog/watchdog[.]exe
walkinglate[.]com/uninstall[.]exe