https://arstechnica.com/information-technology/2023/02/until-further-notice-think-twice-before-using-google-to-download-software/

Skip to main content
 

  * Biz & IT
  * Tech
  * Science
  * Policy
  * Cars
  * Gaming & Culture
  * Store
  * Forums

Subscribe
 
[                    ]
Close
 

Navigate

  * Store
  * Subscribe
  * Videos
  * Features
  * Reviews

  * RSS Feeds
  * Mobile Site

  * About Ars
  * Staff Directory
  * Contact Us

  * Advertise with Ars
  * Reprints

Filter by topic

  * Biz & IT
  * Tech
  * Science
  * Policy
  * Cars
  * Gaming & Culture
  * Store
  * Forums

Settings

Front page layout


Grid

List

Site theme

light
dark
Sign in

MALVERTISING AS A SERVICE --

Until further notice, think twice before using Google to download
software

Over the past month, Google has been outgunned by malvertisers with
new tricks.

Dan Goodin - Feb 3, 2023 1:29 pm UTC

Until further notice, think twice before using Google to download
software
Enlarge
Getty Images

reader comments

125 with 0 posters participating

Share this story

  * Share on Facebook
  * Share on Twitter
  * Share on Reddit

Searching Google for downloads of popular software has always come
with risks, but over the past few months, it has been downright
dangerous, according to researchers and a pseudorandom collection of
queries.

"Threat researchers are used to seeing a moderate flow of
malvertising via Google Ads," volunteers at Spamhaus wrote on
Thursday. "However, over the past few days, researchers have
witnessed a massive spike affecting numerous famous brands, with
multiple malware being utilized. This is not 'the norm.'"

One of many new threats: MalVirt

The surge is coming from numerous malware families, including
AuroraStealer, IcedID, Meta Stealer, RedLine Stealer, Vidar,
Formbook, and XLoader. In the past, these families typically relied
on phishing and malicious spam that attached Microsoft Word documents
with booby-trapped macros. Over the past month, Google Ads has become
the go-to place for criminals to spread their malicious wares that
are disguised as legitimate downloads by impersonating brands such as
Adobe Reader, Gimp, Microsoft Teams, OBS, Slack, Tor, and
Thunderbird.

On the same day that Spamhaus published its report, researchers from
security firm Sentinel One documented an advanced Google malvertising
campaign pushing multiple malicious loaders implemented in .NET.
Sentinel One has dubbed these loaders MalVirt. At the moment, the
MalVirt loaders are being used to distribute malware most commonly
known as XLoader, available for both Windows and macOS. XLoader is a
successor to malware also known as Formbook. Threat actors use
XLoader to steal contacts' data and other sensitive information from
infected devices.

The MalVirt loaders use obfuscated virtualization to evade end-point
protection and analysis. To disguise real C2 traffic and evade
network detections, MalVirt beacons to decoy command and control
servers hosted at providers including Azure, Tucows, Choopa, and
Namecheap. Sentinel One researcher Tom Hegel wrote:

    As a response to Microsoft blocking Office macros by default in
    documents from the Internet, threat actors have turned to
    alternative malware distribution methods--most recently,
    malvertising. The MalVirt loaders we observed demonstrate just
    how much effort threat actors are investing in evading detection
    and thwarting analysis.

    Malware of the Formbook family is a highly capable infostealer
    that is deployed through the application of a significant amount
    of anti-analysis and anti-detection techniques by the MalVirt
    loaders. Traditionally distributed as an attachment to phishing
    emails, we assess that threat actors distributing this malware
    are likely joining the malvertising trend.

    Given the massive size of the audience threat actors can reach
    through malvertising, we expect malware to continue being
    distributed using this method.

Google representatives declined an interview. Instead, they provided
the following statement:

Advertisement


    Bad actors often employ sophisticated measures to conceal their
    identities and evade our policies and enforcement. To combat this
    over the past few years, we've launched new certification
    policies, ramped up advertiser verification, and increased our
    capacity to detect and prevent coordinated scams. We are aware of
    the recent uptick in fraudulent ad activity. Addressing it is a
    critical priority and we are working to resolve these incidents
    as quickly as possible.

Anecdotal evidence that Google malvertising is out of control isn't
hard to come by. Searches seeking software downloads are probably the
most likely to turn up malvertising. Take, for instance, the results
Google returned for a search Thursday looking for "visual studio
download":

[visual-studio-malvert02-640x290]
Enlarge

Clicking that Google-sponsored link redirected me to downloadstudio
[.]net, which is flagged by VirusTotal as malicious by only a single
endpoint provider:

[download-studio-640x367]
Enlarge

On Thursday evening, the download this site offered was detected as
malicious by 43 antimalware engines:

[dsstudio]
Enlarge

The download is malicious:

[ds-setup]
Enlarge
Page: 1 2 Next -

reader comments

125 with 0 posters participating

Share this story

  * Share on Facebook
  * Share on Twitter
  * Share on Reddit

 
Dan Goodin Dan is the Security Editor at Ars Technica, which he
joined in 2012 after working for The Register, the Associated Press,
Bloomberg News, and other publications. Find him on Mastodon at:
https://infosec.exchange/@dangoodin Email dan.goodin@arstechnica.com
Advertisement

Channel Ars Technica

- Previous story Next story -

Related Stories

Today on Ars

  * Store
  * Subscribe
  * About Us
  * RSS Feeds
  * View Mobile Site

  * Contact Us
  * Staff
  * Advertise with us
  * Reprints

Newsletter Signup

Join the Ars Orbital Transmission mailing list to get weekly updates
delivered to your inbox.

Sign me up -
 

CNMN Collection
WIRED Media Group
(c) 2023 Conde Nast. All rights reserved. Use of and/or registration on
any portion of this site constitutes acceptance of our User Agreement
(updated 1/1/20) and Privacy Policy and Cookie Statement (updated 1/1
/20) and Ars Technica Addendum (effective 8/21/2018). Ars may earn
compensation on sales from links on this site. Read our affiliate
link policy.
Your California Privacy Rights | Do Not Sell My Personal Information
The material on this site may not be reproduced, distributed,
transmitted, cached or otherwise used, except with the prior written
permission of Conde Nast.
Ad Choices