Google Pay-Per-Click Ads in Search Lead to Download of Redline, Taurus, Tesla & Amadey Malware

In a recent report, researchers state that attackers are abusing Google AdWords to distribute malware through pay-per-click (PPC) ads on Google Search.

The researchers recently observed threat actors using Google's pay-per-click ads to spread malware such as Redline, Taurus, Tesla, and Amadey.

According to Morphisec's analysis, pay-per-click (PPC) advertisements in Google's search results were leading users to download malicious packages of AnyDesk, Dropbox, and Telegram, packaged as ISO images.

How These Attack Chains Work

Unlike the others, the Mini-Redline infostealer uses several communication channels, though it still relies on a direct TCP socket connection as well.

Redline is an infostealer commonly sold on underground forums, and the websites distributing it are signed with a Sectigo certificate.

Google Scanning Failed

The researchers confirmed that clicking the download button on these sites redirects the visitor to a script that validates the visitor's IP address and then delivers the artifacts from a remote site.


Why did Google's scanning fail? This is a major concern. Google answered that it uses proprietary technology and malware detection tools and regularly scans all ad activity.

Mini-Redline infostealer sites are signed with Cloudflare certificates, like the Taurus infostealer sites. Here, however, the ISO file is padded with junk zero bytes to inflate its size.
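As an added illustration, not code from Morphisec's report, the following Python triage check flags an ISO 9660 image whose tail is mostly zero padding, the inflation technique described above. The padding threshold and the constructed sample image are assumptions for the demonstration; the ISO 9660 signature offset is the standard one.

```python
"""Triage check for zero-padded ISO images (constructed example, not from the report)."""

ISO_PVD_OFFSET = 0x8000   # ISO 9660 primary volume descriptor lives in sector 16
ISO_MAGIC = b"\x01CD001"  # descriptor type 1 followed by the standard identifier
CHUNK = 1 << 20           # scan the zero tail backwards in 1 MiB chunks


def is_iso9660(data: bytes) -> bool:
    """True if the blob carries the ISO 9660 PVD signature at sector 16."""
    return data[ISO_PVD_OFFSET:ISO_PVD_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC


def trailing_zero_bytes(data: bytes) -> int:
    """Length of the run of 0x00 bytes at the end of the blob."""
    end = len(data)
    while end > 0:
        start = max(0, end - CHUNK)
        stripped = data[start:end].rstrip(b"\x00")
        if stripped:
            return len(data) - (start + len(stripped))
        end = start
    return len(data)


def triage_iso(data: bytes, max_padding_ratio: float = 0.5) -> dict:
    """Report whether an ISO looks artificially inflated with a zero tail.

    The 50% ratio is an assumed triage threshold, not a value from the report.
    """
    padding = trailing_zero_bytes(data)
    ratio = padding / len(data) if data else 0.0
    return {
        "is_iso": is_iso9660(data),
        "size": len(data),
        "trailing_zero_bytes": padding,
        "padding_ratio": round(ratio, 3),
        "suspicious": is_iso9660(data) and ratio >= max_padding_ratio,
    }


def build_sample(payload_len: int, padding_len: int) -> bytes:
    """Constructed stand-in for a padded ISO: system area, PVD, payload, zero tail."""
    system_area = bytes(ISO_PVD_OFFSET)
    pvd = ISO_MAGIC.ljust(2048, b"\x20")
    payload = bytes((i * 7 + 3) % 251 + 1 for i in range(payload_len))  # never 0x00
    return system_area + pvd + payload + bytes(padding_len)


if __name__ == "__main__":
    print(triage_iso(build_sample(4096, 200_000)))
```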

Taurus Infostealer

Redline infostealer
Taurus infostealer
Mini-Redline infostealer

Taurus infostealer is delivered in much the same way, through the third paid ad in a search for popular apps such as AnyDesk, Dropbox, and Telegram. Its websites are signed with a legitimate Cloudflare certificate.

Nevertheless, the attackers can quickly swap out the websites behind these ads, since these malvertising campaigns are not sophisticated attacks.

The main goal of this malware is to harvest information from web browsers, such as:

Saved credentials
Autocomplete data
Credit card information

Incidents like these show that, at present, even the top search results on Google cannot be trusted.

Google responded that it strictly prohibits ad campaigns that connect with fourth parties or sub-syndicate to unapproved advertisers who serve ads distributing malware.

The Taurus site performed no redirects to other sites; instead, the download is served in response to a submitted form handled by “get.php”. In other words, the site itself delivers the malicious bundles of those popular apps, packaged as ISO images.

Redline Infostealer


After examining these attack chains, the researchers found that two of the malware families, Taurus and Redline, use the same patterns, certificates, and command-and-control (C2) servers.

Mini-Redline Infostealer

Websites receiving traffic from the PPC ads

Google also imposed a three-month suspension on the advertiser account whose ads contained malware.

The researchers kept a close eye on pay-per-click (PPC) advertisements in Google Search, and after a lengthy investigation they determined that the threat actors are using three attack chains, one each for the Redline, Taurus, and Mini-Redline infostealers.