Google Pay-Per-Click Ads in Search Lead to download Redline, Taurus, Tesla & Amadey Malware

Cybersecurity researchers have recently spotted threat actors abusing Google pay-per-click (PPC) advertising to distribute malware families such as Redline, Taurus, Tesla, and Amadey.

In a report, the experts stated that hackers are abusing Google AdWords to promote malware through PPC advertisements that appear in Google Search results.

After its investigation, Morphisec reported that PPC advertisements in Google's search results lead users to download malicious bundles of AnyDesk, Dropbox, and Telegram that are packaged as ISO images.

Working System of These Attack Chains

The security researchers kept a close eye on the PPC ads shown on Google Search, and after a lengthy investigation they found that the threat actors are using three attack chains:

Redline infostealer.
Taurus infostealer.
Mini-Redline infostealer.

Redline Infostealer.

The Redline infostealer is malware that is commonly found on underground online forums, and the sites distributing this infostealer are signed with a Sectigo certificate.

The primary intention of this malware is to collect data from web browsers, such as:

Saved credentials.
Autocomplete information.
Credit card information.

The researchers verified that clicking the download button on these websites triggers a script that validates the visitor's IP address and then serves the artifacts from a remote site.

Taurus Infostealer.

The Taurus infostealer is delivered in a similar way, through the third paid advertisement shown in a search for popular apps like AnyDesk, Dropbox, and Telegram. Its website is signed with a genuine Cloudflare certificate.

In the case of the Taurus site there were no redirects to other websites: the site itself delivers the malicious bundles of those popular apps, packaged as ISO images, and Taurus retrieves its results from a submitted form that is handled by "get.php".

Mini-Redline Infostealer.

The Mini-Redline infostealer sites are signed with Cloudflare certificates, much like the Taurus infostealer sites. Here, the ISO file is padded with filler bytes to inflate its size.

Unlike the others, the Mini-Redline infostealer uses various communication channels; however, it still also uses a direct TCP socket connection.

After examining these attack chains, the security researchers discovered that two of the malware families, Taurus and Redline, use the very same patterns, certificates, and command-and-control servers (C2s).

Websites that receive traffic from the PPC ads:

hxxps://me.anydesk-pro[.]com
hxxps://desklop.telegram-home[.]com
hxxps://pc.anydesk-go[.]com
hxxps://desklop.anydesk-new[.]com
hxxps://desklop.pc-whatisapp[.]com
hxxps://anydesk-en-downloads[.]com
hxxps://anydesk-one[.]com
hxxps://anydesk-top[.]com
hxxps://anydesk-connect[.]com
hxxps://anydesk-vip[.]com

Nevertheless, all of the above-mentioned sites running advertisements might be quickly swapped out by the adversaries, since these malvertisements are not advanced attacks.

Google Scanning Failed

Why did Google's scanning fail? This is a major concern. Google answered that it uses proprietary technology and malware detection tools and regularly scans all the activity on its platform.

Google also responded that it strictly prohibits advertising campaigns that attempt to connect with third parties or use any sub-syndication to unapproved advertisers that start serving ads distributing malware.

Not only that, Google also placed a three-month suspension on the ad account of any buyer whose ads contain malware.

Events of this kind clearly illustrate that, at present, we cannot even trust the top search results on Google.
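The delivery sites listed above share two traits a defender can hunt for: the hostname carries a brand name (or a near-misspelling of it, as in "whatisapp") on a domain the brand does not own, and the payload arrives as an ISO download or via a form post to "get.php". The following Python is an added detection example written for this article; it is not code from Morphisec or from the malware campaign. The proxy log lines are constructed, the allowlist of legitimate brand domains is an assumption a deployment would maintain itself, and the registrable-domain check is a deliberate simplification (last two labels) rather than a public-suffix-list lookup.

```python
import re
from urllib.parse import urlsplit

# Brands impersonated in the campaign, mapped to the registrable domains that
# legitimately serve them. Assumed allowlist for this example only.
BRAND_LEGIT = {
    "anydesk": {"anydesk.com"},
    "telegram": {"telegram.org", "t.me"},
    "whatsapp": {"whatsapp.com"},
    "dropbox": {"dropbox.com"},
}

# Constructed proxy log lines (not real traffic): time client method url status bytes
LOG_LINES = [
    "2021-06-10T09:12:01Z 10.0.0.5 GET https://www.anydesk.com/en/downloads 200 18233",
    "2021-06-10T09:13:44Z 10.0.0.5 GET https://me.anydesk-pro.com/ 200 5121",
    "2021-06-10T09:13:59Z 10.0.0.5 GET https://me.anydesk-pro.com/download/AnyDesk.iso 200 94371840",
    "2021-06-10T09:20:10Z 10.0.0.7 POST https://desklop.pc-whatisapp.com/get.php 200 812",
    "2021-06-10T09:25:33Z 10.0.0.9 GET https://t.me/example 200 2201",
]


def edit_distance(a, b):
    """Levenshtein distance; catches one-character misspellings like 'whatisapp'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Naive eTLD+1: the last two labels. Sufficient for the .com lookalikes on
    the page; production code should consult the public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_brands(host):
    """Return brands whose name (or a 1-edit misspelling of it) appears in a
    hostname label while the registrable domain is not one the brand owns."""
    host = host.lower()
    rd = registrable_domain(host)
    hits = []
    for token in re.split(r"[.\-_]", host):
        for brand, legit in BRAND_LEGIT.items():
            # fuzzy matching only on tokens long enough to be meaningful
            fuzzy = len(token) >= 5 and edit_distance(token, brand) <= 1
            if (brand in token or fuzzy) and rd not in legit and brand not in hits:
                hits.append(brand)
    return hits


def analyze_log(lines):
    """Flag requests to brand-lookalike hosts and record the two delivery
    traits described in the article: ISO downloads and form posts to get.php."""
    findings = []
    for line in lines:
        _ts, _client, method, url, _status, _size = line.split()
        parts = urlsplit(url)
        host = parts.hostname or ""
        brands = lookalike_brands(host)
        if not brands:
            continue
        path = parts.path.lower()
        findings.append({
            "host": host,
            "brands": brands,
            "iso_download": path.endswith(".iso"),
            "form_post": method == "POST" and path.endswith("/get.php"),
        })
    return findings


if __name__ == "__main__":
    for finding in analyze_log(LOG_LINES):
        print(finding)
```

Run against the constructed lines, the legitimate anydesk.com and t.me requests pass, while the three requests to me.anydesk-pro.com and desklop.pc-whatisapp.com are flagged; the ISO fetch and the POST to get.php carry the extra markers that justify escalating from "suspicious domain" to "likely payload delivery". Because the ad-driven domains rotate quickly, matching on brand tokens rather than on a fixed list of hosts is what keeps the rule useful after the sites in the article have been replaced.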