Google Pay-Per-Click Ads in Search Lead to download Redline, Taurus, Tesla & Amadey Malware

Cybersecurity researchers have recently identified that threat actors are now abusing Google pay-per-click (PPC) ads to promote their malware, including Redline, Taurus, Tesla and Amadey.

According to an analysis by Morphisec, pay-per-click (PPC) ads in Google's search results page are leading users to download malicious bundles of AnyDesk, Dropbox and Telegram that are packaged as ISO images.

In its report, the researchers stated that hackers are abusing Google AdWords to promote malware via PPC (pay-per-click) ads on Google Search.

Working System of These Attack Chains

Incidents like these show plainly that, at present, even the top search result on Google cannot be trusted.

For example, the third paid ad in a search for popular apps such as AnyDesk, Dropbox and Telegram dispatched the Taurus infostealer, and the website behind it was signed with a genuine Cloudflare certificate.

Three infostealers are delivered through these ads, each via its own attack chain:

Redline infostealer.
Taurus infostealer.
Mini-Redline infostealer.


Morphisec's report lists the websites that receive the traffic from the PPC ads.

The researchers verified that clicking the download button on these sites leads to the execution of a script that validates the visitor's IP address and then delivers the artifacts from a remote website.

Why Google Scanning Failed

This is a major concern. Google responded that it uses proprietary technology and malware detection tools and regularly scans all activity that occurs on its platform.

Google also places a three-month suspension on the advertiser account of any buyer whose ads contain malware.

Google further responded that it strictly prohibits advertising campaigns that attempt to link to a fourth party, or to sub-syndicate to unapproved marketers, who then start pulling in ads that distribute malware.

Taurus Infostealer

Taurus downloads its results from a submitted form that is handled by "get.php"; in the case of the Taurus site there were no redirects to other websites. In brief, it uses the website directly to deliver the malicious packages of those popular apps, disguised as ISO images.

Redline Infostealer

The Redline infostealer is a type of malware commonly found on underground forums, and the websites of this infostealer are signed with a Sectigo certificate.

The primary purpose of this malware is to gather data from browsers, such as:

Saved credentials.
Autocomplete information.
Credit card details.

After examining these attack chains, the researchers found that the two malware families, Taurus and Redline, use the exact same patterns, certificates and command-and-control servers (C2s).

Mini-Redline Infostealer

Unlike the others, the Mini-Redline infostealer uses different communication channels; however, it still also uses a direct TCP socket connection.

Mini-Redline infostealer sites are signed with Cloudflare certificates, much like the Taurus infostealer websites. Here, however, the ISO file is stuffed with unwanted zeros to increase its size.
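The zero-stuffing described for Mini-Redline above (padding the ISO to inflate its size) is something a defender can screen for on downloaded images. The following is an added example, not code from Morphisec or from this article: a Python scanner that measures the longest run of NUL bytes and the overall NUL ratio of a file; the thresholds in looks_padded and the build_sample stand-in for a padded ISO are assumptions made for illustration.

```python
import os
import re
import tempfile


def zero_padding_stats(path, chunk_size=1 << 20):
    """Return (size, zero_bytes, longest_zero_run) for the file at `path`.

    Reads in chunks so a multi-GB ISO is never loaded whole; a NUL run that
    spans a chunk boundary is stitched together across iterations.
    """
    size = zeros = longest = current = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            zeros += chunk.count(0)
            carry = 0
            for m in re.finditer(rb"\x00+", chunk):
                start, end = m.span()
                # a run starting at offset 0 continues the previous chunk's run
                run = end - start + (current if start == 0 else 0)
                longest = max(longest, run)
                if end == len(chunk):
                    carry = run  # run may continue into the next chunk
            current = carry
    return size, zeros, longest


def looks_padded(path, min_run=4 * 1024 * 1024, min_ratio=0.5, chunk_size=1 << 20):
    """Heuristic: one NUL run of at least `min_run` bytes AND NULs making up
    at least `min_ratio` of the file. Thresholds are assumed values for
    illustration, not figures from the report."""
    size, zeros, longest = zero_padding_stats(path, chunk_size)
    return size > 0 and longest >= min_run and zeros / size >= min_ratio


def build_sample(pad_bytes, directory=None):
    """Write a constructed stand-in for a padded ISO (not a real sample):
    a small non-zero payload, `pad_bytes` NULs, then a short trailer."""
    payload = b"CD001" + bytes(range(1, 256)) * 4  # 1025 bytes, no NULs
    fd, path = tempfile.mkstemp(suffix=".iso", dir=directory)
    with os.fdopen(fd, "wb") as fh:
        fh.write(payload + b"\x00" * pad_bytes + b"END!")
    return path


if __name__ == "__main__":
    sample = build_sample(8 * 1024 * 1024)  # 8 MiB of padding
    print(zero_padding_stats(sample), looks_padded(sample))
    os.remove(sample)
```

Legitimate ISO 9660 images also contain zero-filled regions (the 32 KiB system area and sector padding), so treat a hit as a triage signal to combine with the certificate and domain observations above, not as a verdict on its own.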

The security researchers kept a close eye on the pay-per-click (PPC) ads on Google Search, and after a long investigation concluded that the threat actors are using the three attack chains described above. All of the above-mentioned sites running ads could easily be swapped out by the attackers, because these malvertisements are not advanced attacks.