Threat actor impersonates Google via fake ad for Authenticator

We have previously reported on the brand impersonation problem with Google ads: users who search for popular keywords are shown malicious ads that purport to be from an official vendor.

Not only does this trick innocent victims into downloading malware or losing their data to phishing sites, it also erodes trust in brands and, by association, in Google Search itself.

Today, we show yet another example of brand misuse, except that this one targets Google itself. If you were trying to download the popular Google Authenticator (a multi-factor authentication program) via a Google search in the past few days, you may have inadvertently installed malware on your computer.

The same distribution site and the same payload were previously reported by sandbox maker AnyRun. In this blog post, we'll reveal the missing piece at the top of the killchain, namely the Google ad that was involved in tricking users into visiting a decoy website.

Trust but 'verified'?

The core issue with brand impersonation comes from ads that appear as if they were from official sources, with advertisers' identities verified by Google. This was the case here with this ad for Authenticator:

The truth is that Larry Marr has nothing to do with Google, and is likely a fake account. We can follow what happens when you click on the ad by monitoring web traffic. We see a number of redirects via intermediary domains controlled by the attacker, before landing on a fake site for Authenticator.

Fake site leads to signed payload hosted on GitHub

The fraudulent site chromeweb-authenticators[.]com was registered via NICENIC INTERNATIONAL GROUP CO., LIMITED on the same day the ad was observed.

Looking at the site's source code, we can see the code responsible for downloading Authenticator.exe from GitHub. Note the comments from the author in Russian:

Hosting the file on GitHub allows the threat actor to use a trusted cloud resource that is unlikely to be blocked by conventional means. While GitHub is the de facto software repository, not all applications or scripts hosted on it are legitimate. In fact, anyone can create an account and upload files, which is exactly what the threat actor did under the username authe-gogle, creating the authgg repository that contains the malicious Authenticator.exe:

Looking at the file itself, we can see that it has been digitally signed by "Songyuan Meiying Electronic Products Co., Ltd." just one day before, and the signature is still valid at the time of writing:

The malware, DeerStealer, is a type of stealer that will collect and exfiltrate your personal data via an attacker-controlled website hosted at vaniloin[.]fun.

Conclusion

Threat actors have been abusing Google ads as a way to trick users into visiting phishing and malware sites. Since the whole premise of these attacks relies on social engineering, it is absolutely critical to properly distinguish real advertisers from fake ones.

As we saw in this case, some unknown individual was able to impersonate Google and successfully push malware disguised as a branded Google product as well.

We should note that Google Authenticator is a well-known and trusted multi-factor authentication tool, so there is some irony in potential victims getting compromised while trying to improve their security posture. We recommend not clicking on ads to download any kind of software and instead visiting the official repositories directly.

Malwarebytes blocks access to the fake Authenticator website, and we detect the payload as Spyware.DeerStealer.

Indicators of Compromise

Malicious domains

vcczen[.]eu
tmdr7[.]mom
chromeweb-authenticators[.]com

Payload (stealer)

5d1e3b113e15fc5fd4a08f41e553b8fd0eaace74b6dc034e0f6237c5e10aa737

C2

vaniloin[.]fun
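The indicators above are published defanged, so a defender has to refang them and match them against telemetry that covers the whole chain: the tracking redirects, the fake site, the GitHub download, the file on disk, and the C2 upload. The following Python script is an added example, not code from the Malwarebytes post, that does exactly that over a few constructed proxy and EDR-style log lines. The log formats, the hostnames, the IP address and the timestamps are assumptions made for the example; the domains, the GitHub account and the SHA-256 come from the post. Subdomains of a listed domain are treated as hits, and the GitHub account is matched as a URL prefix because github.com itself is not malicious.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the post above, kept in the defanged form in which they are published.
MALICIOUS_DOMAINS = [
    "vcczen[.]eu",                     # redirect chain
    "tmdr7[.]mom",                     # redirect chain
    "chromeweb-authenticators[.]com",  # fake Authenticator site
    "vaniloin[.]fun",                  # DeerStealer C2
]
# GitHub account named in the post; matched as a URL prefix since github.com itself is legitimate.
MALICIOUS_URL_PREFIXES = ["https://github.com/authe-gogle/"]
PAYLOAD_SHA256 = {"5d1e3b113e15fc5fd4a08f41e553b8fd0eaace74b6dc034e0f6237c5e10aa737"}


def refang(indicator):
    """Turn a defanged indicator ('vaniloin[.]fun', 'hxxps://...') back into its real form."""
    return indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")


KNOWN_BAD_DOMAINS = {refang(d) for d in MALICIOUS_DOMAINS}


def domain_matches(hostname):
    """Return the matching indicator if hostname is a known-bad domain or a subdomain of one, else None."""
    host = hostname.lower().rstrip(".")
    for bad in KNOWN_BAD_DOMAINS:
        if host == bad or host.endswith("." + bad):
            return bad
    return None


# Assumed (hypothetical) log formats used by this example:
#   proxy: "<ts> <client-ip> <METHOD> <url> <status>"
#   EDR:   "<ts> <hostname> file_create path=<path> sha256=<hex>"
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
FILE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) file_create path=(?P<path>\S+) sha256=(?P<sha>[0-9a-fA-F]{64})$")


def scan_line(line):
    """Return a hit dict if the line touches a known indicator, else None."""
    m = PROXY_RE.match(line)
    if m:
        url = m.group("url")
        host = urlsplit(url).hostname or ""
        hit = domain_matches(host)
        if hit is None:
            hit = next((p for p in MALICIOUS_URL_PREFIXES if url.lower().startswith(p)), None)
        if hit is None:
            return None
        return {"type": "network", "ts": m.group("ts"), "src": m.group("src"), "indicator": hit, "url": url}
    m = FILE_RE.match(line)
    if m and m.group("sha").lower() in PAYLOAD_SHA256:
        return {"type": "file", "ts": m.group("ts"), "src": m.group("host"),
                "indicator": m.group("sha").lower(), "path": m.group("path")}
    return None


def scan_log(lines):
    """Scan an iterable of log lines and return every hit, in log order."""
    return [hit for hit in (scan_line(line) for line in lines) if hit is not None]


# Constructed sample telemetry (not real data) that walks the chain described in the post:
# search -> tracking redirects -> fake site -> GitHub download -> file on disk -> C2 upload.
SAMPLE_LOG = [
    "2024-07-30T10:01:02Z 10.0.0.15 GET https://www.google.com/search?q=google+authenticator 200",
    "2024-07-30T10:01:05Z 10.0.0.15 GET https://vcczen.eu/track?id=abc123 302",
    "2024-07-30T10:01:06Z 10.0.0.15 GET http://cdn.tmdr7.mom/go 302",
    "2024-07-30T10:01:07Z 10.0.0.15 GET https://chromeweb-authenticators.com/ 200",
    "2024-07-30T10:01:20Z 10.0.0.15 GET https://github.com/authe-gogle/authgg 200",
    r"2024-07-30T10:02:00Z WS-0015 file_create path=C:\Users\jane\Downloads\Authenticator.exe sha256=5d1e3b113e15fc5fd4a08f41e553b8fd0eaace74b6dc034e0f6237c5e10aa737",
    "2024-07-30T10:02:30Z 10.0.0.15 POST https://vaniloin.fun/api/upload 200",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Run against the sample, the Google search line produces no hit while the six lines that follow each match one indicator, which is the pattern worth alerting on: a single client touching a redirect domain, the fake site and the C2 within minutes, with the payload hash appearing on the matching endpoint in between. The GitHub prefix match is kept separate from the domain list on purpose, so the rule does not turn into a block on github.com.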
