Threat actors are spreading malware through Google Ads.

Published at: 2023-11-15 08:36

Google ads are being abused to deploy malware.

Cybercriminals are employing Google advertisements and search engine optimization (SEO) strategies to lure individuals into clicking on links that contain malicious software.

As reported by cybersecurity firm Secureworks, these malicious actors are using trojanized installers promoted through ads to distribute the Bumblebee malware. The installers pose as software from various reputable companies, including Zoom, Citrix Workspace, Cisco AnyConnect, and OpenAI's ChatGPT. For instance, Secureworks researchers discovered that a malicious actor not only built a trojanized installer for Cisco AnyConnect but also created a counterfeit download page to deliver it. This was accomplished by exploiting a compromised WordPress site.

Once a victim has downloaded the Bumblebee malware, perpetrators frequently use it to initiate ransomware attacks on the compromised device. In one case, Secureworks researchers observed that the malicious actor moved laterally across the device, downloading and executing various applications and software programs, including legitimate remote access tools like AnyDesk and Dameware, as well as the penetration testing tool Cobalt Strike.

By utilizing paid Google ads and SEO techniques on their fraudulent download pages, malicious actors ensure that their Trojanized and tainted uploads appear prominently in Google search results. This positioning increases the likelihood of unsuspecting victims clicking on these malicious links.

An illustrative incident occurred on January 15, 2023, when a prominent cryptocurrency and NFT influencer, NFT God, reported a significant breach of their digital assets. Hackers gained unauthorized access and pilfered a substantial amount of funds and NFTs from their digital wallet. The attackers exploited a poisoned ad installer disguised as legitimate video streaming software, OBS, to access the victim's funds.

Cibera VPN Team