Cybercriminals are using Google search ads to distribute malware disguised as legitimate ads for Slack. This advanced tactic shows how threat actors are getting better at avoiding security measures and detection.
Increase in Malvertising Attacks
Over the past year, almost 500 malvertising incidents tied to Google search ads have been reported. These cases often show similarities, hinting at coordinated efforts by threat actors. Some attackers employ advanced tactics to bypass security, while others are willing to lose accounts and infrastructure to reach their targets. The attack on Slack stands out for its stealth and sophistication.
Slow cooking
For several days, clicking on the Slack ad simply redirected users to Slack’s official pricing page. Threat actors often delay weaponizing their ads, allowing them to ‘cook’ and avoid immediate detection.
Eventually, the ad’s behavior changed. Instead of redirecting to slack.com, it started redirecting to a click tracker. This is a weak point in the Google ad ecosystem: click-tracking services can be abused to filter clicks and redirect traffic to any domain the advertiser chooses. Tracking templates, which are meant to be a legitimate feature, have become closely associated with fraudulent activity.
The ad’s final URL changed to slack-windows-download[.]com, a domain created less than a week ago. Although the page appeared automatically generated, possibly using AI, it showed nothing malicious. It seems server-side checks determined that only this decoy page should be displayed at that time.
After adjusting settings, we uncovered the malicious page impersonating Slack, offering a download link to deceive victims. This behavior, known as cloaking, displays different content to different users.
The network traffic capture reveals key points:
- The Google ad URL first redirects to a click fraud detection tool, then to a click tracker, making it difficult for Google to trace the user’s final destination.
- The click trackers are likewise unaware of what happens next, since they hand off to a cloaking domain after passing through a single tracking link.
This complex layering makes it challenging to assess an ad without specialized tools and a deep understanding of the threat actors’ tactics.
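To make the layering concrete, the following is an added example (not code from the article or from Malwarebytes) that walks a redirect chain hop by hop, flags a landing host that is not the advertised brand and any hop through the known tracker or cloaking domains, and checks for cloaking by comparing what the same URL serves to two client profiles. The hop map, the ad-click URL and the response bodies are constructed for the example; the tracker, cloaking and decoy hosts are the ones the article lists.

```python
import hashlib
from urllib.parse import urlparse

# Constructed hop map standing in for the live chain the article describes:
# ad click -> click tracker -> cloaking domain -> decoy/malicious landing page.
SAMPLE_HOPS = {
    "https://ad.example/click?advertised=slack.com": "https://slacklink[.]sng[.]link/abc",
    "https://slacklink[.]sng[.]link/abc": "https://haiersi[.]com/gate",
    "https://haiersi[.]com/gate": "https://slack-windows-download[.]com/",
}
TRACKER_HOSTS = {"slacklink.sng.link"}
CLOAKING_HOSTS = {"haiersi.com"}

def host_of(url):
    """Hostname of a URL, tolerating the [.] de-fanging used in IoC lists."""
    return (urlparse(url.replace("[.]", ".")).hostname or "").lower()

def trace_chain(start, resolver=SAMPLE_HOPS.get, max_hops=10):
    """Follow redirects hop by hop. resolver(url) returns the next URL or None."""
    chain, seen = [start], {start}
    while len(chain) <= max_hops:
        nxt = resolver(chain[-1])
        if nxt is None:
            return chain
        if nxt in seen:
            raise ValueError("redirect loop at " + nxt)
        seen.add(nxt)
        chain.append(nxt)
    raise ValueError("more than %d hops" % max_hops)

def assess_chain(chain, advertised_host):
    """Flag a landing host that is not the advertised brand and any known tracker/cloaker hops."""
    hosts, findings = [host_of(u) for u in chain], []
    if hosts[-1] != advertised_host and not hosts[-1].endswith("." + advertised_host):
        findings.append("final host %s is not %s" % (hosts[-1], advertised_host))
    for h in hosts[1:-1]:
        if h in TRACKER_HOSTS:
            findings.append("tracking link: " + h)
        if h in CLOAKING_HOSTS:
            findings.append("cloaking domain: " + h)
    return findings

# Constructed responses: the cloaker serves a harmless decoy to one client profile and the fake download page to another.
SAMPLE_BODIES = {"sandbox": b"<h1>Slack pricing</h1>", "victim": b"<a href=/dl>Download Slack</a>"}

def cloaking_check(url, fetch, profiles):
    """Fetch the same URL once per client profile; differing body hashes indicate cloaking."""
    digests = {p: hashlib.sha256(fetch(url, p)).hexdigest() for p in profiles}
    return len(set(digests.values())) > 1, digests
```

Calling `trace_chain` with the default resolver and passing the result to `assess_chain(chain, "slack.com")` reports the off-brand landing host plus the tracker and cloaking hops; `cloaking_check(chain[-1], lambda u, p: SAMPLE_BODIES[p], SAMPLE_BODIES)` returns True for the constructed responses.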
Malware payload
The download button on the malicious page led to a file from a different domain, hinting at a Zoom-targeting campaign. Sandbox analysis revealed a connection to a server linked to SecTopRAT, a remote access Trojan used in other malvertising schemes, including those posing as NordVPN.
Malwarebytes has updated its detection and reported the ad to Google, while Cloudflare has flagged the decoy domains as phishing sites. Despite these actions, malvertisers continue to use various platforms to avoid detection, showing their persistence and strategic approach.
Indicators of Compromise
Link redirect: slacklink[.]sng[.]link
Cloaking: haiersi[.]com
Decoy sites: slack-windows-download[.]com, slack-download-for-windows[.]com
Payload download: zoom2024[.]online
Payload SHA256: 59e5e07ffa53ad721bc6b4c2ef435e08ae5b1286cda51415303978da474032d2