Beware! Advertisements mimicking popular software tools are being used in a widespread malicious campaign that distributes different info-stealers. According to researchers, attackers are primarily leveraging the campaign to deliver IcedID trojan, followed by Vidar Stealer.
What’s the matter?
Active since November 2022, the malvertising campaign lured victims through search engine advertisements that impersonated popular software such as Audacity, Blender, and GIMP.
The attackers bought the advertisements to achieve a higher search engine ranking for software-related queries.
Unsuspecting users who clicked on these advertisements are redirected to a malicious website that looked similar to the original website. However, the domain names differed.
Once the user clicked on the download button, an exe file masquerading as an installer is downloaded on their systems.
In total, 92 domains mimicking different software were identified that could have been or could still be used to distribute IcedID.
Cyble security researchers reported that Rhadamanthys was propagated via Google Ads mimicking AnyDesk, Zoom, Bluestacks, and Notepad++, and was used to steal information from web browsers, cryptowallets, and messaging applications.
In another incident, Microsoft researchers shared details about the abuse of Google Ads by DEV-0569 to deliver BatLoader. The group had mimicked Microsoft Teams, Adobe Flash Player, and LogMeIn as part of the propagation process.
Info-stealers gaining traction among cybercriminals
Owing to the wide range of capabilities, info-stealers have become widely used malware among cybercriminals. The demand is too high that these malware dominate several underground market forums.
RedLine stealer remains at the top and was used in 56% of attacks between July and October 2022.
Aurora, META, Whisper, Gomorrah v5, Erbium, BlackICe, Psigo, and AcridRain are among the others that are gaining popularity on dark web forums.
The sale of these new malware strains, combined with the availability of info-stealer malware source code, will lead to increased sales of victim data on underground marketplaces.
As the latest attack campaign primarily leverages legitimate-looking fake websites to deliver malware, users must cross-check the legitimacy of these sites before downloading any installers. It is also recommended to use MFA across all accounts to mitigate info-stealer malware threats.