Businesses use Google Ads to display advertisements to target audiences and increase traffic and sales. Since early December, IcedID botnet distributors have been abusing the same platform, a technique also referred to as SEO poisoning, to lure search engine users into visiting fake sites that lead to malware downloads.

Malvertising through Google Ads

Attackers are selecting and ranking keywords used by popular brands and applications to hijack Google pay-per-click (PPC) Ads, displaying malicious ads above the organic search results.
  • Trend Micro researchers revealed that attackers are hijacking the keywords used by Adobe, AnyDesk, Brave Browser, Chase Bank, Discord, Fortinet, GoTo, TeamViewer, Thunderbird, the US Internal Revenue Service (IRS), and others.
  • Attackers abuse the legitimate Keitaro Traffic Direction System (TDS) to filter researcher and sandbox traffic and redirect potential victims to cloned web pages of legitimate organizations and well-known applications.
  • If a user clicks on the Download button, a ZIP file containing a malicious Microsoft Software Installer (MSI) or Windows Installer file will be downloaded to the user’s system.
  • The file works as an initial loader, fetching the bot core, and ultimately, dropping a backdoor payload.

Evading detection

In these malvertising attacks, IcedID operators have used several methods to make detection challenging.
  • Some of the files modified to act as IcedID loaders are well-known and widely used libraries such as tcl86.dll, sqlite3.dll, ConEmuTh.x64.dll, and libcurl.dll.
  • The IcedID-modified MSI or installer files are almost identical to the legitimate version, which makes detection challenging for machine learning detection engines and whitelisting systems.
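
Because a modified library keeps its familiar name, one defensive check is to compare each such file in an unpacked installer against digests of copies obtained directly from the vendor. The following is an added example, not code from the article or from Trend Micro; the directory layout, function names and sample bytes are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Library names the article lists as having been modified into IcedID loaders.
WATCHED = {"tcl86.dll", "sqlite3.dll", "conemuth.x64.dll", "libcurl.dll"}

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_baseline(trusted_dir: Path) -> dict:
    """Map lower-cased file name -> SHA-256 digests of vendor-sourced copies."""
    baseline = {}
    for p in trusted_dir.rglob("*"):
        if p.is_file() and p.name.lower() in WATCHED:
            baseline.setdefault(p.name.lower(), set()).add(sha256_of(p))
    return baseline

def triage(extracted_dir: Path, baseline: dict) -> list:
    """Return (relative path, verdict) for each watched library in an unpacked installer."""
    findings = []
    for p in sorted(extracted_dir.rglob("*")):
        name = p.name.lower()
        if not p.is_file() or name not in WATCHED:
            continue
        known = baseline.get(name)
        if known is None:
            verdict = "no-baseline"   # nothing to compare against: review manually
        elif sha256_of(p) in known:
            verdict = "match"         # byte-identical to a trusted copy
        else:
            verdict = "mismatch"      # familiar name, different bytes: hold for analysis
        findings.append((p.relative_to(extracted_dir).as_posix(), verdict))
    return findings

def demo() -> list:
    """Run the triage over constructed sample files (placeholders, not real DLLs)."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted, unpacked = Path(tmp, "trusted"), Path(tmp, "unpacked")
        trusted.mkdir()
        unpacked.mkdir()
        (trusted / "sqlite3.dll").write_bytes(b"constructed-good-sqlite")
        (trusted / "libcurl.dll").write_bytes(b"constructed-good-curl")
        (unpacked / "sqlite3.dll").write_bytes(b"constructed-good-sqlite")
        (unpacked / "libcurl.dll").write_bytes(b"constructed-good-curl\x90")
        (unpacked / "tcl86.dll").write_bytes(b"constructed-unknown")
        return triage(unpacked, build_baseline(trusted))

if __name__ == "__main__":
    for path, verdict in demo():
        print(f"{verdict:12} {path}")
```

A mismatch can also be a different legitimate release, so the baseline needs a digest for every version actually deployed.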

Same malware with different tactics

In the past few months, cybercriminals have used IcedID to gain initial access, establish persistence on the host and perform other illicit operations.
  • In October, attackers were observed using phishing emails in Italian or English to drop IcedID via ISO files, archives, or macro-laden document attachments.
  • In September, the UAC-0098 group was seen targeting Ukrainian organizations and NGOs in Italy with IcedID and Cobalt Strike payloads.
  • In the same month, Raspberry Robin worm infections were deploying IcedID.


The threat actors behind IcedID have lately been using a wide variety of distribution methods, likely to determine what works against different targets. The relative success of the campaign leveraging Google PPC ads to push malware is worth watching. Users must look for signs of fraud or phishing sites and be cautious of any downloads from such sites.
Cyware Publisher