Attackers Abuse Google Ad Feature to Target Slack, Notion Users

Published: 23/11/2024   Category: security




Campaign distributes malware disguised as legitimate installers for popular workplace collaboration apps by abusing a traffic-tracking feature.



Attackers are once again abusing Google Ads to target people with info-stealing malware, this time using an ad-tracking feature to lure corporate users with fake ads for popular collaborative groupware such as Slack and Notion.
Researchers from AhnLab Security Intelligence Center (ASEC) discovered a malicious campaign that uses a statistical feature to embed URLs that distribute malware, including the Rhadamanthys stealer, they revealed in a blog post published this week. The feature lets advertisers insert external analytics website addresses into ads to collect and use their visitors' access-related data to calculate ad traffic.
However, instead of inserting a URL for an external statistics site, attackers are abusing the feature to enter sites for distributing malicious code, the researchers found.
Ads related to the campaign have already been deleted. But when they were still active, clicking on the banner would take unsuspecting users to the address that would trick them into downloading a malicious file, according to ASEC.
In the campaign, Rhadamanthys is disguised as an installer for popular groupware often used by corporate teams for workplace collaboration. Once the malware is installed and executed, it downloads malicious files and payloads from the attackers' server.
The ASEC post breaks down how attackers crafted the campaign to show banner ads that contain tracking URLs invisible to the end user that redirect users to an attacker-created and -controlled URL. This ultimate landing page is similar to the actual website of a groupware tool such as Slack or Notion, and it prompts visitors to download and execute the malware, which is distributed in an installer form.
Typical installers used by the campaign are the Inno Setup installer or Nullsoft Scriptable Install System (NSIS) installer; specifically, attackers used the following executable files: Notion_software_x64_.exe; Slack_software_x64_.exe; Trello_software_x64_.exe; and GoodNotes_software_x64_32.exe.
Once it is executed, the malware uses websites that can save texts such as textbin or tinyurl to access the malicious payload addresses, ASEC said in its blog post, which lists the URLs attackers used to fetch these addresses, which are subsequently delivered to users.
The ultimate payload of the campaign is the Rhadamanthys stealer, which gets injected into legitimate Windows files via the %system32% path, according to ASEC. This allows the stealer to exfiltrate users' private data without their knowledge, the researchers noted.
Rhadamanthys is popular with attackers and is available for purchase on the Dark Web under a malware-as-a-service model. It acts as a typical stealer to collect system information, such as computer name, username, OS version, and other machine details. It also queries the directories of installed browsers — including Brave, Edge, Chrome, Firefox, Opera Software — to search for and steal browser history, bookmarks, cookies, auto-fills, login credentials, and other data.
The campaign is certainly not the first time that attackers have abused Google Ads and its associated features to deliver Rhadamanthys and other malware, and it likely won't be the last. In fact, a campaign identified in January 2023 also used website redirects from Google Ads and fake-download lures for popular remote-workforce software, such as Zoom and AnyDesk, to deliver Rhadamanthys.
Attackers have even abused the dynamic search ads feature of the service to amplify the effect of malicious campaigns by creating targeted ads to deliver a flood of malware.
Indeed, as all search engines that provide tracking to calculate ad traffic can be used to distribute malware, users must stay vigilant when accessing links from ads delivered by Google, ASEC warned. Specifically, to avoid falling for a malicious campaign, they should pay attention to the URL that is seen upon accessing the website, not the URL that is shown on the ad banner, according to the post.
ASEC also posted a comprehensive list of URLs associated with various stages of the campaign to help administrators identify if any corporate users have been affected by it.
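As an added illustration (not code from ASEC or the article), a small Python check that a defender could run over web-proxy logs: it applies the article's advice of trusting the URL actually reached rather than the one on the ad banner, flagging downloads of files named like the campaign's lure installers from any host that is not the vendor's own domain. The log format, the vendor-domain allowlist and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Installer names reported in the ASEC post (Notion_software_x64_.exe,
# Slack_software_x64_.exe, Trello_software_x64_.exe, GoodNotes_software_x64_32.exe)
# generalised into one filename pattern.
LURE_NAME = re.compile(
    r"^(Notion|Slack|Trello|GoodNotes)_software_x64_[A-Za-z0-9]*\.exe$", re.IGNORECASE)

# Assumed allowlist of legitimate vendor domains (subdomains included); adjust locally.
VENDOR_HOSTS = {"slack.com", "notion.so", "trello.com", "goodnotes.com"}

# Constructed proxy log: "<timestamp> <client-ip> <method> <url> <status>".
SAMPLE_LOG = [
    "2024-11-20T09:58:01Z 10.0.0.5 GET https://www.notion.so/desktop 200",
    "2024-11-20T10:01:12Z 10.0.0.5 GET https://dl.lure-host.example/files/Notion_software_x64_.exe 200",
    "2024-11-20T10:03:40Z 10.0.0.9 GET https://cdn.lure-host.example/Slack_software_x64_.exe 200",
    "2024-11-20T10:05:02Z 10.0.0.9 GET https://trello.com/Trello_software_x64_.exe 200",
    "2024-11-20T10:07:33Z 10.0.0.12 GET https://cdn.lure-host.example/GoodNotes_software_x64_32.exe 200",
]


def parse_line(line):
    """Split one constructed proxy-log line into its fields."""
    ts, client, method, url, status = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url, "status": int(status)}


def host_matches(host, allow):
    """True when host equals an allowlisted domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in allow)


def suspicious_downloads(lines):
    """Return (client, host, filename) for lure-named installers fetched from non-vendor hosts."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        parsed = urlparse(rec["url"])
        filename = parsed.path.rsplit("/", 1)[-1]
        if not LURE_NAME.match(filename):
            continue  # not one of the campaign's installer names
        host = parsed.hostname or ""
        if host_matches(host, VENDOR_HOSTS):
            continue  # the vendor's own domain: a real installer, not a lure
        hits.append((rec["client"], host, filename))
    return hits


if __name__ == "__main__":
    for client, host, name in suspicious_downloads(SAMPLE_LOG):
        print(f"{client} downloaded {name} from {host}")
```

The same filename pattern can be matched against endpoint file-creation events, which catches the installer even when the download was not proxied.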
