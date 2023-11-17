Cybercriminals have exploited manipulated search results and fake Google ads to deceive users who, intending to download legitimate software such as WinSCP, were instead led to install malware (delivered through malicious advertising, in this case) of no small consequence.



How users who wanted to download WinSCP were tricked

The cybersecurity company Securonix is tracking the ongoing activity under the name SEO#LURKER.

“The malicious ad directs the user to a compromised WordPress website, gameeweb[.]com, which redirects the user to a phishing site controlled by attackers,” said security researchers Den Iuzvyk, Tim Peck and Oleg Kolesnikov in a report.

The threat actors are believed to abuse Google’s Dynamic Search Ads (DSAs), which automatically generate ad text from a site’s content, to serve malicious ads that lead victims to the compromised site.

The end goal of this multi-stage chain is to get users onto the WinSCP look-alike site, winsccp[.]net, and have them download the malware.

“Traffic from the gameeweb[.]com website to the fake winsccp[.]net site depends on whether the referrer header is set correctly,” the researchers said. “If the referrer is incorrect, the user is ‘Rickrolled’ and sent to the famous Rick Astley video on YouTube.”

The referrer check is a cloaking technique: only visitors who arrive through the ad chain receive the malicious page, while anyone opening the URL directly, such as a researcher or a crawler, is sent elsewhere.

The final payload comes in the form of a ZIP file (“WinSCP_v.6.1.zip”) containing an installer executable which, once launched, uses DLL side-loading to load and run a DLL named python311.dll bundled in the same archive.

The DLL, in turn, downloads and runs a legitimate WinSCP installer to make the deception more believable, while silently dropping Python scripts (“slv.py” and “wo15.py”) in the background to trigger the malicious behaviour; the same DLL is also responsible for establishing persistence on the host.

Both Python scripts are designed to contact a server controlled by the remote actor and receive further instructions, allowing the attackers to run enumeration commands on the host.
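The chain described above (an installer side-loading python311.dll from a user-writable directory, followed by host enumeration spawned from that same process) is the kind of sequence a SOC can correlate from endpoint telemetry. The following is an added example, not Securonix’s code: it runs two simple rules over constructed Sysmon-style JSON events and raises an alert only when both fire for the same process. The field names (EventID, ProcessGuid, ParentProcessGuid, Image, ImageLoaded, CommandLine) and the trusted-directory list are assumptions that must be mapped onto whatever your pipeline actually emits.

```python
"""Correlate DLL side-loading with follow-on host enumeration.

Added example, not code from the page or from Securonix. The events are
constructed Sysmon-like records (EventID 7 = ImageLoad, EventID 1 =
ProcessCreate); field names and trusted paths are assumptions.
"""
import json
import ntpath

# Runtime DLLs that malware commonly ships beside a benign-looking EXE so the
# EXE loads the attacker's copy instead of the real runtime.
SIDELOAD_DLLS = {"python311.dll", "python310.dll", "python39.dll"}

# Loaders for which a python3xx.dll load is expected.
EXPECTED_LOADERS = {"python.exe", "pythonw.exe"}

# Directories from which a Python runtime DLL is legitimately loaded (assumption).
TRUSTED_DIR_MARKERS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\",
    "\\appdata\\local\\programs\\python\\",
)

# Command-line fragments typical of first-stage host enumeration.
ENUM_KEYWORDS = ("whoami", "systeminfo", "ipconfig", "net user", "net group",
                 "tasklist", "nltest", "qwinsta")

# Constructed sample telemetry (not real logs). {A} is the fake installer.
SAMPLE_EVENTS = [
    r'{"EventID": 1, "ProcessGuid": "{A}", "ParentProcessGuid": "{EXPLORER}", "Image": "C:\\Users\\alice\\Downloads\\WinSCP_v.6.1\\setup.exe", "CommandLine": "setup.exe"}',
    r'{"EventID": 7, "ProcessGuid": "{A}", "Image": "C:\\Users\\alice\\Downloads\\WinSCP_v.6.1\\setup.exe", "ImageLoaded": "C:\\Users\\alice\\Downloads\\WinSCP_v.6.1\\python311.dll", "Signed": "false"}',
    r'{"EventID": 7, "ProcessGuid": "{PY}", "Image": "C:\\Program Files\\Python311\\python.exe", "ImageLoaded": "C:\\Program Files\\Python311\\python311.dll", "Signed": "true"}',
    r'{"EventID": 1, "ProcessGuid": "{C}", "ParentProcessGuid": "{A}", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami /all & systeminfo & ipconfig /all"}',
    r'{"EventID": 1, "ProcessGuid": "{D}", "ParentProcessGuid": "{ADMIN}", "Image": "C:\\Windows\\System32\\whoami.exe", "CommandLine": "whoami /all"}',
]


def parse_event(line):
    """One JSON log line -> dict."""
    return json.loads(line)


def _base(path):
    return ntpath.basename(path).lower()


def is_sideload(ev):
    """ImageLoad of a side-load candidate DLL, by a non-Python loader, from an untrusted path."""
    if ev.get("EventID") != 7:
        return False
    dll = ev.get("ImageLoaded", "")
    if _base(dll) not in SIDELOAD_DLLS:
        return False
    if _base(ev.get("Image", "")) in EXPECTED_LOADERS:
        return False
    return not any(marker in dll.lower() for marker in TRUSTED_DIR_MARKERS)


def is_enumeration(ev):
    """ProcessCreate whose command line looks like host enumeration."""
    if ev.get("EventID") != 1:
        return False
    cmd = ev.get("CommandLine", "").lower()
    return any(k in cmd for k in ENUM_KEYWORDS)


def correlate(lines):
    """Alert when an enumeration process is a child of a process that side-loaded a DLL.

    Enumeration on its own (the admin's whoami) and a legitimate python311.dll
    load on its own produce nothing; only the combination is reported.
    """
    events = [parse_event(line) for line in lines]
    sideloaded = {ev["ProcessGuid"]: ev for ev in events if is_sideload(ev)}
    alerts = []
    for ev in events:
        parent = ev.get("ParentProcessGuid")
        if is_enumeration(ev) and parent in sideloaded:
            loader = sideloaded[parent]
            alerts.append({
                "loader_guid": parent,
                "loader": loader["Image"],
                "dll": loader["ImageLoaded"],
                "child": ev["Image"],
                "command": ev["CommandLine"],
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

The trusted-directory allowlist is deliberately coarse; tune it to where your fleet actually installs Python, and treat the `Signed` field as additional weight rather than a gate, since a side-loaded DLL may or may not carry a valid signature.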

“Since the attackers were exploiting Google Ads to spread malware, it can be assumed that targets are limited to those looking for WinSCP software,” the researchers said, adding: “The use of geoblocking on the site hosting the malware suggests that those in the United States are victims of this attack.”

This isn’t the first time Google’s Dynamic Search Ads have been abused to distribute malware. At the end of last month, Malwarebytes revealed a campaign targeting users searching for PyCharm, with links to a hacked website hosting a fraudulent installer that paves the way for information-stealing malware.

Malvertising has grown considerably in popularity among cybercriminals in recent years, with numerous malware campaigns using the tactic in recent months.

Earlier this week, Malwarebytes also revealed an increase in credit card “skimming” campaigns in October 2023, estimated to have compromised hundreds of e-commerce websites with the goal of stealing financial information by injecting convincing counterfeit payment pages.

We therefore recommend that users who have accidentally run this fake WinSCP installer scan their system with Malwarebytes (or another reputable anti-malware product) in the meantime, and, more generally, that they browse with an ad blocker, which is not only a defence against advertising but much more. Beyond that, download installers only from the vendor’s official site, reached by typing the address rather than through a sponsored result, and check the installer’s digital signature before running it.
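Two of the precautions above, and the archive layout described earlier (an installer EXE beside a python311.dll in the same ZIP), can be turned into cheap pre-execution checks. The following is an added example, not the page’s or WinSCP’s code: it flags a download host that is a near-miss of a trusted vendor domain (winsccp[.]net against winscp.net) and flags an archive that pairs an EXE with a known side-load DLL. The vendor allowlist, the DLL set and the in-memory ZIP are constructed for this demo.

```python
"""Pre-execution checks for a downloaded installer archive.

Added example, not code from the page or from WinSCP. The vendor allowlist,
the side-load DLL set and the sample ZIP are constructed for the demo.
"""
import io
import posixpath
import zipfile

# Assumption: the vendor domains you actually download from.
TRUSTED_VENDOR_HOSTS = {"winscp.net", "jetbrains.com"}

# DLL names commonly planted next to an EXE to hijack its load order.
SIDELOAD_DLLS = {"python311.dll", "python310.dll", "version.dll", "dbghelp.dll"}


def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(host, trusted=TRUSTED_VENDOR_HOSTS, max_dist=2):
    """Return (trusted_host, distance) when host is a near-miss of a trusted
    vendor domain, None when it is the vendor itself or clearly unrelated.

    Simplification: only the last two labels are compared, so www.winscp.net
    reduces to winscp.net; real code should use a public-suffix list.
    """
    registered = ".".join(host.lower().strip(".").split(".")[-2:])
    if registered in trusted:
        return None
    dist, best = min((levenshtein(registered, t), t) for t in trusted)
    return (best, dist) if dist <= max_dist else None


def triage_archive(zip_bytes):
    """Flag every directory in the archive holding both an .exe and a side-load DLL."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
    by_dir = {}
    for name in names:
        directory, filename = posixpath.split(name)
        by_dir.setdefault(directory, []).append(filename.lower())
    findings = []
    for directory, files in sorted(by_dir.items()):
        exes = sorted(f for f in files if f.endswith(".exe"))
        dlls = sorted(f for f in files if f in SIDELOAD_DLLS)
        if exes and dlls:
            findings.append({"dir": directory, "exe": exes, "dll": dlls})
    return findings


def build_sample_zip():
    """Constructed archive mimicking the layout described in the article (stub contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WinSCP_v.6.1/setup.exe", b"MZ constructed stub, not a real PE")
        zf.writestr("WinSCP_v.6.1/python311.dll", b"MZ constructed stub, not a real PE")
        zf.writestr("WinSCP_v.6.1/readme.txt", b"constructed")
    return buf.getvalue()


if __name__ == "__main__":
    print("host check:", lookalike("winsccp.net"))
    print("archive check:", triage_archive(build_sample_zip()))
```

A hit from either check is a reason to stop and fetch the installer from the vendor’s own site, not proof of malice on its own: legitimate software does ship embedded Python runtimes, so the archive rule is a triage signal to be followed by a signature and hash check against what the vendor publishes.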