
A threat actor has been abusing Google Ads to distribute a trojanized version of the CPU-Z tool that delivers the Redline info-stealing malware.
The new campaign was spotted by Malwarebytes analysts who, based on the backing infrastructure, assess that it is part of the same operation that used Notepad++ malvertising to deliver malicious payloads.
Campaign details
The malicious Google advertisement for the trojanized CPU-Z, a tool that profiles computer hardware on Windows, is hosted on a cloned copy of the legitimate Windows news site WindowsReport.
CPU-Z is a popular free utility that helps users monitor various hardware components, from fan speeds to CPU clock rates, voltages, and cache details.

Clicking the ad takes the victim through a redirect step that tricks Google's anti-abuse crawlers by sending visitors deemed invalid to an innocuous website.
Those deemed valid to receive the payload are redirected to a Windows news site lookalike hosted on one of the following domains:
- argenferia[.]com
- realvnc[.]pro
- corporatecomf[.]online
- cilrix-corp[.]pro
- thecoopmodel[.]com
- winscp-apps[.]online
- wireshark-app[.]online
- cilrix-corporate[.]online
- workspace-app[.]online

The reason for using a clone of a legitimate website is to add another layer of trust to the infection chain, as users are accustomed to tech news sites hosting download links for useful utilities.

Clicking the 'Download now' button results in a digitally signed CPU-Z installer (MSI file) containing a malicious PowerShell script identified as the 'FakeBat' malware loader.

Signing the file with a valid certificate makes it unlikely that Windows security tools or third-party antivirus products running on the machine will raise a warning for the user.
The loader fetches a Redline Stealer payload from a remote URL and launches it on the victim's computer.

Redline is a powerful stealer able to collect passwords, cookies, and browsing data from a range of web browsers and applications, as well as sensitive data from cryptocurrency wallets.
To minimize the chances of malware infection when searching for specific software tools, users should pay attention when clicking promoted results in Google Search and check whether the loaded website and its domain match, or use an ad-blocker that hides promoted results automatically.
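For defenders, the domain list above and the "does the domain match the site" advice translate directly into a log sweep. The following is an added example, not code from the article or from Malwarebytes: it refangs the published campaign domains, scans constructed DNS-resolver log lines (timestamp, client IP, queried host), and flags two things: any query whose registered domain is one of the campaign indicators, and any host that carries the "windowsreport" brand but is not the legitimate windowsreport.com (the legitimate domain and the log format are assumptions made for the example). Matching on the registered domain rather than on substrings avoids false hits on, for instance, realvnc.com, which is not an indicator even though realvnc[.]pro is.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Campaign domains exactly as published in the article, defanged with "[.]".
CAMPAIGN_DOMAINS = [
    "argenferia[.]com",
    "realvnc[.]pro",
    "corporatecomf[.]online",
    "cilrix-corp[.]pro",
    "thecoopmodel[.]com",
    "winscp-apps[.]online",
    "wireshark-app[.]online",
    "cilrix-corporate[.]online",
    "workspace-app[.]online",
]

# Assumption for the lookalike heuristic: the genuine news site the clone imitates.
LEGIT_WINDOWSREPORT = "windowsreport.com"


def refang(domain: str) -> str:
    """Convert a defanged indicator such as 'example[.]com' to 'example.com'."""
    return domain.replace("[.]", ".").strip(".").lower()


IOC_SET = {refang(d) for d in CAMPAIGN_DOMAINS}


def registered_domain(host: str) -> str:
    """Last two labels of a hostname. Adequate for .com/.pro/.online;
    a production tool would use the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_host(host: str) -> Optional[str]:
    """Return a reason string if the host is suspicious, else None."""
    rd = registered_domain(host)
    if rd in IOC_SET:
        return "campaign-ioc"
    if "windowsreport" in host.lower() and rd != LEGIT_WINDOWSREPORT:
        return "windowsreport-lookalike"
    return None


@dataclass
class Hit:
    line_no: int
    client: str
    host: str
    reason: str


# Assumed log shape: "<timestamp> <client-ip> <queried-host>" per line.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<host>\S+)")


def scan_dns_log(lines: List[str]) -> List[Hit]:
    """Scan resolver log lines and return every query that matches an indicator
    or the brand-lookalike heuristic."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the sweep
        reason = classify_host(m["host"])
        if reason is not None:
            hits.append(Hit(n, m["client"], m["host"].lower(), reason))
    return hits


# Constructed sample log lines for the demonstration (not real telemetry).
SAMPLE_LOG = [
    "2023-11-09T10:01:12Z 10.0.0.21 www.windowsreport.com",
    "2023-11-09T10:01:15Z 10.0.0.21 cdn.cpuid.com",
    "2023-11-09T10:02:03Z 10.0.0.34 argenferia.com",
    "2023-11-09T10:02:05Z 10.0.0.34 download.corporatecomf.online",
    "2023-11-09T10:03:44Z 10.0.0.51 windowsreport-news.example",
    "2023-11-09T10:04:00Z 10.0.0.51 realvnc.com",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.client} -> {hit.host} [{hit.reason}]")
```

Running the block reports the two indicator hits from client 10.0.0.34 and the brand-lookalike query from 10.0.0.51, while the genuine windowsreport.com and realvnc.com queries pass untouched. The same `classify_host` check can be pointed at proxy or EDR URL telemetry, and the IoC list can be swapped for a feed without changing the matching logic.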