
“Hey, This Isn’t the Right Site!” Distribution of Malware Exploiting Google Ads Tracking

Submitted by Style Pass, 2024-04-02 13:30:03

AhnLab SEcurity intelligence Center (ASEC) has recently detected a malware strain being distributed through the Google Ads tracking feature. In the confirmed cases, the malware is disguised as an installer for popular groupware such as Notion and Slack. Once the malware is installed and executed, it downloads malicious files and payloads from the attacker’s server. Below is the list of the file names that have been discovered so far.

This type of malware is distributed in installer form, usually as an Inno Setup installer or a Nullsoft Scriptable Install System (NSIS) installer. Among them, the Notion_software_x64_.exe file was, until recently, shown to users who searched Google with the keyword “notion”.

The attacker used Google Ads tracking to trick users into thinking they were accessing a legitimate website. Google Ads tracking lets advertisers insert the addresses of external analytics websites, which collect visitors’ access-related data and use it to calculate ad traffic. The following figures are examples of the final URL and the tracking template URL that are entered into a Google Ad.
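An added example, not from the ASEC post: one way a reviewer of an ad account could audit final URL / tracking template pairs for a first hop that does not belong to the advertised site. The URLs, the `APPROVED_TRACKERS` allowlist and the function names are constructed for illustration; `{lpurl}` and its variants are the Google Ads ValueTrack placeholders for the final URL.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist: click-measurement hosts the organisation really uses.
APPROVED_TRACKERS = {"tracker.example.net"}
# ValueTrack placeholders that Google Ads replaces with the ad's final URL.
LPURL_TOKENS = ("{lpurl}", "{unescapedlpurl}", "{escapedlpurl}")


def site(host):
    """Naive registrable domain: last two labels (no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def audit_ad(final_url, tracking_template):
    """Return findings for one ad's final URL / tracking template pair."""
    findings = []
    final_host = urlsplit(final_url).hostname or ""
    template = tracking_template.strip().lower()
    if template.startswith(LPURL_TOKENS):
        return findings  # click goes straight to the final URL, plus parameters
    first_hop = urlsplit(template).hostname or ""
    if not first_hop:
        return ["tracking template has no parseable host"]
    # The first hop receives the click, so it decides where the user lands.
    if site(first_hop) != site(final_host) and first_hop not in APPROVED_TRACKERS:
        findings.append(
            f"first hop {first_hop} is unrelated to final URL host {final_host}")
    if not any(token in template for token in LPURL_TOKENS):
        findings.append(
            "template never references the final URL; landing page is set by the first hop")
    return findings


# Constructed sample ads: (final URL shown to the user, tracking template).
SAMPLE_ADS = [
    ("https://www.example.com/product", "{lpurl}?utm_source=google"),
    ("https://www.example.com/product", "https://tracker.example.net/c?u={lpurl}"),
    ("https://www.example.com/product", "https://click.example.org/go?id=123"),
]

if __name__ == "__main__":
    for final_url, template in SAMPLE_ADS:
        result = audit_ad(final_url, template)
        print(template, "->", result or "ok")
```

A clean result only means the first hop is the advertised site or an approved tracker; it does not vouch for what that host redirects to afterwards.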
