Hackers Exploit Google Ads Tracking Feature To Deliver Malware

Google Ads is a big platform with a wide user base, which makes it attractive to threat actors who want to reach many targets at once.

These malicious ads can also be created or legitimate ones hijacked to spread malware, phishing scams, and other malicious content around.

The complex ad targeting options on Google Ads enable hacking groups to specifically target some demographics, locations, or interests which increases the chances of success.

Google Ads’ pay-per-click model could be deployed for fraudulent actions like click fraud or draining advertising budgets. Given the Google Ads industry’s complexity and widespread reach, detecting and preventing such threats is difficult.

AhnLab Security Intelligence Center (ASEC) has recently discovered that hackers are actively exploiting the Google Ads Tracking feature to deliver malware.

Hackers Exploit Google Ads Tracking

AhnLab discovered malware disguised as popular groupware installers like Notion and Slack, distributed via Google Ads tracking. Upon execution, it fetches malicious payloads from attacker servers.

While the identified malicious file names include:-

Notion_software_x64_.exe
Slack_software_x64_.exe
Trello_software_x64_.exe
GoodNotes_software_x64_32.exe

The ad example shows a tracking URL hidden from users. Clicking the visible banner redirects users to the concealed tracking template URL rather than the displayed final URL.

The hackers abused the Google Ads tracking feature, which is intended for website traffic analysis, to distribute malware from a malicious site instead of legitimate analytics.

When active, the malicious ad redirected clickers to download harmful files under false pretenses before its removal.

Here below we have mentioned the redirection address:-

1. hxxps://www.googleadservices[.]com/pagead/aclk? sa=L&ai=DChcSEwjvxY_g38yEAxX96RYFHbN_DHwYABAAGgJ0bA&ase=2&gclid=CjwKCAiArfauBhApEiwAeoB7qFTSv58y3y V4nTuE_ptW9t-YIT1- Y_jH70VIcuKX3qsNu9u5d2TplRoCKDwQAvD_BwE&ohost=www.google.com&cid=CAESVeD21RQt4fRwNUkcEV8_EYQ96O MpQS8F7ZevrgG_k_jZewow_akDRbQ3vK-L7r7Z7yVUCyf4YKpyZrJCjoIkJjEcGbU1LviHlcWC8x9hRsFbAGy8Sbc&sig=AOD64_3Ho3r-SX_3edPZOWfLXPSWeCY1SQ&q&nis=6&adurl&ved=2ahUKEwibkYng38yEAxWScPUHHRJlCjAQ0Qx6BAgFEAE

2. hxxps://pantovawy.page[.]link/jdF1/?url=https://www.notion.so/pricing%3Fgad_source%3D1&id=8

3. hxxps://cerisico[.]net/

Here below we have mentioned the final landing page:-

hxxps://notione.my-apk[.]com

The final landing page mimicked legitimate groupware sites, tricking visitors into downloading and running the malware.

While post-execution, the malware fetched malicious payload addresses from text-sharing sites like tinyurl.com and textbin.net.

These shared URLs then provided the actual malware download links hosted on compromised domains like slashidot.org, yogapets.xyz, bookpool.org, and birdarid.org, completing the multi-stage infection process.

The Rhadamanthys infostealer malware fetched from the malicious links gets injected into legitimate Windows %system32% files like dialer.exe, openwith.exe, dllhost.exe, and rundll32.exe.

Running via trusted binaries allows it to stealthily steal private data.

This case confirms attackers exploit Google Ads and other search engine ad tracking to distribute malware. Users should carefully verify the URL when accessing sites, and not trust the advertised banner URL.

IoCs

MD5s

9437c89a5f9a51a4ff6d6076083fa6c9
12b6229551fbb1dcb2823bc8b611300f
33aa3073d148816e9e8de0af4f84582e
f0a3499f83d2d9066ab19d39b9af6696
2498997ab3e66e24bc08d044e0ef4418
f2590ece758eb32302c504ac3ff413f4
eef03c8cd2f27ead8b2d59d5cda4cf6e
9034cf58867961cde08a20cb1057c490
f7200603cb8aa9e2b544255ed848c9c0

URLs

hxxp://tinyurl[.]com/4jnvfsns
hxxp://tinyurl[.]com/4a3uxm6m
hxxps://textbin[.]net/raw/oumciccl6b
hxxp://tinyurl[.]com/mrx7263e
hxxp://tinyurl[.]com/253x7rnn
hxxps://slashidot[.]org/@abcDP.exe
hxxps://yogapets[.]xyz/@abcmse1.exe
hxxps://bookpool[.]org/@Base.exe
hxxp://birdarid[.]org/@abcDS.exe
hxxps://alternativebehavioralconcepts[.]org/databack/notwin.php
hxxps://pantovawy.page[.]link/jdF1/?url=https://www.notion.so/pricing%3Fgad_source%3D1&id=8
hxxps://cerisico[.]net/