Attackers leverage Google Ads to spread the LOBSHOT malware

May 19, 2023

A new malicious campaign adds to the recent wave of attacks that abuse Google Ads. Researchers found that the threat operators used the platform to promote fake websites impersonating legitimate software downloads and application updates, luring unsuspecting users into installing the LOBSHOT malware on their systems.

Researchers attribute the new malware infrastructure to a notorious cybercriminal group with ties to Dridex, Necurs, and Locky: TA505. This well-known threat group has therefore joined the other groups already abusing Google Ads to distribute malware.

Because the campaign began months ago, the LOBSHOT malware may already have infected a large number of users.

Multiple infection chains, including the LOBSHOT malware, targeted users looking for legitimate software downloads on Google earlier this year.

In one scenario, the threat actors placed a malicious Google search ad impersonating the AnyDesk remote desktop application to lure unsuspecting users. The landing page in that attack was a near-identical copy of the legitimate website it spoofed, and its Download Now button pointed users to an MSI installer.

Once the user downloads and runs that installer, LOBSHOT is executed on the system. The threat actors likely use LOBSHOT for financial gain, since its capabilities resemble those of banking trojans, info stealers, and cryptojackers.
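The infection chain above (ad click, lookalike landing page, installer download) leaves a recognisable trace in web proxy logs: an installer fetched from a host that carries a well-known vendor's brand name but is not that vendor's real domain, often reached via an ad click. The following scanner is an added illustration, not code from the article or from the researchers who analysed LOBSHOT. The log format, the lookalike hostnames, the vendor-to-domain mapping and the ad-referrer heuristic are all assumptions constructed for the example; the real campaign's domains are not given on this page.

```python
"""Flag installer downloads that look like malvertising lures.

Constructed example: a proxy-log scanner that flags .msi/.exe downloads from
hosts containing a known software brand name that are NOT that vendor's real
domain, and records whether the download was reached via an ad click (a gclid
parameter or an ad-serving referrer). Vendor domains, referrer heuristics and
the sample log lines are assumptions made for illustration only.
"""
from urllib.parse import urlparse, parse_qs

# Assumed legitimate domains per brand keyword (adjust for your environment).
VENDOR_DOMAINS = {
    "anydesk": ("anydesk.com",),
    "teamviewer": ("teamviewer.com",),
}
INSTALLER_EXT = (".msi", ".exe")
# Assumed ad-serving hosts that commonly appear as the referrer of an ad click.
AD_REFERRER_SUFFIXES = ("googleadservices.com", "googlesyndication.com")


def is_vendor_host(host, allowed):
    """True if host is exactly an allowed domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def came_via_ad(*urls):
    """True if any URL carries a gclid parameter or points at an ad-serving host."""
    for u in urls:
        p = urlparse(u)
        if "gclid" in parse_qs(p.query):
            return True
        if (p.hostname or "").lower().endswith(AD_REFERRER_SUFFIXES):
            return True
    return False


def classify_download(url, referrer=""):
    """Return a finding for a lookalike installer download, or None."""
    p = urlparse(url)
    path = p.path.lower()
    if not path.endswith(INSTALLER_EXT):
        return None
    host = (p.hostname or "").lower()
    for brand, allowed in VENDOR_DOMAINS.items():
        if brand in host and not is_vendor_host(host, allowed):
            return {
                "brand": brand,
                "host": host,
                "file": path.rsplit("/", 1)[-1],
                "via_ad": came_via_ad(url, referrer),
            }
    return None


# Constructed proxy log lines: "<timestamp> <user> <url> <referrer or ->".
# The lookalike hosts are invented placeholders, not real campaign domains.
LOG_LINES = [
    "2023-01-15T10:01:02Z alice https://anydesk.com/en/downloads/windows/AnyDesk.exe -",
    "2023-01-15T10:05:44Z bob https://anydesk-download.com/AnyDesk.msi "
    "https://www.googleadservices.com/pagead/aclk?gclid=EAIaIQ",
    "2023-01-15T10:07:10Z carol https://anydesk.com.setup-center.net/download/AnyDesk.msi -",
    "2023-01-15T10:09:31Z dave https://anydesk-download.com/index.html https://www.google.com/",
]


def scan_log(lines):
    """Parse the constructed log format and return a list of findings."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line; a real parser would log this
        ts, user, url, referrer = parts
        if referrer == "-":
            referrer = ""
        finding = classify_download(url, referrer)
        if finding:
            finding.update({"time": ts, "user": user})
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(LOG_LINES):
        how = "ad-click" if f["via_ad"] else "direct"
        print(f"{f['time']} {f['user']}: {f['file']} from {f['host']} "
              f"(impersonates {f['brand']}, {how})")
```

Run as-is it flags bob's MSI from the brand-bearing lookalike host reached through an ad click and carol's MSI from a host that merely prefixes the vendor's real domain; alice's download from the genuine domain and dave's plain page view are left alone. The brand-keyword match is deliberately broad; in production the allowlist would be fed from an asset inventory and the finding would be enriched with the file hash before anyone acts on it.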

It targets around 32 Chrome wallet extensions, 11 Firefox wallet extensions, and nine Edge wallet extensions, allowing the threat actors to steal cryptocurrency funds. Its most notable capability, however, is its hVNC (hidden VNC) component, which gives the operators remote control of the infected desktop through a hidden window the user never sees, and which AV solutions struggle to detect.

The surge of malware campaigns delivered through Google Ads, LOBSHOT among them, shows that malicious actors will keep exploring new strategies to expand their attack capabilities. Malware strains like this one let threat actors move quickly through the initial stage of an attack and gain complete remote control of infected systems.

Organisations should prepare defences against these attacks now, since the campaign could still expand its targeting to large corporations.
