Uptick in Malvertising Attacks via Google Ads
Instances of “malvertising” have spiked significantly over the last few months, to the point where downloading software from a Google search result carries real risk. Cybercriminals have been buying Google Ads to push fake download pages for popular software into the sponsored slots at the top of Google search results.
The alarm was first raised by volunteers at Spamhaus on the 2nd of February. In the past month, they have found fake download pages for popular software such as Microsoft Teams, Slack, Adobe Reader, Gimp, OBS, Tor, and Thunderbird — right at the top of search result pages via Google Ads.
XLoader, Formbook, AuroraStealer, IcedID, Meta Stealer, RedLine Stealer, and Vidar are just some of the malware families behind the upsurge. Previously, these families infected devices through Microsoft Office documents carrying malicious macros. Since Microsoft began blocking macros by default in Office files downloaded from the internet, cybercriminals have been forced to find new delivery methods, and paid search placement is one of them.
SentinelLabs, the research arm of SentinelOne, observed virtualized .NET malware loaders being distributed through these malvertising campaigns. Dubbed MalVirt by SentinelLabs, the loaders employ an unusually large number of anti-analysis and anti-detection techniques.
The MalVirt loaders SentinelLabs described deploy XLoader, an infostealer that harvests personal data from infected devices and also serves as a staging platform for additional malware.
In one example, SentinelLabs found this combination of MalVirt loaders and XLoader on fake download pages for the 3D creation suite Blender. Google Ads pushed these pages to the top of the results for the query “Blender 3D”.
When approached by Ars Technica for an interview, Google representatives declined, issuing the following statement instead:
“Bad actors often employ sophisticated measures to conceal their identities and evade our policies and enforcement. To combat this over the past few years, we’ve launched new certification policies, ramped up advertiser verification, and increased our capacity to detect and prevent coordinated scams. We are aware of the recent uptick in fraudulent ad activity. Addressing it is a critical priority and we are working to resolve these incidents as quickly as possible.”
Ars Technica found several more instances of ad-delivered downloads that engines on VirusTotal flagged as malicious, including for the searches “Thunderbird,” “Tor download,” and “visual studio download.”
Cybercriminals have consistently devised new ways around Google's decades-long efforts to keep harmful sites out of ads and search results. Treat a sponsored result as untrusted: go to the vendor's site directly, confirm that the download host is the vendor's own domain and not a lookalike, and verify the published checksum or code signature of an installer before running it.
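The two checks above can be scripted. The following is an added example, not code from the article, SentinelLabs, or any vendor; the domain allowlist and the sample bytes are assumptions for illustration, and the checks are meant to run before an installer fetched from a search-result link is executed. The host check deliberately handles the tricks lookalike pages rely on: a vendor name used as a prefix of another domain, userinfo before an `@`, uppercase or trailing-dot hosts, and Unicode homoglyphs (normalised to punycode so they cannot match).

```python
"""Pre-download checks for software reached via a search result or ad.

Added example (not from the article or any vendor). Two checks a
practitioner would run before trusting a download link:

 1. The host of the link must be the vendor's real domain (or a
    subdomain of it), never a lookalike.
 2. The downloaded bytes must match the vendor-published SHA-256.

The allowlist below is an assumption for illustration; build your own
from the vendors' documentation.
"""
import hashlib
import hmac
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Assumed allowlist: registrable domains the vendors actually serve downloads from.
TRUSTED_DOWNLOAD_DOMAINS = {
    "blender.org",
    "mozilla.org",
    "torproject.org",
}


def normalize_host(url: str) -> Optional[str]:
    """Return the lowercase ASCII (IDNA) host of `url`, or None if unusable."""
    parts = urlsplit(url)
    if parts.scheme != "https":  # plain http can be tampered with in transit
        return None
    # .hostname drops userinfo ("vendor@evil"), port and brackets, and lowercases
    host = parts.hostname
    if not host:
        return None
    host = host.rstrip(".")  # "blender.org." is the same name as "blender.org"
    try:
        # Unicode homoglyphs become xn-- labels and therefore never match the allowlist
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    return host


def is_trusted_download_url(url: str, allow: Iterable[str] = TRUSTED_DOWNLOAD_DOMAINS) -> bool:
    """True only if the URL is https and its host is an allowlisted domain or subdomain."""
    host = normalize_host(url)
    if host is None:
        return False
    for domain in allow:
        # Require a label boundary: "evilblender.org" must not match "blender.org"
        if host == domain or host.endswith("." + domain):
            return True
    return False


def sha256_matches(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the file's SHA-256 with the vendor-published hash."""
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, expected_hex.strip().lower())


if __name__ == "__main__":
    # Constructed sample links: one genuine-looking, the rest typical lookalikes.
    for link in (
        "https://www.blender.org/download/",
        "https://blender.org.download-mirror.example/",
        "https://blender.org@download-mirror.example/setup.exe",
        "https://evilblender.org/",
        "http://www.blender.org/download/",
    ):
        print(f"{is_trusted_download_url(link)!s:5}  {link}")
```

The hash check only helps when the expected digest comes from the vendor's own site over HTTPS, not from the page that served the installer; a fake download page will happily publish a hash that matches its own payload.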