Someone has impersonated a well-known media publication and abused the Google Ads ad network, all to deliver the RedLine infostealer malware to people.
A new report from Malwarebytes found a fake WindowsReport website hosted on nearly a dozen different domains.
On the website, the scammers hosted a trojanized version of CPU-Z, a popular utility for Windows that allows users to monitor various hardware components such as CPU clock speeds and the like. The tool was in fact RedLine Stealer, a well-known infostealer that can exfiltrate sensitive system data, saved passwords, payment information, cookies, cryptocurrency wallet information and more.
Multiple similar campaigns
The scammers then created ads promoting this malicious version of CPU-Z and ran them on the Google Ads network. The cloning of WindowsReport was done to lend the whole campaign more legitimacy and credibility, the researchers speculate. But before users reach this website, they are taken through a series of redirects, all intended to bypass Google’s anti-abuse crawlers.
Some users are redirected to benign pages, while others – those the attackers consider suitable targets for RedLine – are redirected to the final website. Exactly how the attackers select their victims is not known.
To make matters worse, the installer is digitally signed with a valid certificate, meaning Windows security tools and other antivirus products are unlikely to flag it as malicious.
Malwarebytes analyzed the threat actor infrastructure for this campaign and concluded that it was created by the same people who recently ran the Notepad++ campaign. This campaign, spotted in late October, was similar in that it also included a copy of a legitimate website and some malicious ads served through Google Ads.
The best way to stay safe is to be extra careful when searching for products and solutions on Google, and to always check the URL in the address bar before downloading anything.
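The advice above, checking the address bar, is exactly what a cloned site relies on users skipping. The following is an added example, not code from Malwarebytes or from the article, that turns that manual check into a small URL classifier: it extracts the hostname, compares the registrable domain against a constructed allowlist (here only windowsreport.com, the brand the article says was cloned), and flags the common lookalike tricks: the real brand embedded as a subdomain of another domain, a brand name smuggled into the URL's userinfo part, and close typosquats measured by edit distance. All sample URLs are constructed for the example; none are the domains from the actual campaign, which the article does not list.

```python
from urllib.parse import urlsplit

# Constructed allowlist of domains we expect to land on. In a real deployment
# this would be the organisation's curated list of vendor download sites.
KNOWN_GOOD = {"windowsreport.com"}

# Maximum edit distance at which a registrable label counts as a typosquat.
TYPO_THRESHOLD = 2


def _levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,          # deletion
                           cur[j - 1] + 1,       # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname (example.com for www.example.com).

    Assumption: none of the allowlisted domains sit under a multi-part public
    suffix such as co.uk; a production tool would use a public-suffix list.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url: str) -> str:
    """Classify a URL as 'known-good', 'lookalike', 'unknown' or 'invalid'."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if not host:
        return "invalid"

    # user@host tricks: https://windowsreport.com@evil.example/ shows the brand
    # first but actually connects to evil.example.
    if parts.username is not None:
        return "lookalike"

    reg = registrable_domain(host)
    if reg in KNOWN_GOOD:
        return "known-good"

    for good in KNOWN_GOOD:
        brand = good.split(".")[0]
        # Brand used as a subdomain or label of some other domain,
        # e.g. windowsreport.com.cdn-example.net.
        if good in host or brand in host:
            return "lookalike"
        # Typosquat of the brand label, e.g. windowsreprot.net.
        if _levenshtein(reg.split(".")[0], brand) <= TYPO_THRESHOLD:
            return "lookalike"

    return "unknown"


if __name__ == "__main__":
    # Constructed sample URLs (not the campaign's real domains).
    for sample in [
        "https://windowsreport.com/some-article",
        "https://www.windowsreport.com/",
        "https://windowsreport.com.cdn-example.net/download",
        "https://windowsreport.com@evil.example/",
        "https://windowsreprot.net/cpu-z",
        "https://example.org/",
    ]:
        print(f"{classify_url(sample):11s} {sample}")
```

The classifier is deliberately biased toward flagging: a brand name appearing anywhere in a hostname that does not resolve to the allowlisted registrable domain is treated as a lookalike, which is the right trade-off for a download-site check where a false positive costs a second look and a false negative costs a RedLine infection.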