One of the most important skills of any Internet user is the ability to distinguish between advertising and organic links. A core reason for that is that advertising is regularly abused for malvertising campaigns.
Malvertising refers to ads that in one way or another attack the user or the user’s device. A simple example is a download ad that pushes a malicious file onto the user’s system.
Security researchers at ReasonLabs have discovered a malvertising campaign that has been around for at least three years.
The details:
- Polymorphic campaign that installs Chrome and Edge extensions on endpoints.
- Uses multiple attacks, including search hijacking, stealing private data, or executing commands on the user’s device.
- At least 300,000 users have fallen victim to the campaign so far.
How the attack works
The attackers use advertising to push malicious downloads. They use fake download sites for legitimate applications such as YouTube, VLC, or Roblox FPS Unblocker.
Users who fall for this, you guessed it, download a malicious payload to their systems. Here is what happens next:
- The executable creates a scheduled task that runs a PowerShell script.
- The PowerShell script downloads a payload from a remote server and runs it on the user's machine.
- It then starts making changes to the user's system:
- Adds browser policies that force-install extensions (malicious ones) for Chrome and Edge from the browser's extension store.
- Some versions of the script also uninstall browser updates.
- Tampers with the browser's .lnk shortcut file so that the browser starts with another extension loaded, which communicates with a control server and steals search queries.
- Communicates with the command-and-control server for status reports and the next stage of execution.
The script blocks uninstallation of the installed extensions, even with the browser's Developer Mode turned on. Because the extensions are pushed through enterprise policy, users will also see the "your browser is managed by your organization" message; on a home machine that is not managed by anyone, this banner, like any unexpected entries on chrome://policy or edge://policy, is itself a red flag.
The blog post offers a deep dive, which interested or affected users may check out. There is also a section on removing the malware from infected hosts.
This involves:
- Removing the scheduled tasks.
- Removing the planted Registry keys.
- Deleting the malicious files.
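As an added example (it is not from the ReasonLabs post and not their removal script), the following PowerShell audit enumerates the three kinds of artifacts the infection chain above leaves behind and the removal steps target: scheduled tasks whose action launches PowerShell or contains a download or encoded command, the ExtensionInstallForcelist policy keys that force-install extensions and trigger the "managed by your organization" banner, and Chrome/Edge .lnk shortcuts that carry extra command-line arguments. The registry paths are the documented Chrome and Edge policy locations; the task and shortcut heuristics and the shortcut directories searched are my assumptions, not indicators from the campaign, so a hit is a lead to verify, not a verdict. Findings are only listed, and the removal commands run with -WhatIf so nothing is deleted until you remove that switch.

```powershell
# Added example: audit a Windows host for the artifact types described above.
# Not the ReasonLabs removal procedure. The policy paths are Chrome's and Edge's
# documented policy registry locations; everything else is a generic heuristic.
# Run from an elevated PowerShell and review findings before removing anything.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($Kind, $Where, $Detail) {
    $findings.Add([PSCustomObject]@{ Kind = $Kind; Where = $Where; Detail = $Detail })
}

# 1. Scheduled tasks whose action launches PowerShell or carries a download or
#    encoded command (the dropper's persistence). Pattern is an assumption.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"   # empty for COM-handler actions
        if ($cmd -match 'powershell|pwsh|DownloadString|DownloadFile|Invoke-WebRequest|-enc') {
            Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $cmd
        }
    }
}

# 2. Force-installed extensions. These keys are how enterprise admins push
#    extensions; any entry on an unmanaged home machine is suspect.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
)
foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -notmatch '^PS') {   # skip PSPath/PSParentPath/... metadata
            Add-Finding 'ForcedExtension' $key "$($p.Name) = $($p.Value)"
        }
    }
}

# 3. Chrome/Edge shortcuts that start the browser with extra arguments
#    (for example --load-extension=...). The directories searched are an assumption.
$shell = New-Object -ComObject WScript.Shell
$shortcutDirs = @(
    "$env:USERPROFILE\Desktop",
    "$env:PUBLIC\Desktop",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
)
foreach ($dir in $shortcutDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($lnkFile in Get-ChildItem -Path $dir -Filter *.lnk -Recurse -ErrorAction SilentlyContinue) {
        $lnk = $shell.CreateShortcut($lnkFile.FullName)
        if ($lnk.TargetPath -match 'chrome\.exe$|msedge\.exe$' -and $lnk.Arguments.Trim().Length -gt 0) {
            Add-Finding 'TamperedShortcut' $lnkFile.FullName $lnk.Arguments
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No matching scheduled tasks, forced-extension policies or tampered shortcuts found.'
} else {
    $findings | Format-Table -AutoSize -Wrap | Out-Host
}

# Removal, dry run: remove -WhatIf once you have confirmed a finding is malicious.
foreach ($f in $findings) {
    switch ($f.Kind) {
        'ScheduledTask' {
            Get-ScheduledTask | Where-Object { "$($_.TaskPath)$($_.TaskName)" -eq $f.Where } |
                Unregister-ScheduledTask -Confirm:$false -WhatIf
        }
        'ForcedExtension'  { Remove-Item -Path $f.Where -Recurse -WhatIf }
        'TamperedShortcut' { Remove-Item -Path $f.Where -WhatIf }
    }
}
```

Two caveats a practitioner should keep in mind: legitimate software (OEM tools, some Microsoft tasks) also schedules PowerShell, so step 1 needs a look at the actual command line before anything is removed; and both browsers can force-install extensions through the broader ExtensionSettings policy as well, so chrome://policy and edge://policy remain the authoritative view of what is applied, whatever this audit finds in the registry.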
Closing Words
The security researchers note that many of the domains, extensions, and scripts used in the campaign were not detected as malicious at the time of writing. According to the blog post, Google and Microsoft have been notified.
Which brings us right back to the beginning. In many cases, ads are not easily distinguishable from organic results. Google, for instance, marks ads only with a small "Sponsored" label above them; in every other respect they look exactly like organic results.
While experienced users may not have any problems differentiating between the two, less tech-savvy users fall for these.
So, if you want to improve your security, take a good look at links before you click. If you want to be safer still, do not click on ads 🙂
I think a better piece of advice would be to never allow ads to load in a user’s browser in the first place. Always use a recognized adblocker like uBlock Origin with the appropriate filters enabled, or a dedicated adblocker like Adguard.
But I wonder to what degree YouTube is complicit in the ads it accepts which, when added to videos, may encourage users to inadvertently download malware.