Last Updated: 2023-01-18 07:31:54 UTC
by Brad Duncan (Version: 1)
Google ads are a common vector for malware distribution. Do a Google search for any popular free software download. Review any search results marked "Ad" or "Sponsored," then check the link to see if anything is unusual.
I've already written two diaries and authored various tweets about this type of activity:
Others have also reported his activity. Recent posts include:
One example of free software routinely spoofed for Google ads is Notepad++. Almost without fail, I can find a fake webpage for Notepad++ every day through Google ads. For today's diary, I found a Google ad for a malicious site at notopod-plos-plus[.]com.
These fake sites copy pages from the real software sites and have links to download the malware.
The URL to download malware was notopod-plos-plus[.]com/bsdf/file.php which redirected to another URL hosting the malware. I found the redirect by using a URL shortner revealer. In this case, I used expandurl.net and found the malware hosted at hxxps://obsqroject[.]com/npp.8.4.8.Installer.x64.exe. Note the "q" in "obsqroject" in the malware download URL. The malware is 'hosted on a server impersonating the legitimate site obsproject.com.
The downloaded malware was detected by Microsoft Defender as an unrecognized app, so I had some extra clicks to run it.
Post-infection traffic caused by this malware went to a server at 79.137.133[.]225 over TCP port 8081.
Post-infection traffic consists of plain text. Text sent by the server to the infected Windows host was WORK and Accept and Thanks. Data sent by the infected Windows host to the server looks like Base64 text.
Note the server sent WORK once, Accept multiple times and Thanks twice.
This post infection traffic follows patterns seen with previous examples of Aurora Stealer malware.
Indicators of Compromise
Google ad traffic to fake Notepad++ site:
Traffic to download the malware:
Aurora Stealer post-infection traffic:
Downloaded Aurora Stealer malware sample available at:
Sandbox analysis of the Aurora Stealer malware:
Criminal groups frequently use Google ads to distribute malware. These ads frequently lead to fake sites impersonating web pages for legitimate software. In some cases, these malicious files install a copy of the legitimate software and include malware in the background. In other cases like this one, the files just run or install malware.
In most cases, Microsoft Defender warns victims these files are potentially dangerous. Unfortunately, many people click past these warnings and infect their computers.
How can we best prevent these infections? My advice is to follow best security practices and avoid ads when searching for free software downloads on Google.
brad [at] malware-traffic-analysis.net