Ads from Google distribute malware by pushing a Google Authenticator app.

Aug 14, 2024

CTRL S SOLUTIONS

Google has fallen victim to its own ad platform, allowing threat actors to create bogus Google Authenticator ads that promote the DeerStealer information-stealing malware.

For years, malicious advertising (malvertising) operations have targeted the Google search platform, with threat actors creating ads that impersonate well-known software sites in order to install malware on users' machines.

To make matters worse, threat actors have been able to generate Google search ads that display authentic domain names, lending credibility to the advertisement.

Malwarebytes discovered a new malvertising campaign in which threat actors produced ads for Google Authenticator that appeared when users searched for the software on Google.

The use of 'google.com' and "https://www.google.com" as the displayed click URL, which is plainly not permitted when an advertisement is created by a third party, adds to the ad's credibility.

We've seen this incredibly effective URL cloaking method in previous malvertising operations for KeePass, Arc browser, YouTube, and Amazon. Nonetheless, Google continues to fail to recognize when these impostor ads are created.

Malwarebytes noted that Google had verified the identity of this advertiser, which highlights another weakness in the ad ecosystem that threat actors exploit.

When approached about the malvertising effort, Google informed BleepingComputer that they had blocked the phony advertiser identified by Malwarebytes.

When asked how threat actors can run ads impersonating legitimate companies, Google explained that they avoid detection by creating thousands of accounts at the same time and by using text manipulation and cloaking to show reviewers and automated systems a different website than a regular visitor would see.

Google added that it is expanding its automated tools and human review teams to help discover and remove these illicit campaigns. According to the company, these efforts enabled it to remove 3.4 billion ads, block over 5.7 billion ads, and suspend over 5.6 million advertiser accounts by 2023.

Fake Google Authenticator sites:

When a visitor clicks on the fraudulent Google Authenticator advertisement, they are taken through a sequence of redirections to the landing site "chromeweb-authenticators.com," which impersonates a legitimate Google portal.

Malware analysis sandbox firm ANY.RUN also observed this campaign and shared other landing pages on X. These include domains with similar names, such as authenticcator-descktop[.]com, chromstore-authentificator[.]com, and authentificator-google[.]com.

When you click the 'Download Authenticator' button on one of the bogus sites, it downloads a signed file called "Authenticator.exe" [VirusTotal] from GitHub.

The malware's GitHub repository is named 'authgg' and its owner is 'authe-gogle', both of which are names chosen to match the campaign's theme.

The sample Malwarebytes downloaded was signed by 'Songyuan Meiying Electronic Products Co., Ltd.' one day before it was downloaded, while ANY.RUN had previously obtained a payload signed by 'Reedcode Ltd.'

The valid code signature lends the file trust in Windows, potentially circumventing security measures and allowing it to run on the victim's system without a warning.

When you run the download, it will launch the DeerStealer malware, which steals credentials, cookies, and other information from your web browser.

Users wishing to download software should avoid clicking on promoted Google Search results, use an ad blocker, and bookmark the URLs of the software projects they use frequently.

Before downloading a file, verify that the URL you are using matches the project's official domain. Also, before running any downloaded file, always scan it with an up-to-date antivirus application.
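The URL check recommended above, written out as an added example (this is not code from the page, Malwarebytes or ANY.RUN): it classifies the actual landing URL against a constructed allowlist of official domains and flags the kind of lookalike hostnames seen in this campaign, including the subdomain trick where a brand name is placed in front of an attacker-controlled domain. The allowlist, brand terms and threshold are assumptions, and the domain parsing is simplified (no public suffix list).

```python
"""Classify a software download URL as official, lookalike, unknown or invalid."""
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed allowlist: the only registrable domain we accept for Google Authenticator.
# Note that github.com is deliberately absent; a well-known host is not the vendor's domain.
OFFICIAL_DOMAINS = {"google.com"}
# Brand terms that lookalike domains in this campaign borrowed or misspelled (assumed list).
BRAND_TERMS = ("google", "authenticator", "chrome")
# Similarity at or above this value is treated as a typosquat of a brand term (assumed).
LOOKALIKE_THRESHOLD = 0.8


def registrable_domain(host: str) -> str:
    """Last two labels of the host, e.g. 'chromeweb-authenticators.com'.
    Simplified: a production tool should consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def brand_similarity(token: str) -> float:
    """Highest character-level similarity between one hostname token and any brand term."""
    return max(SequenceMatcher(None, token, brand).ratio() for brand in BRAND_TERMS)


def classify_download_url(url: str) -> str:
    """Return 'official', 'lookalike', 'unknown' or 'invalid' for the URL actually being fetched.
    Use the final landing URL, not the text an ad displays, since the ad text can be spoofed."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return "invalid"
    if registrable_domain(host) in OFFICIAL_DOMAINS:
        return "official"
    # Inspect every label except the TLD and split hyphenated labels, so both
    # 'chromeweb-authenticators.com' and 'google.com.evil-host.example' are caught.
    tokens = [t for label in host.split(".")[:-1] for t in label.split("-") if t]
    if any(brand_similarity(t) >= LOOKALIKE_THRESHOLD for t in tokens):
        return "lookalike"
    # Neither the vendor's domain nor an obvious imitation: still not a trusted source.
    return "unknown"


if __name__ == "__main__":
    # Hostnames from the campaign described above plus constructed control cases.
    for sample in ("https://www.google.com/", "https://chromeweb-authenticators.com/",
                   "https://authenticcator-descktop.com/download",
                   "https://google.com.evil-host.example/Authenticator.exe",
                   "https://github.com/authe-gogle/authgg"):
        print(f"{classify_download_url(sample):10s} {sample}")
```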