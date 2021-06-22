



Attackers used malicious Google Ads to capture millions of users who abandoned WhatsApp for Signal and Telegram in early 2021

eSentire, a leading global provider of Managed Detection and Response (MDR) services, has previously tracked two malicious campaigns delivered through Google Search that targeted business professionals (Gootloader and SolarMarker) throughout 2021. eSentire researchers have now identified a third campaign, currently being run, that delivers an information stealer, RedLine Stealer. According to eSentire's security research team, the Threat Response Unit (TRU), this latest campaign relies on malicious Google Ads and web pages that clone the legitimate download pages of secure chat applications such as Signal (Image 5). The purpose of the campaign is to use a fake Signal page to social engineer victims into downloading and running RedLine Stealer. The stolen information may be sold on the dark web or used directly in further intrusions and fraud campaigns. Similar malicious Google advertising campaigns using AnyDesk, Dropbox, and Telegram as lures have recently been observed.

In January 2021, users abandoned WhatsApp for alternatives following an unpopular update to its Terms of Service. According to analysts, these users largely moved to Signal and Telegram (see Image 1). A Guardian article reported that in the first three weeks of January, Signal gained 7.5 million users worldwide and Telegram 25 million in the UK, according to figures shared by the UK Parliament's Home Affairs Committee. Shortly thereafter, cybercriminals capitalized on the interest in Signal and Telegram and deployed malicious Google Ads (see Images 2, 3 and 4). For example, when a victim clicks on a malicious Signal ad, they are taken to an exact replica of the Signal download page (see Image 5). TRU used both endpoint and log data to observe contact with these ad domains shortly before RedLine Stealer was installed and run (Images 7-10). For Telegram (Images 9-10), the filename (SETUP) was not as telling, but the fact that the user downloaded the legitimate version of Telegram immediately after the incident supports the hypothesis that the user had been looking for a Telegram download.

Several pieces of evidence show that the ad-linked Signal page is malicious. First, most links on the fake Signal page do not work, whereas they do on the real Signal page. Second, the download button on the fake page (the one functioning button) relies on an unknown PHP script controlled on the server side; when TRU attempted a download, the fake Signal page delivered an older version of Signal, possibly because the server detected the security tooling in use (Box 1). Third, the top-level domain of the fake Signal download page is not the standard top-level domain. Finally, all of the suspicious ads share the hosting provider NameCheap. Registration and hosting parameters across a sample of suspicious sites with the same structure (identified via Urlscan) point to multiple malvertising campaigns (Image 11).

The threat group behind this campaign may have built the fake Signal page so that it forwards victims on to the real Signal website, adding credibility. Instead of an installer, however, victims receive AutoIT scripts (AutoIT is a Windows scripting tool used to automate various functions) that deploy RedLine Stealer.

TRU observed four cyber incidents in two different organizations from late March to early April. One organization is in the legal profession and the other in the real estate industry. Interestingly, when a TRU researcher clicked on a malicious web ad and tried to download the Signal installer, an older version (1.40.1) of Signal and the Signal icon were served from the legitimate Signal website (signal.org) via a suspicious PHP script. TRU's hypothesis is that RedLine was not served because the attacker's infrastructure can detect visitors coming from virtual machines rather than real computers. One indicator that a Google Ad may be part of this campaign is a suspicious top-level domain (TLD) such as .digital, .link, .store or .club, often combined with the name of the targeted chat app in the domain (e.g. desktop-signal.store).
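The indicator just described (a chat-app name embedded in a domain under a non-standard TLD, reached via a server-side PHP script) can be turned into a simple log-review check. The following Python script is an added example and is not eSentire's or TRU's tooling: it runs the heuristic over constructed proxy log lines, excludes an assumed allow-list of legitimate download domains, and reports the first lookalike contact per client so it can be correlated with later installer activity as in Images 7 and 9. The log format, sample lines, allow-list and keyword lists are all assumptions for this example.

```python
"""Flag chat-app lookalike ad domains in proxy log lines (added example).

Heuristic taken from the write-up: a domain that embeds a secure chat app
name (Signal, Telegram, Viber) under a non-standard TLD such as .digital,
.link, .store or .club, typically serving the download through a PHP script.
The log format, sample lines and allow-list below are constructed assumptions.
"""
from urllib.parse import urlsplit

CHAT_APP_KEYWORDS = ("signal", "telegram", "viber")
SUSPICIOUS_TLDS = ("digital", "link", "store", "club")
# Assumed allow-list of the apps' legitimate download domains.
LEGITIMATE_DOMAINS = {"signal.org", "telegram.org", "viber.com"}

# Constructed sample proxy log: "<timestamp> <client_ip> <method> <url>".
SAMPLE_LOG = """\
2021-04-01T09:12:03Z 10.0.0.15 GET https://signal.org/download/
2021-04-01T09:14:41Z 10.0.0.15 GET http://desktop-signal.store/index.php
2021-04-01T09:14:43Z 10.0.0.15 GET http://desktop-signal.store/download.php?v=1
2021-04-01T10:02:10Z 10.0.0.22 GET https://telegram.org/dl/desktop/win
2021-04-01T10:05:55Z 10.0.0.22 GET http://telegram-desktop.club/setup.php
2021-04-01T11:30:00Z 10.0.0.30 GET https://example.com/invoice.html
"""


def registrable_domain(host):
    """Reduce a hostname to its last two labels (e.g. www.x.store -> x.store).
    A simple heuristic; it does not handle multi-label public suffixes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_lookalike(host):
    """True when the domain uses a suspicious TLD and embeds a chat-app name,
    unless it is one of the known legitimate domains."""
    domain = registrable_domain(host)
    if domain in LEGITIMATE_DOMAINS:
        return False
    name, _, tld = domain.rpartition(".")
    return tld in SUSPICIOUS_TLDS and any(k in name for k in CHAT_APP_KEYWORDS)


def parse_line(line):
    """Split one log line into a record; returns None for malformed lines."""
    parts = line.split(maxsplit=3)
    if len(parts) != 4:
        return None
    timestamp, client, method, url = parts
    split = urlsplit(url)
    if not split.hostname:
        return None
    return {"timestamp": timestamp, "client": client, "method": method,
            "host": split.hostname, "path": split.path}


def find_lookalike_hits(log_text):
    """Return every request to a lookalike domain, noting PHP download paths."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_lookalike(rec["host"]):
            rec["php_script"] = rec["path"].lower().endswith(".php")
            hits.append(rec)
    return hits


def first_hit_per_client(hits):
    """Map client -> timestamp of its first lookalike contact, for correlating
    with installer execution observed minutes later on the endpoint."""
    first = {}
    for rec in hits:  # log is assumed chronological
        first.setdefault(rec["client"], rec["timestamp"])
    return first


if __name__ == "__main__":
    found = find_lookalike_hits(SAMPLE_LOG)
    for rec in found:
        flag = " [php download script]" if rec["php_script"] else ""
        print(f'{rec["timestamp"]} {rec["client"]} -> {rec["host"]}{rec["path"]}{flag}')
    print("first contact per client:", first_hit_per_client(found))
```

The allow-list matters: the write-up notes that the fake page served files from signal.org itself, so a rule that only keys on the app name would fire on legitimate traffic. Matching on the combination of app name and unusual TLD keeps the signal specific.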

The attackers who launched these malicious campaigns would have had to spend money purchasing Google Ads. The cost of these ads depends on many variables, such as the popularity of the keyword (Signal, Telegram, Viber, etc.) and how much other advertisers are willing to pay for that keyword. We do not know the total amount the cybercriminals spent on Google Ads, but we do know that the keyword Telegram can cost up to $0.40 per click and the keyword Signal up to $1.40 per click. The funding for these ad purchases may itself have come from the proceeds of previous malicious campaigns.

These latest incidents are a further example of drive-by downloads becoming a popular attack vector in 2021. Threat actors are building capabilities to hijack computer users who conduct business through Google Search. In the last six months, we have identified three different campaigns in which threat actors used malicious Google search results to target unsuspecting computer users and business professionals. In addition to the RedLine campaign described here, these include the SolarMarker threat, which targets business professionals searching for free templates for business forms such as invoices, surveys, and receipts, and lures them to hacker-controlled websites hosted on Google Sites. Recently, TRU has also observed a campaign that leverages Gootloader to infect business professionals by luring them to web pages that purportedly host various sample business contracts.

About RedLine Stealer malware

According to the security firm Proofpoint, the RedLine Stealer malware first appeared on the Russian underground market in March 2020. Proofpoint reported that the malware is sold under several pricing options, including a light version for $150, a pro version for $200, and a $100 monthly subscription. RedLine steals login credentials, passwords, and credit card data from internet browsers. It has also been reported to steal from cryptocurrency cold wallets. RedLine additionally collects information about the computer user and device, including usernames, locations, hardware configurations, and installed security software.

Key points:

Comments from Spence Hutchinson, Threat Intelligence Manager at eSentire

"Threat actors continue to spend time and money trying to capture and infect as many victims as possible. They spend money buying Google Ads (possibly using stolen credit cards to buy the advertising space) and spend time creating near-exact replicas of the download pages of some of the most popular and trusted secure chat applications, such as Signal, Telegram and Viber," says eSentire's threat intelligence manager Spence Hutchinson. "This shows our research team that:

eSentire confirms that Google search results continue to be poisoned by drive-by download campaigns in the wild. Drive-by download campaigns are becoming a more popular threat vector for cybercriminals. Previously, malspam was the preferred tactic, but drive-by download tactics appear to be steadily gaining ground. Threat actors have recently been successful in using a variety of business resources as lures, such as sample business contracts, sample business forms, and downloads of secure chat applications. Corporate internal security teams and external security teams need to make sure they are fully aware of the various tactics attackers use to direct users to malicious web pages, malicious ads, and malicious documents. Users should look up the resulting domain in a Google search to make sure they trust it. Employees should always be wary of free material on the internet, especially when they are looking for something to download, whether it is something suspicious like a software crack or something that looks harmless like a business form template, a contract, or a free secure chat service. Every month, threat actors find new ways to intercept business users who turn to Google looking for free downloads."

Image 1: Google searches for Telegram and Signal in response to the news that WhatsApp had changed its terms of service.

Image 2: Suspicious advertisement displayed when searching for the word Signal

Image 3: Suspicious ads appearing when searching for the word Telegram

Image 4: Suspicious ads appearing when searching for the word Viber

Image 5: Malicious page (http://desktop-signal[.]digital/) disguised as a legitimate Signal download page. The download button references a PHP script that is probably used for filtering.

Image 6: As of April 21, http://desktop-signal[.]digital is flagged as phishing by CloudFlare

Image 7: Log data showing the suspicious advertising domain minutes before the fake Signal installer was executed.

Image 8: RedLine Stealer spawned from the suspected Signal download, named SignAL-WIN-53973.EXE

Image 9: Suspicious ad domain minutes before the setup file was executed

Image 10: Setup file that leads to the execution of RedLine Stealer

Image 11: Registration and infrastructure properties of the suspicious ad domains

For more information on this threat and how to protect against it, please visit https://www.esentire.com/get-started.

