SecTopRAT bundled in Chrome installer distributed via Google Ads

SecTopRAT bundled in Chrome installer distributed via Google Ads
This article discusses a new scheme where criminals abuse Google Ads to entice users into downloading malware disguised as Google Chrome. The malicious ad leads victims to a fraudulent Google Sites page, ultimately infecting their systems with SecTopRAT. The attackers effectively exploit trust in search engines to distribute their malicious software. Affected: Google users, online security sector, cybersecurity industry

Keypoints :

  • Criminals use Google Ads to trick users into downloading malware.
  • The bait is a false advertisement for Google Chrome.
  • Victims are redirected to a fraudulent Google Sites page.
  • The malware payload is SecTopRAT, a remote access Trojan.
  • Malicious downloads dynamically retrieve payloads from remote sites.
  • Malware includes a fake Chrome installer that installs legitimate Google Chrome to mislead users.
  • Malwarebytes protects users from this attack via Browser Guard and Antivirus.

MITRE Techniques :

  • T1071.001 – Application Layer Protocol: The malware communicates with command and control using HTTP.
  • T1218.011 – Signed Binary Proxy Execution: Malicious code is injected into the legitimate MSBuild.exe process.
  • T1203 – Exploitation for Client Execution: Users are tricked into executing the downloaded malware.
  • T1060 – Resource Hijacking: The payload masquerades as legitimate software to ensure execution without detection.

Indicator of Compromise :

  • [Domain] launchapps[.]site
  • [URL] hxxps[://]launchapps[.]site/getCode[.]php
  • [URL] hxxps[://]launchapps[.]site/3[.]php?uuid={}_uuid
  • [File] decrypted.exe
  • [File] waterfox.exe
  • [IP Address] 45.141.84[.]208
  • [URL] sites[.]google[.]com/view/gfbtechd/
  • [Malicious URL] chrome[.]browser[.]com[.]dechrome[.]browser[.]com[.]de/GoogleChrome.exe48fdfbe23eef7eddff071d3eda1bc654b94cf86036ca1cca9c73b0175e168a55


Full Story: https://www.malwarebytes.com/blog/cybercrime/2025/02/sectoprat-bundled-in-chrome-installer-distributed-via-google-ads