Spreading malware by abusing Google’s advertising

AhnLab SEcurity intelligence Center (ASEC) recently confirmed a case in which Google’s advertising tracking function was abused to distribute malware. In the confirmed case, the malware was disguised as installers for widely used groupware and collaboration tools such as Notion and Slack. The distributed malware downloads additional malicious files and payloads from the attacker’s server; the confirmed file names are as follows.

  • Notion_software_x64_.exe
  • Slack_software_x64_.exe
  • Trello_software_x64_.exe
  • GoodNotes_software_x64_32.exe

This type of malware is mainly distributed as an Inno Setup installer or an NSIS (Nullsoft Scriptable Install System) installer. Among the files above, Notion_software_x64_.exe was confirmed to have been shown to users searching Google for the keyword “notion” until recently.

The attacker used the tracking function of Google advertisements to make it appear to users that they were accessing a legitimate site.
Google’s advertising tracking function lets advertisers collect data about users’ clicks and use it for statistics by inserting the address of an external statistics site (the tracking template). The pictures below show an example of the final URL and the tracking template URL set when creating a Google ad.

Figure 1. Final URL (example)
Figure 2. Tracking template URL (example)

The picture below shows a test advertisement created for illustration. The advertisement has a tracking URL inserted, and that URL is not visible to users. When a user clicks the ad banner, the browser is actually sent to the tracking template URL rather than to the final URL displayed in the ad.

Figure 3. Screen shown in Google advertisement (example)
Figure 4. Connection flow when clicking on an advertisement (example)

Originally, the tracking function of Google advertisements was intended for user access statistics, but the attacker inserted a malware distribution site instead of an external statistics site address.
The attacker’s advertisement has since been taken down, but at the time of distribution, clicking the attacker’s ad banner actually connected to the addresses below and led the user to download a malicious file. The confirmed transit addresses and final connection address are as follows.

Transit address

  1. hxxps://www.googleadservices[.]com/pagead/aclk?sa=L&ai=DChcSEwjvxY_g38yEAxX96RYFHbN_DHwYABAAGgJ0bA&ase=2&gclid=CjwKCAiArfauBhApEiwAeoB7qFTSv58y3yV4nTuE_ptW9t-YIT1-Y_jH70VIcuKX3qsNu9u5d2TplRoCKDwQAvD_BwE&ohost=www.google.com&cid=CAESVeD21RQt4fRwNUkcEV8_EYQ96OMpQS8F7ZevrgG_k_jZewow_akDRbQ3vK-L7r7Z7yVUCyf4YKpyZrJCjoIkJjEcGbU1LviHlcWC8x9hRsFbAGy8Sbc&sig=AOD64_3Ho3r-SX_3edPZOWfLXPSWeCY1SQ&q&nis=6&adurl&ved=2ahUKEwibkYng38yEAxWScPUHHRJlCjAQ0Qx6BAgFEAE
  2. hxxps://pantovawy.page[.]link/jdF1/?url=https://www.notion.so/pricing%3Fgad_source%3D1&id=8
  3. hxxps://cerisico[.]net/

Final connection address

  • hxxps://notione.my-apk[.]com

The final page is designed to resemble the real collaboration tool’s website and induces users to download and execute the malicious code.
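The redirect chain above is what a defender should compare against the address the ad displayed. The following added example (not part of the original ASEC analysis) refangs the quoted transit and final addresses, pulls the decoy `url=` parameter out of the page.link hop, and flags that the final host belongs to a different registered domain that merely embeds the brand name; the displayed Notion pricing URL is an assumption.

```python
from urllib.parse import urlparse, parse_qs

# Defanged redirect chain from the page.link hop onward, as quoted above (constructed list).
CHAIN = [
    "hxxps://pantovawy.page[.]link/jdF1/?url=https://www.notion.so/pricing%3Fgad_source%3D1&id=8",
    "hxxps://cerisico[.]net/",
    "hxxps://notione.my-apk[.]com",
]
# Address the ad displayed to the user (assumed: the real Notion pricing page).
DISPLAYED_URL = "https://www.notion.so/pricing"


def refang(url: str) -> str:
    """Turn an hxxp / [.] style indicator back into a parseable URL."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); sufficient for the .com/.net/.so hosts here."""
    return ".".join(host.lower().split(".")[-2:])


def decoy_hosts(url: str) -> list:
    """Hosts smuggled into query parameters, e.g. page.link's ?url=... lure."""
    params = parse_qs(urlparse(url).query)
    return [urlparse(v).hostname for v in params.get("url", []) if urlparse(v).hostname]


def analyse_click(displayed: str, chain: list) -> dict:
    """Compare what the ad showed with where the redirect chain actually ends."""
    shown = registered_domain(urlparse(displayed).hostname)
    hops = [refang(u) for u in chain]
    final_host = urlparse(hops[-1]).hostname
    final = registered_domain(final_host)
    decoys = {registered_domain(h) for u in hops for h in decoy_hosts(u)}
    brand = shown.split(".")[0]  # "notion"
    return {
        "displayed_domain": shown,
        "final_domain": final,
        "decoy_domains": sorted(decoys),
        "mismatch": final != shown,
        # brand name embedded in an unrelated host, e.g. "notione.my-apk.com"
        "lookalike": final != shown and brand in final_host,
    }


if __name__ == "__main__":
    print(analyse_click(DISPLAYED_URL, CHAIN))
```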

The executed malicious code obtains the address of the malicious payload from a service that hosts text or shortened links, such as textbin or tinyurl. The URLs the malware accesses to obtain the payload address are as follows.

  • hxxp://tinyurl[.]com/4jnvfsns
  • hxxp://tinyurl[.]com/4a3uxm6m
  • hxxps://textbin[.]net/raw/oumciccl6b
  • hxxp://tinyurl[.]com/mrx7263e

When one of the above addresses is accessed, the malicious payload download address is returned in the response. The payload URLs received in this way are as follows.

  • hxxps://slashidot[.]org/@abcDP.exe
  • hxxps://yogapets[.]xyz/@abcmse1.exe
  • hxxps://bookpool[.]org/@Base.exe
  • hxxp://birdarid[.]org/@abcDS.exe
Figure 5. Malicious payload address

Ultimately, the Rhadamanthys infostealer is downloaded from the above addresses. When executed, the malware injects itself into a legitimate Windows binary located in the %system32% path and runs from there. Because the malicious code runs inside a legitimate file, users may not notice its activity, and their information may be stolen.

Legitimate Windows files targeted for injection (%system32% path)

  • dialer.exe
  • openwith.exe
  • dllhost.exe
  • rundll32.exe
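Because the stealer runs inside one of the four %system32% binaries above, process-creation telemetry is the place to look for it. The following added detection example (not ASEC’s own tooling) parses constructed Sysmon-like events and flags those binaries when they are spawned by an executable in a user-writable location, such as a freshly downloaded installer, or when rundll32.exe or dllhost.exe starts with no arguments; the event format and the path heuristic are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Windows binaries the report names as injection targets (%system32%).
INJECTION_TARGETS = {"dialer.exe", "openwith.exe", "dllhost.exe", "rundll32.exe"}
SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")
# Locations a browser-downloaded installer typically runs from (assumed heuristic).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")

# Constructed process-creation events in a simplified Sysmon-like key=value form.
SAMPLE_EVENTS = [
    r'Image=C:\Windows\System32\dialer.exe Parent=C:\Users\bob\Downloads\Notion_software_x64_.exe Cmd="C:\Windows\System32\dialer.exe"',
    r'Image=C:\Windows\System32\rundll32.exe Parent=C:\Windows\explorer.exe Cmd="rundll32.exe shell32.dll,Control_RunDLL"',
    r'Image=C:\Windows\System32\dllhost.exe Parent=C:\Users\bob\AppData\Local\Temp\is-ABC.tmp\Slack_software_x64_.exe Cmd="dllhost.exe"',
    r'Image=C:\Windows\System32\openwith.exe Parent=C:\Windows\explorer.exe Cmd="openwith.exe C:\Users\bob\file.dat"',
    r'Image=C:\Program Files\Notion\Notion.exe Parent=C:\Windows\explorer.exe Cmd="Notion.exe"',
]

EVENT_RE = re.compile(r'Image=(?P<image>.+?) Parent=(?P<parent>.+?) Cmd="(?P<cmd>.*)"$')


def parse_event(line: str):
    """Split one event line into image, parent and command line (None if malformed)."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(ev: dict):
    """Return a reason string if the event matches the injection pattern, else None."""
    image = PureWindowsPath(ev["image"])
    if image.name.lower() not in INJECTION_TARGETS or image.parent != SYSTEM32:
        return None
    parent = ev["parent"].lower()
    if any(d in parent for d in USER_WRITABLE):
        return f"{image.name} spawned from user-writable parent {ev['parent']}"
    # rundll32/dllhost normally carry arguments; a bare launch is a hollowing indicator.
    bare = {image.name.lower(), str(image).lower()}
    if image.name.lower() in {"rundll32.exe", "dllhost.exe"} and ev["cmd"].strip().lower() in bare:
        return f"{image.name} launched without arguments"
    return None


def scan(lines):
    """Run the rule over a list of event lines and collect alert reasons."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev:
            reason = is_suspicious(ev)
            if reason:
                alerts.append(reason)
    return alerts
```

Only the two events whose parent is a downloaded installer are flagged; the ordinary explorer.exe-launched rundll32.exe and openwith.exe are not.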

In this Rhadamanthys distribution case, Google advertisements were confirmed to have been used to deceive users. Not only Google but any other search engine that provides a tracking function for statistics services can be abused by attackers in the same way to spread malicious code. Users should check the URL actually reached after clicking, not the address displayed in the advertisement.

[IOC]

[File Diagnosis]

  • Trojan/Win.Agent.C5595056 (2024.02.29.02)
  • Trojan/Win.Agent.C5592526 (2024.02.23.02)
  • Trojan/Win.Agent.C5594794 (2024.02.28.03)
  • Trojan/Win.Rhadamanthys.R636740 (2024.02.27.00)

[Behavior Diagnosis]

  • Injection/MDP.Event.M10231