{"id":16221,"date":"2023-07-24T12:18:32","date_gmt":"2023-07-24T12:18:32","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=16221"},"modified":"2023-07-24T12:42:38","modified_gmt":"2023-07-24T12:42:38","slug":"gozi-iceid-malvertising","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/gozi-iceid-malvertising\/","title":{"rendered":"Gozi and IcedID Trojans Spread via Malvertising"},"content":{"rendered":"

Malvertising on Google Search is an unpleasant occurrence where malicious ads appear in search engine results<\/strong>. These ads are meant to help users find relevant information. But unfortunately, some cybercriminals use paid advertisements<\/strong> to entice users to visit harmful websites and deceive them into downloading malicious software.<\/p>\n

How does malvertising work?<\/h2>\n

Malvertising is an attack where malicious code is inserted<\/a> into legitimate online advertising networks. This code usually leads users to harmful websites<\/strong>. <\/p>\n

\"How<\/p>\n

Some malicious actors create fake websites<\/a> that mimic legitimate software sites, using tactics like typosquatting (using misspelled versions of well-known brand and company names as their URL) or combosquatting (combining popular names with random words for their URL). This makes the fake sites appear legitimate<\/strong> to unsuspecting users, as their domain names reference the original software or vendor. The fake web pages are designed to look identical to the real ones<\/strong>, and the threat actors pay to promote the site through search engines to boost its visibility.
\nFake WinRar ad on Google<\/p>\n

\"Fake
Fake WinRar ad on Google search result
<\/figcaption><\/figure>\n

Google has a vast user base, processing over 8 billion daily queries. This makes their search results one of the largest advertising networks<\/strong> available. Unfortunately, a single malicious ad can potentially be viewed by millions of people, causing thousands to click on it. The situation worsens exponentially<\/strong> when at least ten topics contain negative Google ads.<\/p>\n

BatLoader as malware loader<\/h2>\n

BatLoader is a type of malware that enables cybercriminals to download more advanced<\/strong> and harmful malware onto a targeted system. The batch script can download two specific types of malware: IcedID, and Gozi\/Ursnif, a backdoor. <\/p>\n

It’s worth noting that the BatLoader campaign is still using malvertising<\/strong>, unlike IcedID. What’s particularly interesting is that there has been a shift in the type of users being targeted. While malicious ads previously targeted those searching for IT tools<\/strong> in late 2022 and early 2023, more recent campaigns now use AI-related lures to target users searching for devices such as Midjourney and ChatGPT<\/a>.<\/p>\n

IcedID Malware<\/h2>\n

IcedID (a.k.a BokBot) is a type of malware that was first discovered in 2017 and classified as both a banking Trojan and a remote access Trojan (RAT). Experts say IcedID is as powerful as other advanced banking Trojans<\/strong> like Zeus, Gozi, and Dridex. To infect a system, IcedID relies on other malware like Emotet to get initial access. Once it’s in, IcedID can steal financial information<\/strong> and even drop malware like ransomware<\/a>. It’s also capable of moving through a network with ease.<\/p>\n

\"IcedID
Encrypted zip archives<\/figcaption><\/figure>\n

The group called Shatak often sends phishing emails<\/a> to spread malware called IcedID. They attach Microsoft Office documents with macros<\/strong>, .iso<\/code> files, or encrypted .zip<\/code> archives. Once the malware infects a system, it searches for the best way to spread and gain control. It does this by looking for a way to install itself without being detected<\/strong> and then waits for the system to reboot before activating its main module. By doing this, IcedID can blend in with legitimate processes, making it harder to detect<\/strong>.<\/p>\n

Gozi backdoor\/banking trojan<\/h2>\n

URSNIF, the malware known as Gozi that attempts to steal online banking credentials<\/strong> from victims’ Windows PCs, is evolving to support extortionware<\/strong>. This banking trojan has been around since the mid-2000s and is one of the oldest. It has multiple variants and has been known by names such as URSNIF, Gozi, and ISFB. These are the most effective methods for protecting yourself from attack: encountering other malware families, and its source code has been leaked twice<\/strong> since 2016. According to malware analysts, it is now considered a “set of related siblings” rather than a single malware family.<\/p>\n

Malware Mitigation and Prevention<\/h2>\n

Detecting and mitigating malvertising attacks can be challenging<\/strong>, and both end users and publishers must take action to combat this threat. Implementing a comprehensive cybersecurity program at the enterprise level is the best way to protect against malvertising. Organizations can reduce their risk<\/strong> of falling victim to these attacks by taking appropriate precautions.<\/p>\n

These are the most effective methods for protecting yourself from attack:<\/p>\n