{"id":17661,"date":"2023-11-15T13:18:30","date_gmt":"2023-11-15T13:18:30","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=17661"},"modified":"2024-05-31T00:41:15","modified_gmt":"2024-05-31T00:41:15","slug":"fake-cpu-z-google-ads","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/fake-cpu-z-google-ads\/","title":{"rendered":"Malicious CPU-Z Copy Is Spread In Google Search Ads"},"content":{"rendered":"<p>Attackers are again <strong>abusing the Google Ads platform<\/strong> to distribute malicious advertising and the RedLine information stealer. This time, the ads advertised <strong>a trojanized version of the CPU-Z tool<\/strong>.<\/p>\n<h2>CPU-Z Malware in the WindowsReport Page Clone<\/h2>\n<p>Recently, a wave of malicious ads on the Google Search results page offered users a Trojan-infected version of the popular CPU-Z program. For better disguise, the malware was hosted on a <strong>clone of the real news site WindowsReport<\/strong>. Since many users do not know where the product&#8217;s official download page is, the trick was quite effective.<\/p>\n<figure id=\"attachment_17696\" aria-describedby=\"caption-attachment-17696\" style=\"width: 613px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2023\/11\/Adware-on-Google-Ads-with-Redline-1.jpg\" alt=\"Adware on Google Ads with Redline\" width=\"613\" height=\"215\" class=\"size-full wp-image-17696\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2023\/11\/Adware-on-Google-Ads-with-Redline-1.jpg 613w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2023\/11\/Adware-on-Google-Ads-with-Redline-1-300x105.jpg 300w\" sizes=\"auto, (max-width: 613px) 100vw, 613px\" \/><figcaption id=\"caption-attachment-17696\" class=\"wp-caption-text\">Malvertising<\/figcaption><\/figure>\n<p>By clicking on such an advertisement, the victim went through 
<strong>a series of redirects<\/strong> that fooled Google&#8217;s security scanners and filtered out crawlers, VPN users, bots and similar visitors, sending them instead to a decoy site that contained nothing malicious.<\/p>\n<figure id=\"attachment_17669\" aria-describedby=\"caption-attachment-17669\" style=\"width: 793px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2023\/11\/Redirection-after-click-on-Google-Ads.jpg\" alt=\"Redirection after click on Google Ads\" width=\"793\" height=\"173\" class=\"size-full wp-image-17669\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2023\/11\/Redirection-after-click-on-Google-Ads.jpg 793w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2023\/11\/Redirection-after-click-on-Google-Ads-300x65.jpg 300w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2023\/11\/Redirection-after-click-on-Google-Ads-768x168.jpg 768w\" sizes=\"auto, (max-width: 793px) 100vw, 793px\" \/><figcaption id=\"caption-attachment-17669\" class=\"wp-caption-text\">Redirects (source: Malwarebytes)<\/figcaption><\/figure>\n<p>Users ended up on a fake news site hosted on one of the following domains:<\/p>\n<ul>\n<li>argenferia[.]com;<\/li>\n<li>realvnc[.]pro;<\/li>\n<li>corporatecomf[.]online;<\/li>\n<li>cilrix-corp[.]pro;<\/li>\n<li>thecoopmodel[.]com;<\/li>\n<li>winscp-apps[.]online;<\/li>\n<li>wireshark-app[.]online;<\/li>\n<li>cilrix-corporate[.]online;<\/li>\n<li>workspace-app[.]online.<\/li>\n<\/ul>\n<p>The result of these manipulations is a chain attack that starts with the FakeBat malware loader. 
<strong>This loader then deploys the well-known RedLine infostealer, an old-timer of the scene.<\/strong><\/p>\n<h2>What is RedLine Infostealer?<\/h2>\n<p>Downloading the CPU-Z installer from the attackers&#8217; site yielded an MSI file containing a malicious PowerShell script, which the researchers <strong>identified as the FakeBat malware loader<\/strong> (aka EugenLoader). This loader fetched the RedLine payload from a remote URL and launched it on the victim&#8217;s computer.<\/p>\n<p><strong>RedLine is a powerful data theft tool<\/strong> that can steal passwords, session tokens, cookies, and a great deal of other data. We have a dedicated article with a complete technical analysis of this malware; <a href=\"https:\/\/gridinsoft.com\/spyware\/redline\">consider checking it out.<\/a><\/p>\n<p>Earlier, we wrote about another way cybercriminals distribute the RedLine infostealer: through sites offering a <a href=\"\/blogs\/fake-msi-afterburner\/\">fake MSI Afterburner utility<\/a>. That campaign also used various domains that users could mistake for <strong>the official MSI website<\/strong>; the imitation of the brand&#8217;s resources was done quite well.<\/p>\n<p>According to Google representatives, all malicious ads associated with the campaign distributing the infected CPU-Z tool have now been removed, and <strong>appropriate action has been taken<\/strong> against the accounts associated with them.<\/p>\n<h2>This is not the first time that hackers have used Google Ads<\/h2>\n<p>This exact malvertising campaign <a href=\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/11\/malvertiser-copies-pc-news-site-to-deliver-infostealer\" rel=\"noopener noreferrer nofollow\" target=\"_blank\">was discovered by Malwarebytes analysts<\/a>, who believe it is part of a previously observed campaign with the same purpose. 
Previously, the attackers used fake Notepad++ advertisements to deliver the malware.<\/p>\n<p>In the ads, the attackers promoted URLs that were clearly not associated with Notepad++ and <strong>used misleading titles in their ads<\/strong>. Since ad headlines are much larger and more visible than the URLs, many people likely didn&#8217;t notice the catch.<\/p>\n<p>Let me remind you that we have already covered how malware operators and other hackers <a href=\"\/blogs\/hackers-abuse-google-ads\/\">are increasingly using Google Ads<\/a> to distribute malware to users looking for popular software. So, you can encounter malicious ads when searching for <strong>Slack, Grammarly, Dashlane, Audacity, and dozens of other programs.<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Attackers are again abusing the Google Ads platform to distribute malicious advertising and Redline information stealer. This time, the ads advertised a trojanized version of the CPU-Z tool. CPU-Z Malware in the WindowsReport Page Clone Recently, a wave of malicious ads on Google Search results page offered users a Trojan-infected version of the popular CPU-Z [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":17664,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","footnotes":""},"categories":[15],"tags":[58,28,483,1360],"class_list":{"0":"post-17661","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-security-news","8":"tag-google","9":"tag-malware","10":"tag-redline","11":"tag-stealer"},"featured_image_src":"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2023\/11\/Google-Ads-and-Redline.jpg","author_info":{"display_name":"Vladimir 
Krasnogolovy","author_link":"https:\/\/gridinsoft.com\/blogs\/author\/krasnogolovy\/"},"_links":{"self":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/17661","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/comments?post=17661"}],"version-history":[{"count":17,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/17661\/revisions"}],"predecessor-version":[{"id":17702,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/17661\/revisions\/17702"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media\/17664"}],"wp:attachment":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media?parent=17661"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/categories?post=17661"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/tags?post=17661"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}