Cybercrime groups are now leveraging Google Ads and search engines to get users to download malicious software. The aptly named “MasquerAds” mimics legitimate applications like AnyDesk, Dashlane, Grammarly, Malwarebytes, Microsoft Visual Studio, MSI Afterburner, Slack, Zoom, Audacity, OBS, Libre Office, Teamviewer, Thunderbird, Brave, and more.
People who type those keywords into Google should be careful with the results that come up. Under MasquerAds, threat actors create typosquatted domain names whose URLs are at least one letter off from the original brand. But this subtlety may elude normal users. Once users click on a MasquerAd, they land on a phishing site that includes a download link to the malicious software, usually Racoon Stealer or Vidar.
“A newly uncovered technique to abuse Google’s Adwords powerful advertisement platform is spreading rogue promoted search results in mass,” wrote Nati Tal of Guardio Labs in a blog. These search results “redirect ad-clickers to malicious phishing pages,” harnessing Google’s credibility and targeting capabilities.
The Evil Genius of the MasquerAds Campaign
On the face of it, the MasquerAds campaign appears simple. However, it’s anything but that. It finds customers by harnessing Google Ads’ reach. It then redirects to a phishing site to download files, typically hosted on either Dropbox, Google Drive, Discord CDN, or Github. To throw Google Ads off its trail, it uses a fake legitimate site as a front for its activities.
Nati Tal illustrated the sophistication of the MasquerAds campaign with the example of a user searching for Grammarly software. The user typing “grammarly” into Google may get a MasquerAd site, grammalry.org. This URL is just one letter off from the real word. The ad leads to a legitimate site: Christian Heating and Air-Conditioning.
Upon clicking the link, the user is redirected on the server side to the phishing site with a new name, in this instance, “gramm-arly.com”. This site looks like the real Grammarly site, misleading users into thinking it is the real deal. But anything downloaded from the impersonating site will contain malware. And because the redirect happens on the server side, Google doesn’t detect the phishing site.
MasquerAds Avoids Detection on Most Scanners
In addition to using a legitimate site, MasquerAds employs other strategies to avoid detection. A target downloading Grammarly from the phishing site will get the legitimate version of Grammarly. But it’s bundled with an executable file that wreaks damage under the hood.
Additionally, the malware executable is bloated with zero files to make it larger than 500 MB or so — the max size an automated malware scanner allows. Plus, less than a percent of the code is fingerprinted with malicious snippets. This allows it to fly under the radar of most detection tools.
To top it all off, MasquerAds will periodically change malware in their payload. One day, they’ll employ a Raccoon Stealer from Dropbox, and on another, a Vidar Stealer from Github. Yet, this doesn’t change the downloadable Grammarly.exe file.
In fact, the malware executables are sophisticated enough in their design to bypass over 50% of major software security tools. The package raised red flags on Kaspersky, McAfee GW Edition, Fortinet, and BitDefender. But it raised none on McAfee, Malwarebytes, Palo Alto Networks, Microsoft, and Kingsoft.
Why MasquerAds Is So Deadly
MasquerAds uses the reach and credibility of the most powerful search engine (Google) and well-regarded software firms (such as Grammarly) to inflict lethal attacks. It further uses reputable file-sharing services (such as Dropbox) to carry the downloadable, malicious malware.
Intended victims of this campaign are primed users looking for a direct, free solution to an existing problem. For instance, users who download Grammarly to quickly correct errors on a file. Few would ever suspect the top findings on Google’s SERP to be fake — the kind of trust level in these services that the threat actors seek to exploit through a simple redirect.
This campaign is far from trivial, considering Google Ads revenue was USD 209 billion in 2021. Since businesses of all types rely on Google Ads to market their services, campaigns like these contain far-reaching business implications. In such circumstances, business owners and network administrators have a vital role to play.
Network administrators should thoroughly vet all applications before allowing them for use. Further, barring employees from downloading anything from the internet may mean avoiding disastrous consequences later.
It’s important to point out that many malware scanners missed the malware in Grammarly.exe executable. Therefore, experts recommend using only the best malware scanners and antivirus software tools on the market. These tools can quickly identify suspicious files and secure networks.
GPU Targeting through MSI Afterburner
One of the deadliest orchestrators of the MasquerAds campaign is Vermux. This group impersonates software brands popular with users having GPU hardware. MSI Afterburner graphics card holders, who use it to squeeze the most out of their GPU capabilities, are top targets. Gamers and graphic designers use this card, but Vermux uses it to target cryptocurrency miners specifically.
Vermux targets users of this card based in the US and Canada. The operation starts in much the same way as the other MasquerAds campaigns. But this one primarily uses RedLine information stealer malware against potential graphic card buyers.
Once lodged, the RedLine malware operates in the background, stealing passwords, cookies, and browser information. With a focus on crypto mining, the malware drops an XMR miner, exploiting the host computer’s resources to mine cryptocurrency. Like the Grammarly.exe, MSIAfterburnerSetup.msi too rarely returns flags on security providers as per a Virus Total scan.
Where Do We Go from Here?
With enormous resource wealth at its disposal, it’s alarming that Google has failed to protect users against MasquerAds, which has made it to the top of the SERPs. But we can’t solely lay the blame on Google. That would disregard the fact that cybercriminals are employing increasingly creative ways to target unwary users and businesses.
Experts advise users to tread carefully online and double-check domain names. This is especially important since many malware scanners failed to detect suspicious malware in the MasquerAds phishing links. Perhaps, these tools need to be upgraded and made more robust in their operations.
Apart from everyone else, the file hosting services will need to make more effort to ensure the files they host are legitimate. News that this is happening already is a breath of fresh air for users inundated with cyberattacks that increase in sophistication with each passing day. For example, in a welcome development, Github called for mandatory 2FA and secret scanning for all users.
Ultimately, however, everyone will have to shoulder some responsibility in dealing with the Masquerade threat — from users, business owners, administrators, and even governments.