Abusing the Ad Network – Threat Actors Now Hacking into Companies via Search

For the past few years, hackers have increasingly targeted consumers and businesses with tainted software boosted via ads. The recipe is simple: cyber-criminal groups set up fake download sites for high-interest software and pay for search ads that place those sites above the organic results.

It takes just one search and one click for a user to fall victim to the trick. Testament to that is the series of attacks against prominent cryptocurrency figures earlier in 2023, as well as a recent spate of incidents Bitdefender investigated in the second half of the year.

This report is based on an investigation into threat actors' use of a malicious ISO image to give business users more than they bargained for. Besides the software it advertised, the ISO contained a ZIP archive holding a Python executable and its dependencies. One of the DLLs loaded by the python.exe process had been set up to execute a Meterpreter stager, a classic DLL side-loading arrangement that gave the attackers remote access to the victim's computer.
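As an added example (not Bitdefender's code and not taken from the whitepaper), the following hunt runs over Sysmon Event ID 7 "Image loaded" records and flags the pattern described above: python.exe running from a mounted ISO or a user-writable staging directory, loading an unsigned copy of a core runtime DLL, or pulling a DLL from outside its own install tree. The field names (Image, ImageLoaded, Signed, SignatureStatus) follow Sysmon's Event ID 7 schema; the sample records, the paths in them and the assumption that the system drive is C: are constructed for illustration, and the campaign's actual DLL name is not given in the post, so the rules are deliberately generic.

```python
"""Hunt for DLL side-loading into python.exe in Sysmon Event ID 7 (Image loaded) records.

Added example; the events below are constructed, not real telemetry.
"""
import json
from pathlib import PureWindowsPath

# Assumption: Windows is installed on C:, so a python.exe on any other drive
# (a mounted ISO gets its own letter) is worth a look.
SYSTEM_DRIVE = "C:"

# Besides its own install tree, a legitimate python.exe loads DLLs from these roots.
TRUSTED_DLL_ROOTS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Windows\WinSxS")

# Path fragments that mark user-writable staging locations a business tool would not run from.
STAGING_MARKERS = (r"\appdata\local\temp", r"\downloads", r"\users\public")

# Core runtime DLLs ship signed with CPython / the VC++ redistributable; an unsigned
# copy of one of these next to python.exe is the classic side-loading set-up.
CORE_RUNTIME_PREFIXES = ("python", "vcruntime", "msvcp")


def _under(path: str, root: str) -> bool:
    """Case-insensitive 'path is root or lies inside root' for Windows paths."""
    p, r = PureWindowsPath(path.lower()), PureWindowsPath(root.lower())
    return p == r or r in p.parents


def _is_core_runtime_dll(name: str) -> bool:
    n = name.lower()
    return n.endswith(".dll") and n.startswith(CORE_RUNTIME_PREFIXES)


def _signature_ok(event: dict) -> bool:
    signed = str(event.get("Signed", "false")).lower() == "true"
    return signed and str(event.get("SignatureStatus", "")).lower() == "valid"


def assess(event: dict) -> list:
    """Return the reasons one Event ID 7 record looks like side-loading into python.exe."""
    image = event.get("Image", "")
    dll = event.get("ImageLoaded", "")
    if PureWindowsPath(image).name.lower() != "python.exe":
        return []
    reasons = []
    if PureWindowsPath(image).drive.upper() != SYSTEM_DRIVE:
        reasons.append("python.exe runs from a non-system drive (mounted ISO or removable media)")
    if any(marker in image.lower() for marker in STAGING_MARKERS):
        reasons.append("python.exe runs from a user-writable staging directory")
    exe_dir = str(PureWindowsPath(image).parent)
    if not _under(dll, exe_dir) and not any(_under(dll, root) for root in TRUSTED_DLL_ROOTS):
        reasons.append("DLL loaded from outside the Python install tree and Windows system directories")
    if _is_core_runtime_dll(PureWindowsPath(dll).name) and not _signature_ok(event):
        reasons.append("core runtime DLL is unsigned or has an invalid signature")
    return reasons


def hunt(events: list) -> list:
    """Run assess() over a batch of records and keep only the hits."""
    hits = []
    for ev in events:
        reasons = assess(ev)
        if reasons:
            hits.append({"RecordId": ev.get("RecordId"), "Image": ev["Image"],
                         "ImageLoaded": ev["ImageLoaded"], "reasons": reasons})
    return hits


# Constructed sample records shaped like Sysmon Event ID 7 fields (hypothetical paths).
SAMPLE_EVENTS = [
    {"RecordId": 1, "Image": r"C:\Program Files\Python311\python.exe",
     "ImageLoaded": r"C:\Program Files\Python311\python311.dll", "Signed": "true", "SignatureStatus": "Valid"},
    {"RecordId": 2, "Image": r"C:\Program Files\Python311\python.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true", "SignatureStatus": "Valid"},
    # Unsigned third-party extension modules in site-packages are normal and must not fire.
    {"RecordId": 3, "Image": r"C:\Program Files\Python311\python.exe",
     "ImageLoaded": r"C:\Program Files\Python311\Lib\site-packages\numpy\core\_multiarray_umath.cp311-win_amd64.pyd",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # Interpreter run from a mounted ISO, loading an unsigned python311.dll sitting beside it.
    {"RecordId": 4, "Image": r"E:\AnyDesk\python.exe",
     "ImageLoaded": r"E:\AnyDesk\python311.dll", "Signed": "false", "SignatureStatus": "Unavailable"},
    # Interpreter extracted to Downloads, loading a runtime DLL planted in Temp.
    {"RecordId": 5, "Image": r"C:\Users\jdoe\Downloads\WinSCP\python.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\vcruntime140.dll", "Signed": "false", "SignatureStatus": "Unavailable"},
    {"RecordId": 6, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll", "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(json.dumps(hit, indent=2))
```

Two design points matter in practice. First, the "unsigned" rule is restricted to core runtime DLL names: pip-installed extension modules in site-packages are routinely unsigned, so a blanket unsigned-DLL rule on python.exe would drown the hit from record 4 in noise. Second, the drive-letter and staging-directory checks are about where the interpreter itself runs, which is what distinguishes a package extracted from an ISO or a Downloads folder from a managed Python install, regardless of which dependency was trojanized.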

Starting with that subset of indicators, Bitdefender researchers identified more artifacts from the same campaign, which appears to date back to at least May 2023. The malicious ISO images were distributed through ads impersonating download pages for applications such as AnyDesk, WinSCP, Cisco AnyConnect, Slack and TreeSize, and potentially others.
The same campaign has caught the attention of other security researchers, and we would like to join their efforts by sharing our own findings.

The malvertising is only the initial access vector; once on a machine, the attackers spread through the victim's network. For as long as they dwell there, their primary goals are to harvest credentials, establish persistence on important systems and exfiltrate data, with extortion as the end goal. We also observed attempts to deploy BlackCat ransomware.

Findings at a glance:

  • A threat actor with previous roots in cybercrime has shifted its initial access techniques to search engine advertisements that hijack searches for business applications such as AnyDesk, WinSCP, Cisco AnyConnect, Slack, TreeSize and potentially more.
  • Our research shows that the actor(s) has successfully used this type of attack since late May 2023.
  • Based on our threat insights, the attackers appear to focus exclusively on North America. So far we have identified six target organizations in the US and one in Canada.

Indicators of Compromise

An up-to-date, complete list of indicators of compromise is available to Bitdefender Advanced Threat Intelligence users. Currently known indicators of compromise can be found in the whitepaper below.

Download the research paper

Victor VRABIE is a security researcher at Bitdefender Iasi, Romania. Focusing on malware research, advanced persistent threats and cybercrime investigations, he's also a graduate of Computer Sciences.

I'm a veteran security researcher with more than a decade of experience. My research is mostly focused on exploits, advanced persistent threats, cybercrime investigations, and packing technologies.
