
Cybercriminals are once again exploiting Google Ads to distribute malware. This time, they are using a deceptive advertisement for Google Chrome, the world's most popular web browser, to lure unsuspecting users. The malicious campaign involves a fake Google Sites page that serves as an intermediary, similar to previous phishing attacks targeting Google accounts.
Malicious Distribution Tactics
The fraudulent ad appears when users search for "download Google Chrome," leading them to a URL hosted on Google Sites, a platform known for user-generated content. While many pages on this platform are legitimate, its open nature allows for potential misuse by threat actors aiming to appear credible through fake advertisements.
Malware Payload Deployment
Upon clicking the ad, users download a large executable masquerading as the Google Chrome installer. This file not only installs the legitimate browser but also secretly deploys a malware payload known as SecTopRAT. This remote access Trojan (RAT) possesses capabilities to steal sensitive information.
- Execution Process: The fake installer connects to a remote site to retrieve instructions, requesting administrative privileges to execute certain actions.
- Bypassing Security: A PowerShell command adds a Windows Defender exclusion for the %appdata%\Roaming directory, so the malware can be extracted there without Defender scanning it.
- Payload Delivery: An encrypted data stream is downloaded and decrypted, resulting in an executable that unpacks the final payload, waterfox.exe, which mimics the Waterfox browser.
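The Defender-exclusion step above is a detection opportunity: PowerShell script-block logging (Event ID 4104) records the Add-MpPreference/Set-MpPreference command, and an exclusion placed on a user-writable path such as %appdata% is rarely legitimate. The following Python check is an added example, not code from the article or from the campaign's analysts; the log lines are constructed and only approximate the 4104 record format.

```python
import re
from dataclasses import dataclass

# Constructed sample script-block log lines (Event ID 4104 style), not real telemetry.
SAMPLE_LOGS = [
    '4104 Add-MpPreference -ExclusionPath "%appdata%\\Roaming"',
    "4104 Set-MpPreference -ExclusionProcess 'C:\\Users\\Public\\waterfox.exe'",
    '4104 Add-MpPreference -ExclusionPath "C:\\Program Files\\VendorTool"',
    "4104 Get-ChildItem -Path C:\\Temp",
]

# Prefixes that resolve to locations a standard user can write to; an
# exclusion there lets dropped files bypass scanning (the behaviour described above).
USER_WRITABLE = (
    "%appdata%", "%localappdata%", "%temp%", "%tmp%", "%userprofile%",
    "%public%", "c:\\users\\",
)

# Matches Add-/Set-MpPreference with an -ExclusionPath/-ExclusionProcess/-ExclusionExtension
# argument quoted with double quotes, single quotes, or unquoted.
EXCLUSION_RE = re.compile(
    r"""(?i)\b(Add|Set)-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+"""
    r"""(?:"([^"]+)"|'([^']+)'|(\S+))"""
)


@dataclass
class Finding:
    kind: str          # ExclusionPath, ExclusionProcess or ExclusionExtension
    target: str        # the excluded value as written in the command
    user_writable: bool


def analyze_line(line):
    """Return a Finding for a Defender exclusion command, or None if the line is not one."""
    m = EXCLUSION_RE.search(line)
    if not m:
        return None
    kind = "Exclusion" + m.group(2).capitalize()
    target = m.group(3) or m.group(4) or m.group(5)
    # Extension exclusions carry no path, so only Path/Process are checked against prefixes.
    writable = kind != "ExclusionExtension" and target.lower().startswith(USER_WRITABLE)
    return Finding(kind=kind, target=target, user_writable=writable)


def suspicious_exclusions(lines):
    """Keep only exclusions that point into user-writable locations."""
    return [f for f in map(analyze_line, lines) if f and f.user_writable]
```

Exclusions on vendor install directories still get a Finding but are not flagged, so the output is a short review list rather than every Defender configuration change.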
Technical Analysis of SecTopRAT
The malicious code is injected into the legitimate MSBuild.exe process, which then communicates with the attackers' command and control server at IP address 45.141.84[.]208. This confirms the presence of SecTopRAT, a Trojan with advanced data-stealing capabilities.
To complete the deception, the installer concludes by downloading and installing the genuine Google Chrome browser. Analysis of the installation script reveals additional campaigns by the same threat actors, targeting users with fake Notion and Grammarly installers.
Indicators of Compromise
- Google Sites: sites[.]google[.]com/view/gfbtechd/
- Fake Chrome Download: chrome[.]browser[.]com[.]de, chrome[.]browser[.]com[.]de/GoogleChrome.exe, 48fdfbe23eef7eddff071d3eda1bc654b94cf86036ca1cca9c73b0175e168a55
- Payload Host: launchapps[.]site
- Decrypted Executable: f0977c293f94492921452921181d79e8790f34939429924063e77e120ebd23d7
- Waterfox Executable: 0f9b2870c4be5ebacb936000ff41f8075ec88d6535161a93df8e6cfea2d8db54
- Command and Control: hxxps[://]pastebin[.]com/raw/eB8bmiVA, 45.141.84[.]208