Malicious Notepad++ Google ads evade detection for months

Malicious Notepad++ Google ads evade detection for months

October 17, 2023 at 03:52PM

A malvertising campaign targeting users searching for the Notepad++ text editor has gone undetected for months. The campaign uses misleading titles in Google search result ads, leading users to a decoy site or a malicious website that serves a payload, likely Cobalt Strike. To avoid downloading malware, avoid clicking on promoted search results and verify the official website through reputable sources.

Based on the meeting notes, here are the key takeaways:

1. A new malvertising campaign targeting users searching to download Notepad++ has been identified. The campaign has been active for several months and has managed to go unnoticed.

2. The malvertising campaign utilizes Google Ads to promote fake software websites that distribute malware, specifically Cobalt Strike, which is often followed by harmful ransomware attacks. The final payload delivered to victims is still unknown.

3. The campaign employs misleading titles in Google Search result advertisements to trick users into clicking on unrelated URLs. The titles are more prominent than the URLs, making it easier for people to fall into the trap.

4. Once users click on the ads, a redirection step is employed to filter out certain types of users, such as crawlers, VPNs, and bots. Non-qualifying clicks lead to a decoy site with no malicious content, while legitimate targets are redirected to a fake Notepad++ website.

5. The fake Notepad++ website features download links for various versions of the text editor. When visitors click on these links, a JavaScript snippet performs a system fingerprint check to validate that the visitor isn’t using a sandbox environment.

6. Suitable targets are served an HTA script, which is assigned a unique ID to track their infections. This payload is served only once per victim.

7. The HTA file appeared in a VirusTotal upload from July, indicating its existence prior to the malvertising campaign. The file attempted to connect to a remote domain on a custom port, suggesting its association with a Cobalt Strike deployment.

To avoid downloading malware when searching for software tools, it is recommended to skip promoted results on Google Search and verify that you have landed on the official domain. If unsure, check the project’s “About” page, documentation, Wikipedia page, and official social media channels for verification.

Full Article