Cybersecurity researchers at Malwarebytes have uncovered a malicious campaign exploiting Google Ads to distribute a tampered version of the popular CPU-Z tool, carrying the Redline info-stealing malware.
Furthermore, this operation, identified by the analysts, shares similarities with a previous one that utilized Notepad++ malvertising for deploying malicious payloads. The attackers host the deceptive Google advertisement for the trojanized CPU-Z on a cloned copy of the legitimate Windows news site WindowsReport, adding an extra layer of trust to the infection process. Clicking the ad initiates a series of redirection steps, and users deemed valid for payload reception are directed to a Windows news site lookalike on various domains.
Additionally, the campaign intricately uses the cloned site to deceive users, leveraging their trust in tech news sites for downloading useful utilities. By clicking the ‘Download now’ button, victims unknowingly receive a digitally-signed CPU-Z installer (MSI file) containing a malicious PowerShell script identified as the ‘FakeBat’ malware loader.
At the same time, the signed installer helps evade detection by Windows security tools and third-party antivirus products, enhancing the attack’s success. The loader fetches a Redline Stealer payload from a remote URL, enabling the threat actors to collect sensitive data, including passwords, cookies, and cryptocurrency wallet information. Users are advised to exercise caution when clicking on promoted Google search results and consider using ad-blockers for enhanced security against such deceptive campaigns.