Threat actors are using manipulated search results and deceptive Google ads to distribute malware in a campaign that cybersecurity company Securonix tracks as SEO#LURKER. The attackers target users searching for legitimate software such as WinSCP and abuse Google's Dynamic Search Ads to serve malicious ads that send victims first to a compromised WordPress site and from there to a phishing site under the attackers' control.
The attack is multi-staged, with each stage designed to keep the victim convinced they are downloading WinSCP from a real site. Geoblocking on the malware-hosting site suggests a specific focus on victims in the United States.
According to the Securonix researchers, the malicious advertisement redirects users to a compromised WordPress site, gameeweb[.]com, which then forwards them to the attacker-controlled phishing site. Google's Dynamic Search Ads generate ad copy automatically from a site's content; by seeding a site with the right keywords, the attackers get Google to produce and place ads that lead searchers to the infected site.
The ultimate objective is to trick users into downloading malware from a counterfeit WinSCP website, winccp[.]net. To keep the chain looking natural and to frustrate direct inspection, the phishing site checks the HTTP Referer header: a request that arrives through the expected redirect chain gets the fake download page, while a request with the wrong or missing Referer (an analyst or crawler visiting the URL directly, for example) is 'Rickrolled' by being redirected to a Rick Astley YouTube video. Anyone reproducing the chain for analysis therefore needs to replay the request with the Referer the chain would have set.
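The redirect chain above leaves a recognisable pattern in web-proxy logs: a hit on the compromised WordPress site, a hit on the fake WinSCP domain whose Referer is that WordPress site, then the ZIP download; a direct visitor instead shows the fake domain followed by a YouTube request with the fake domain as Referer. The following hunting script, added here as an example rather than anything from Securonix, runs that logic over a constructed proxy log. The log format (timestamp, client, method, URL, status, Referer) and the YouTube hostname are assumptions; the two indicator domains are written undefanged so they can be parsed as hostnames.

```python
"""Hunt a web-proxy log for the SEO#LURKER-style redirect chain.

Added example, not code from Securonix or the campaign. The log lines below
are constructed for this example; the space-separated field layout is an
assumption, not a real proxy's format.
"""
from collections import defaultdict
from urllib.parse import urlsplit

COMPROMISED_SITE = "gameeweb.com"   # compromised WordPress hop (page: gameeweb[.]com)
FAKE_WINSCP = "winccp.net"          # attacker phishing/download site (page: winccp[.]net)
PAYLOAD_NAME = "WinSCP_v.6.1.zip"
RICKROLL_HOST = "www.youtube.com"   # assumption: the Rick Astley video is served from youtube.com

# Constructed proxy log: timestamp client method url status referer ("-" = none)
SAMPLE_LOG = """\
2023-11-10T14:02:11Z 10.0.0.12 GET https://www.google.com/search?q=winscp 200 -
2023-11-10T14:02:13Z 10.0.0.12 GET https://gameeweb.com/?ad=dsa 302 https://www.google.com/
2023-11-10T14:02:14Z 10.0.0.12 GET https://winccp.net/ 200 https://gameeweb.com/
2023-11-10T14:02:20Z 10.0.0.12 GET https://winccp.net/download/WinSCP_v.6.1.zip 200 https://winccp.net/
2023-11-10T14:05:00Z 10.0.0.40 GET https://winccp.net/ 302 -
2023-11-10T14:05:01Z 10.0.0.40 GET https://www.youtube.com/watch?v=example 200 https://winccp.net/
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields."""
    ts, client, method, url, status, referer = line.split()
    return {
        "ts": ts,
        "client": client,
        "method": method,
        "url": url,
        "status": int(status),
        "referer": None if referer == "-" else referer,
    }


def host_of(url):
    """Hostname of a URL, or None when there is no URL (e.g. an absent Referer)."""
    return urlsplit(url).hostname if url else None


def hunt(log_text: str) -> dict:
    """Return, per client IP, the sorted list of chain stages observed.

    Stages:
      contacted_ioc     any request to either indicator domain
      redirect_chain    fake site reached with the compromised site as Referer
      payload_download  the ZIP fetched from the fake site
      rickrolled        YouTube reached with the fake site as Referer (wrong/missing
                        Referer on the fake site, i.e. a direct visit, not a victim)
    """
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_client[rec["client"]].append(rec)

    findings = {}
    for client, requests in by_client.items():
        stages = set()
        for rec in requests:
            h, ref = host_of(rec["url"]), host_of(rec["referer"])
            if h in (COMPROMISED_SITE, FAKE_WINSCP):
                stages.add("contacted_ioc")
            if h == FAKE_WINSCP and ref == COMPROMISED_SITE:
                stages.add("redirect_chain")
            if h == FAKE_WINSCP and urlsplit(rec["url"]).path.endswith(PAYLOAD_NAME):
                stages.add("payload_download")
            if h == RICKROLL_HOST and ref == FAKE_WINSCP:
                stages.add("rickrolled")
        if stages:
            findings[client] = sorted(stages)
    return findings


if __name__ == "__main__":
    for client, stages in hunt(SAMPLE_LOG).items():
        print(client, ", ".join(stages))
```

The "rickrolled" stage is worth keeping as a distinct verdict: a host that only hit the fake domain directly and bounced to YouTube did not receive the download page, so it needs a different follow-up from one that completed the chain and fetched the ZIP.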
In the final stage of the attack the payload is a ZIP file named "WinSCP_v.6.1.zip". It contains a setup executable together with a malicious DLL named python311.dll; when the executable runs, the Windows loader resolves that DLL from the executable's own directory (DLL side-loading), so the attackers' code runs inside a process that looks like a normal installer. The DLL downloads and executes a legitimate WinSCP installer, so the victim sees a real installation while Python scripts are quietly deployed in the background.
These Python scripts, "slv.py" and "wo15.py", establish contact with a remote server controlled by the attackers, who can then run enumeration commands on the host.
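Because the side-loaded DLL launches the genuine installer, dynamic analysis of the ZIP looks much like a normal WinSCP install; static triage of the archive layout is the quicker check. The script below, added here as an example and not code from Securonix, builds a constructed stand-in archive with the shape the article describes (a setup executable beside a python311.dll plus two .py scripts, all with harmless placeholder bytes) and flags the side-loading pairing. The directory layout inside the real ZIP, the python3*.dll name pattern, and the size cap are assumptions.

```python
"""Static triage of a downloaded ZIP for a DLL side-loading layout.

Added example, not the campaign's payload and not Securonix's tooling. The
archive built by build_sample_zip() is constructed in memory with placeholder
bytes so the script runs offline; only the file names follow the article.
"""
import hashlib
import io
import posixpath
import zipfile

MZ = b"MZ"                                  # PE files start with the DOS "MZ" magic
SIDELOAD_DLL_PREFIXES = ("python3",)        # assumption: generalises the page's python311.dll
MAX_MEMBER_BYTES = 256 * 1024 * 1024        # assumption: refuse to inspect absurdly large members


def build_sample_zip() -> bytes:
    """Constructed stand-in for WinSCP_v.6.1.zip: the right shape, no real code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("setup.exe", MZ + b"\x90" * 64)       # fake PE header, not a real binary
        z.writestr("python311.dll", MZ + b"\x00" * 64)   # fake PE header, not a real binary
        z.writestr("slv.py", b"# placeholder\n")
        z.writestr("wo15.py", b"# placeholder\n")
    return buf.getvalue()


def triage(zip_bytes: bytes) -> dict:
    """Inspect archive members without extracting them to disk.

    Returns the archive hash, every member that starts with a PE header, every
    .py script, and each (exe, dll) pair where a python3*.dll sits in the same
    directory as an executable: exactly what a side-loading setup binary needs.
    """
    findings = {
        "sha256": hashlib.sha256(zip_bytes).hexdigest(),
        "pe_files": [],
        "scripts": [],
        "sideload_pairs": [],
        "skipped": [],
    }
    by_dir: dict = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:      # zip-bomb / decompression guard
                findings["skipped"].append(info.filename)
                continue
            with z.open(info) as fh:                   # read only the magic, never the whole member
                is_pe = fh.read(2) == MZ
            directory, name = posixpath.split(info.filename)
            by_dir.setdefault(directory, []).append((name, is_pe))
            if is_pe:
                findings["pe_files"].append(info.filename)
            if posixpath.splitext(name)[1].lower() == ".py":
                findings["scripts"].append(info.filename)

    for directory, members in by_dir.items():
        exes = [n for n, pe in members if pe and n.lower().endswith(".exe")]
        dlls = [n for n, pe in members
                if pe and n.lower().startswith(SIDELOAD_DLL_PREFIXES) and n.lower().endswith(".dll")]
        for exe in exes:
            for dll in dlls:
                findings["sideload_pairs"].append(
                    (posixpath.join(directory, exe), posixpath.join(directory, dll)))

    # An installer that ships its own python3*.dll beside it plus loose .py scripts
    # is the combination the article describes; either alone is weaker evidence.
    findings["suspicious"] = bool(findings["sideload_pairs"]) and bool(findings["scripts"])
    return findings


if __name__ == "__main__":
    report = triage(build_sample_zip())
    print("sha256:", report["sha256"])
    print("side-load candidates:", report["sideload_pairs"])
    print("scripts:", report["scripts"])
    print("suspicious:", report["suspicious"])
```

Reading only the first two bytes through `ZipFile.open` keeps the check cheap and avoids decompressing a hostile member in full; the size cap is there for the same reason. On a real sample the next steps would be hashing and submitting the individual PE members, not just the archive, since the ZIP hash changes trivially between builds.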
The attackers' abuse of Google Ads to distribute malware points to a targeted approach, aimed specifically at users looking for WinSCP, and the geoblocking reinforces the presumption that victims in the U.S. are the primary targets.