Overview
The rise of malvertising has led to an alarming increase in the number of fraudulent ads targeting unsuspecting users on widely used platforms like Google. These deceptive ads, often appearing legitimate, hide malicious intent and can lead to malware infections, data theft, and system compromise. One particularly sophisticated example of such an attack involved fraudulent Slack ads that were designed to lure users into clicking on links that ultimately redirected them to malicious sites. What sets this campaign apart is the patience and technical expertise demonstrated by the threat actors behind it, as well as their ability to circumvent typical security defenses.
For several days, a seemingly innocent ad for Slack appeared at the top of Google search results, often above the legitimate Slack website. Initially, clicking on the ad only redirected users to Slack’s official site, leading many to assume the ad was benign. However, closer scrutiny revealed a suspicious pattern: the advertiser’s account was promoting products seemingly targeting the Asian market, with the Slack ad appearing incongruously in the middle. This raised concerns about the legitimacy of the ad and hinted at a possible compromise of the advertiser’s account. The situation escalated as the ad behavior changed, eventually redirecting users to a click tracker before reaching its final malicious destination.
This campaign is a prime example of how threat actors use slow cooking tactics, gradually changing the ad’s behavior to evade detection and ensure that it does not immediately trigger red flags. By the time the malicious payload was delivered, the ad had undergone several stages of cloaking and redirection, making it extremely difficult to trace. The attackers took advantage of vulnerabilities in the Google ad ecosystem, using click trackers and cloaking mechanisms to mask the final malicious destination. Once the user was successfully tricked into interacting with the ad, they were redirected to a page designed to impersonate Slack and trick them into downloading malware.
Targets
Information
Individuals
How they operate
The Setup: Contextual Ad Placement and Initial Observations
The campaign began with a seemingly legitimate ad for Slack, strategically placed at the top of Google search results for the term “Slack.” At this stage, clicking the ad redirected users to the official Slack website. This harmless behavior, known as “slow cooking,” is a common tactic employed by threat actors to establish legitimacy and avoid immediate detection by automated systems or manual reviews.
Further analysis revealed anomalies in the advertiser’s account. While most ads targeted products for the Asian market, the Slack ad appeared out of context. This inconsistency raised suspicions of a compromised advertiser account being used to host the malicious campaign. The ad exploited Google’s built-in ad transparency features, providing misleading legitimacy while evading detection.
Cloaking Mechanisms and Delivery Chains
As the campaign matured, the ad’s behavior shifted. Clicking the ad now initiated a series of redirections starting with a click tracker. These trackers, a legitimate feature in online advertising, were abused to obfuscate the ad’s final destination. After passing through one or more click trackers, users were redirected to a domain resembling Slack, such as slack-windows-download[.]com.
Initially, this domain displayed a decoy page with no apparent malicious content. However, the attackers implemented cloaking—a technique that serves different content based on specific conditions, such as the visitor’s IP address, browser settings, or geolocation. When the campaign was fully weaponized, the cloaking mechanism selectively redirected certain users to a malicious page mimicking Slack’s download page. This page hosted a fake download button designed to deliver a malware payload.
Malware Delivery and Payload Analysis
Upon clicking the download button, users unwittingly initiated the download of a malware binary hosted on a different domain. The malware was delivered using a key-based request mechanism, ensuring that only users who traversed the entire ad delivery chain could access the payload. This layered approach added another level of obfuscation, making it challenging for security researchers to analyze the attack.
Dynamic analysis of the downloaded file revealed that it established a remote connection to a known command-and-control (C2) server, previously associated with SecTopRAT—a remote access Trojan (RAT) with data-stealing capabilities. This malware enabled the attackers to gain unauthorized access to infected systems, exfiltrate sensitive data, and potentially execute further malicious actions.
Exploiting Ad Ecosystem Weaknesses
The attackers exploited inherent weaknesses in the Google ad ecosystem. By leveraging click trackers and cloaking, they effectively blinded Google and intermediary trackers to the true nature of the campaign. These techniques created a multi-layered delivery chain that required advanced tooling and contextual analysis to uncover. The use of a compromised advertiser account further added to the complexity, enabling the attackers to blend malicious activity with legitimate ad traffic.
References:
