This Google Ads Campaign Promotes Malware That Is Undetectable By Your Antivirus Software

Cybersecurity researchers have spotted a new advertising campaign on the Google Ads network that pushes malware onto unsuspecting victims’ endpoints. What makes this malware marketing campaign different from others is the fact that the malware being distributed is almost impossible for today’s antivirus solutions to pick up.

The threat actors made it work by writing code that only virtual machines could understand. If the victims run the malware, the virtual machine can translate the code back to its original code and run the malicious executable.

The researchers, from SentinelLabs, explain the MO: “Virtualization frameworks such as KoiVM obfuscate executables by replacing the original code, such as NET Common Intermediate Language (CIL) instructions, with virtualized code that only the virtualization framework understands.”

Delivering Formbook

“A virtual machine engine executes the virtualized code by translating it into the original code at runtime.”

This type of malware also makes analysis difficult, the researchers added. “When put to malicious use, virtualization makes malware analysis challenging and also represents an attempt to evade static analysis mechanisms.”

The malware being distributed this way is Formbook, a known info-stealer. Its virtualized version was dubbed “MalVirt.” To trick people into downloading the malware, the threat actors created several fake websites, pretending to be landing pages where people could download the Blender 3D software.

Blender 3D is a popular 3D modeling, rendering, and animation program.

This is not the first time Google’s ad network has been abused to deliver malware. In late December last year, researchers spotted a major campaign impersonating several popular programs and applications, such as Grammarly, MSI Afterburner, and Slack, to deliver IceID and Racoon Stealer, both known information-stealing malware.

Malicious campaigns that make their way to Google Ads are arguably more dangerous, as people tend to trust major tech companies by default. Still, the best way to stay safe is to always double-check the address of the website, regardless of whether it’s being advertised on Google or not.

Via: BleepingComputer