Two sentences: Malvertising campaigns on Google Ads promoted fake pages mimicking Blender 3D and other software to deliver stealers such as RedLine and Rhadamanthys. The dropper uses a pre-installer and a multi-stage loader that downloads, decrypts and executes a payload in memory, then injects the final stealer into a legitimate process (aspnet_compiler.exe). Hashtags: #RedLine #Rhadamanthys #Blender3D #Notepadplusplus #AMD #Unity #MediaFire #GitHub
Keypoints
- Attackers use Google Ads to promote fake pages that mimic legitimate software (Blender 3D and AMD drivers) to lure victims.
- Domain spoofing techniques (typosquatting and combosquatting) create decoy sites with names similar to real vendors to deceive users.
- The promoted fake pages often differ from the real site only in the TLD and copy its look, which raises click-through rates.
- The infection is multi-stage: the downloaded archive contains a loader and a Blender MSI, and the pre-installer runs the MSI as cover so the victim sees the expected software install.
- The loader uses PowerShell to fetch and decrypt a payload, executes it in memory, and then injects the final payload into aspnet_compiler.exe, a signed Microsoft binary abused as a LOLBAS injection target.
- The final payload is a RedLine stealer split across embedded resources and loaded in memory after AES decryption and gzip decompression.
- Infrastructure relies on over 50 deceptive domains resolving to a single IP (e.g., 91.229.23[.]200) to serve the decoy pages, while the malicious archives are hosted on file-sharing services (MediaFire, GitHub).
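The domain-spoofing keypoints above (typosquatting, combosquatting, TLD swaps) can be turned into a triage check for candidate domains. The following is an added example, not code from the original article or from Kaspersky: the brand list, the list of known-good vendor domains, the combosquatting verdict names and the distance thresholds are assumptions chosen for illustration, and the registrable-label extraction ignores multi-part public suffixes such as co.uk.

```python
import re

# Constructed brand labels matching the vendors the campaign impersonated (assumption).
BRANDS = ["blender", "afterburner", "tradingview", "unity", "notepad"]
# Constructed allow-list of genuine vendor domains; in practice load this from CMDB/threat intel.
LEGIT_DOMAINS = {"blender.org", "amd.com", "tradingview.com", "unity.com", "notepad-plus-plus.org"}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) used for typosquat matching."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Label left of the TLD; naive split, no public-suffix list (assumption)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain: str):
    """Return (verdict, brand) for a domain.

    verdicts: legitimate, tld-swap (brand label, wrong TLD), typosquatting
    (single label within edit distance of a brand), combosquatting (brand or
    near-brand combined with extra tokens such as -software / -download), unrelated.
    """
    domain = domain.lower().rstrip(".")
    if domain in LEGIT_DOMAINS:
        return ("legitimate", next((b for b in BRANDS if b in domain), None))
    label = registrable_label(domain)
    # Split on digits/hyphens: "blender3d-software" -> ["blender", "d", "software"].
    pieces = [p for p in re.split(r"[^a-z]+", label) if p]
    tokens = [p for p in pieces if len(p) >= 3]  # drop noise fragments like "d"
    single = len(pieces) == 1
    for brand in BRANDS:
        threshold = max(1, len(brand) // 5)  # allow ~1 typo per 5 chars (assumption)
        for tok in tokens:
            d = levenshtein(tok, brand)
            if d > threshold:
                continue
            if single:
                return ("tld-swap" if d == 0 else "typosquatting", brand)
            return ("combosquatting", brand)
    return ("unrelated", None)


def triage(domains):
    """Map each candidate domain to its verdict; handy over a passive-DNS or certstream feed."""
    return {d: classify(d) for d in domains}


if __name__ == "__main__":
    # Decoy domains named in the report plus a few constructed controls.
    for dom, verdict in triage([
        "blender3d-software.net", "afterburner-software.org",
        "tradingviews-software.org", "unity-download.com",
        "blender.org", "blender.net", "bllender.org", "example.com",
    ]).items():
        print(f"{dom:28} {verdict}")
```

The two-token case is what makes the report's domains stand out: every one of them pairs a vendor name (or a one-letter variant of it, as in tradingviews) with a download-flavoured suffix, so a brand-plus-token rule catches them even when the edit distance from the brand alone would be too large.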
MITRE Techniques
- [T1189] Drive-by Compromise – Malvertising chains push fake pages via ads to trap users into downloading malware. ‘Google ads promoting fake pages for AMD drivers and the Blender 3D software.’
- [T1583.001] Acquire Infrastructure – Domains – Threat actors register deceptive domain names that mimic real software sites. ‘The threat actors register deceptive domain names, such as blender3d-software.net or blender3d-software.org.’
- [T1036] Masquerading – Fake pages look like legitimate software, masking malicious intent. ‘The design and the content of the fake web pages look the same as those of the original ones.’
- [T1059.001] PowerShell – The loader launches and manipulates PowerShell to run commands. ‘the loader runs a new powershell.exe process and manipulates it to execute numerous PowerShell commands.’
- [T1105] Ingress Tool Transfer – The payload is downloaded from a remote URL during the PowerShell sequence. ‘Download string data, which is part of the following URL, namely the name of the file: http[:]//45.93.201[.]114/docs/[RandomChars].txt’
- [T1140] Deobfuscation/Decoding – The payload is decrypted and decompressed before execution. ‘Prepare the decryption method, AES-CBC’ and ‘Decrypt the data into a Gzip-compressed binary.’
- [T1055] Process Injection – The final payload is injected into a legitimate process (aspnet_compiler.exe). ‘the dropper starts a legitimate process named “aspnet_compiler.exe”… injects the payload into it.’
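The T1059.001, T1105 and T1055 entries above describe one process tree: a loader running from the user's download location spawns powershell.exe to fetch and decrypt the payload, then starts aspnet_compiler.exe as an injection target. The following is an added detection example, not code from the original article or from Kaspersky; the Sysmon-style event records are constructed, the loader file name Installer.exe is an assumption, and the allow-list of parents that legitimately launch aspnet_compiler.exe is an assumption to tune per estate.

```python
from collections import defaultdict

# Constructed Sysmon EventID 1-style records, trimmed to the fields the rules need.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # Loader extracted from the fake Blender archive (file name is an assumption).
    {"pid": 200, "ppid": 100, "image": r"C:\Users\alice\Downloads\blender-3.4.1-windows-x64\Installer.exe",
     "cmdline": "Installer.exe"},
    # Decoy Blender MSI run by the pre-installer as cover.
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\msiexec.exe", "cmdline": "msiexec.exe /i blender.msi /qn"},
    # PowerShell spawned by the loader to download and decrypt the payload.
    {"pid": 400, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden"},
    # aspnet_compiler.exe started by the loader as an injection target.
    {"pid": 500, "ppid": 200, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe",
     "cmdline": "aspnet_compiler.exe"},
    # Benign control: Visual Studio precompiling a web project.
    {"pid": 600, "ppid": 100, "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "cmdline": "devenv.exe"},
    {"pid": 700, "ppid": 600, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe",
     "cmdline": "aspnet_compiler.exe -v / -p C:\\proj"},
    # Benign control: user opens an interactive shell from Explorer.
    {"pid": 800, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
]

# Parents that legitimately launch aspnet_compiler.exe (assumed allow-list).
EXPECTED_ASPNET_PARENTS = {"devenv.exe", "msbuild.exe", "aspnet_compiler.exe"}
# Locations a standard user can write to; a parent living here is the loader candidate.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def ancestors(pid, by_pid):
    """Yield parent, grandparent, ... until the tree runs out (cycle-safe)."""
    seen = set()
    cur = by_pid.get(pid)
    while cur and cur["ppid"] in by_pid and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        cur = by_pid[cur["ppid"]]
        yield cur


def suspicious_root(ev, by_pid):
    """PID of the nearest process (self or ancestor) running from a user-writable path."""
    for rec in [ev, *ancestors(ev["pid"], by_pid)]:
        if in_user_writable(rec["image"]):
            return rec["pid"]
    return None


def detect(events):
    """Apply two per-process rules; each alert carries the user-writable root for correlation."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for ev in events:
        name = basename(ev["image"])
        parent = by_pid.get(ev["ppid"])
        parent_name = basename(parent["image"]) if parent else None
        if name == "aspnet_compiler.exe" and parent_name not in EXPECTED_ASPNET_PARENTS:
            alerts.append({"rule": "aspnet_compiler_unexpected_parent", "pid": ev["pid"],
                           "root": suspicious_root(ev, by_pid)})
        if name == "powershell.exe" and parent and in_user_writable(parent["image"]):
            alerts.append({"rule": "powershell_from_user_writable_parent", "pid": ev["pid"],
                           "root": suspicious_root(ev, by_pid)})
    return alerts


def correlate(alerts):
    """Roots that triggered two distinct rules: the loader-chain pattern from the report."""
    chains = defaultdict(set)
    for a in alerts:
        if a["root"] is not None:
            chains[a["root"]].add(a["rule"])
    return {root: sorted(rules) for root, rules in chains.items() if len(rules) >= 2}


if __name__ == "__main__":
    found = detect(EVENTS)
    for a in found:
        print(a)
    print("loader chains:", correlate(found))
```

Each rule alone is noisy on a developer workstation; the correlation step is what makes it usable, because a single user-writable binary that both spawns PowerShell and launches aspnet_compiler.exe has no ordinary explanation. Add the T1105 download string (the .txt fetch from the C2) from PowerShell script-block logging as a third rule on the same root when that telemetry is available.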
Indicators of Compromise
- [IP] 91.229.23[.]200 – hosts the decoy pages; over 50 deceptive domains resolve to it.
- [Domain] blender3d-software[.]net, blender3d-software[.]org – decoy domains mimicking the Blender 3D download site.
- [Domain] afterburner-software[.]org, tradingviews-software[.]org, unity-download[.]com – additional decoy domains on the same infrastructure.
- [URL] http[:]//45.93.201[.]114/docs/[RandomChars].txt – remote URL from which the PowerShell stage fetches the payload data.
- [MD5] E0BDF36E4A7CF1B332DC42FD8914BA8B – archive blender-3.4.1-windows-x64.zip downloaded by the user.
- [MD5] BBA8AA93FCDDA5AC7663E90C0EEFA2E7 – loader extracted from the archive.
- [File] blender-3.4.1-windows-x64.zip – archive served to the victim; contains the loader and a Blender MSI.
Read more: https://securelist.com/malvertising-through-search-engines/108996/