Malvertising via Google Dynamic Search Ads exploited a compromised website to indirectly deliver malware to visitors. An auto-generated ad for PyCharm directed users to a hacked page that unleashed a malware bundle after downloading a serial-key installer.
#PyCharm #JetBrains #DynamicSearchAds #Malvertising #MalwareBonanza
Key points
- Malvertising occurred due to a compromised website combined with Google Dynamic Search Ads that auto-generated an ad for PyCharm.
- Clicking the ad redirected users to a hacked page with an overlay and a link promising a serial key, which led to malware installation.
- The compromised wedding-planning site injected malware into pages, altering titles and presenting spammy overlays.
- Google Ads dynamically generated the ad from the hacked page, making the site owner an unintended intermediary funding their own malicious ad.
- Downloading the provided installer triggered a "malware bonanza," delivering over a dozen payloads to the infected machines.
- Malwarebytes detected all payloads; a long list of download URLs and domains/IPs served as indicators of compromise.
MITRE Techniques
- [T1189] Drive-by Compromise: The attack leverages a compromised website to generate and serve malicious ads via Dynamic Search Ads; "What happened here is Google Ads dynamically generated this ad from the hacked page, which makes the website owner an unintentional intermediary and victim paying for their own malicious ad."
- [T1204.001] Malicious Link: Users are redirected from the ad to the compromised page where an overlay links to download a serial key; "From there, they will be redirected to the compromised page showing the overlay with the link to download the serial key."
- [T1204.002] Malicious File: The installer download leads to a malware pile; "Running this installer will result in a deluge of malware infections the like we have only seen on rare occasions, rendering the computer completely unusable."
Indicators of Compromise
- [Domain]: eplangocview[.]com, roberthamilton[.]top
- [IP Address]: 109[.]107[.]182[.]2, 171[.]22[.]28[.]226
- [URL]: eplangocview[.]com/wp-download/File.7z, roberthamilton[.]top/timeSync[.]exe
- [File name]: timeSync.exe, setup294[.]exe
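Added example (not code from the report): refanging the defanged indicators above and matching them against proxy log lines, so the list can be run as a retrospective detection check. The log format and the sample log lines are constructed assumptions.

```python
import re

# Indicators as listed on the page, kept in their defanged form.
DEFANGED_IOCS = {
    "domain": ["eplangocview[.]com", "roberthamilton[.]top"],
    "ip": ["109[.]107[.]182[.]2", "171[.]22[.]28[.]226"],
    "url": ["eplangocview[.]com/wp-download/File.7z",
            "roberthamilton[.]top/timeSync[.]exe"],
    "filename": ["timeSync.exe", "setup294[.]exe"],
}

# Constructed sample proxy log (assumed format: ts client method url status bytes).
SAMPLE_PROXY_LOG = """\
2023-10-12T09:14:02Z 10.0.0.15 GET http://eplangocview.com/wp-download/File.7z 200 5482331
2023-10-12T09:14:40Z 10.0.0.15 GET http://roberthamilton.top/timeSync.exe 200 1203444
2023-10-12T09:15:01Z 10.0.0.22 GET https://www.jetbrains.com/pycharm/download/ 200 88213
2023-10-12T09:16:13Z 10.0.0.31 GET http://171.22.28.226/setup294.exe 200 3011220
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) "
                    r"(?P<url>\S+) (?P<status>\d+) (?P<bytes>\d+)$")


def refang(value: str) -> str:
    """Undo the common defanging conventions so the value is comparable to real traffic."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def build_ioc_index(defanged: dict) -> dict:
    """Refanged, lower-cased lookup sets per indicator type."""
    return {kind: {refang(v).lower() for v in vals} for kind, vals in defanged.items()}


def match_line(line: str, index: dict) -> list:
    """Return (kind, value) hits for one log line; empty list if nothing matches."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    url = m.group("url").lower()
    no_scheme = url.split("://", 1)[-1]            # host/path without scheme
    host = no_scheme.split("/", 1)[0].split(":")[0]  # strip path and port
    tail = no_scheme.rsplit("/", 1)[-1]              # last path segment (file name)
    hits = []
    if host in index["domain"]:
        hits.append(("domain", host))
    if host in index["ip"]:
        hits.append(("ip", host))
    if no_scheme in index["url"]:
        hits.append(("url", no_scheme))
    if tail in index["filename"]:
        hits.append(("filename", tail))
    return hits


def scan_log(text: str, index: dict) -> list:
    """Return (client, url, hits) for every line that touches a known indicator."""
    flagged = []
    for line in text.splitlines():
        hits = match_line(line, index)
        if hits:
            flagged.append((LOG_RE.match(line)["client"], LOG_RE.match(line)["url"], hits))
    return flagged
```

Host, full URL and file-name matches are reported separately so a hit on a renamed payload or a new path on the same host is still surfaced.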