“Fraudulent Slack Ad Highlights Malvertiser’s Patience and Expertise”

Malvertisers exploited Google search ads to deliver a Slack-themed campaign that cloaks content and uses click tracking to evade detection. Malwarebytes linked the malicious activity to SecTopRAT infrastructure, reported it to Google, and highlighted the importance of contextual detection. #Slack #SecTopRAT #Malvertising #GoogleAds #Cloudflare #Cloaking #ClickTracker

Keypoints

  • Nearly 500 unique malvertising incidents related to Google search ads reported in the past year.
  • Attackers employ stealth tactics to bypass security controls, including cloaking and “cooking” ads before weaponization.
  • A suspicious Slack ad appeared in Google search results; at first its landing page resolved to Slack’s official site, so the ad looked clean to a reviewer.
  • The advertiser account’s other ads promoted products aimed at the Asian market, an inconsistency with a Slack ad that raised suspicion.
  • Once weaponized, the ad’s final URL passed through a click tracker and a cloaking domain before landing on decoy pages impersonating Slack’s download page.
  • The payload connects to a server associated with SecTopRAT; the same infrastructure was seen in prior malvertising campaigns (e.g., NordVPN impersonation).
  • Malwarebytes improved its detection and reported the campaign; Google and Cloudflare flagged the ad and the hosting, which helped mitigate it. Key IOCs are the click-tracker redirect, the cloaking domain, the decoy sites, the payload host, the file hash, and the C2 IP.

MITRE Techniques

  • [T1566] Phishing – Malicious ads impersonating a legitimate service (Slack) to lure victims to a fake download page.
  • [T1071] Application Layer Protocol (Command and Control) – The dropped payload connects to a remote server for follow-on delivery and control.
  • [T1003] OS Credential Dumping – Listed for the RAT’s stealer capabilities; note that theft of browser and application credential stores is more precisely T1555 (Credentials from Password Stores).
  • [T1027] Obfuscated Files or Information – Listed for the cloaking that hides the malicious landing page from reviewers and crawlers; cloaking is an infrastructure-side evasion rather than file obfuscation, so treat this mapping as approximate.

Indicators of Compromise

  • [Domain] Click-tracker redirect – slacklink.sng.link
  • [Domain] Cloaking – haiersi.com
  • [Domain] Decoy sites – slack-windows-download.com, slack-download-for-windows.com
  • [Domain] Payload download – zoom2024.online
  • [SHA256] File hash – 59e5e07ffa53ad721bc6b4c2ef435e08ae5b1286cda51415303978da474032d2
  • [IP] C2 server – 45.141.87.218
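The redirect chain in the Keypoints (click tracker, cloaking domain, decoy page, payload host, C2) is only convincing when all of its stages are seen from the same client in that order, so a practical sweep groups hits per client rather than alerting on single domains. The script below is an added example written for this page, not code from Malwarebytes; it matches the IOCs listed above against web-proxy log lines. The log lines and the field layout (timestamp, client IP, method, URL, status, SHA256 of the response body) are constructed for illustration and are not from the report.

```python
"""Sweep proxy logs for the Slack-themed malvertising chain (added example).

Indicators are the ones listed in the IOC section. The SAMPLE_LOG lines and
their layout (ts client method url status sha256) are constructed, not real.
"""
from collections import defaultdict
from urllib.parse import urlsplit

IOC_DOMAINS = {
    "slacklink.sng.link": "click tracker",
    "haiersi.com": "cloaking",
    "slack-windows-download.com": "decoy",
    "slack-download-for-windows.com": "decoy",
    "zoom2024.online": "payload",
}
IOC_HASHES = {
    "59e5e07ffa53ad721bc6b4c2ef435e08ae5b1286cda51415303978da474032d2": "payload",
}
IOC_IPS = {"45.141.87.218": "c2"}

# Order in which the stages were observed; a client that walks the whole
# chain is a far stronger signal than any single indicator on its own.
CHAIN_ORDER = ["click tracker", "cloaking", "decoy", "payload", "c2"]

# Constructed sample lines (assumed format): ts client method url status sha256
SAMPLE_LOG = """\
2024-08-06T09:12:01Z 10.0.0.7 GET https://www.google.com/search?q=slack 200 -
2024-08-06T09:12:04Z 10.0.0.7 GET https://slacklink.sng.link/Ad?cid=123 302 -
2024-08-06T09:12:05Z 10.0.0.7 GET https://www.haiersi.com/?gclid=abc 302 -
2024-08-06T09:12:06Z 10.0.0.7 GET https://slack-windows-download.com/ 200 -
2024-08-06T09:12:20Z 10.0.0.7 GET https://zoom2024.online/SlackSetup.exe 200 59e5e07ffa53ad721bc6b4c2ef435e08ae5b1286cda51415303978da474032d2
2024-08-06T09:12:41Z 10.0.0.7 CONNECT 45.141.87.218:443 200 -
2024-08-06T09:13:00Z 10.0.0.9 GET https://slack.com/downloads/windows 200 -
2024-08-06T09:13:30Z 10.0.0.9 GET https://example-sng.link/other 200 -
"""


def host_of(url: str) -> str:
    """Lowercase hostname of a URL, or of a bare host:port as seen in CONNECT lines."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()


def match_domain(host: str):
    """Exact or subdomain match against IOC_DOMAINS.

    www.haiersi.com hits haiersi.com; example-sng.link must not hit sng.link
    entries, so only a dot-separated suffix counts, never a plain substring.
    """
    for ioc, role in IOC_DOMAINS.items():
        if host == ioc or host.endswith("." + ioc):
            return ioc, role
    return None


def classify(line: str):
    """Return (indicator, role) if the line touches an IOC, else None."""
    parts = line.split()
    if len(parts) < 6:
        return None
    _ts, _client, _method, url, _status, sha = parts[:6]
    host = host_of(url)
    if host in IOC_IPS:
        return host, IOC_IPS[host]
    hit = match_domain(host)
    if hit:
        return hit
    if sha in IOC_HASHES:          # payload fetched from an unlisted host
        return sha, IOC_HASHES[sha]
    return None


def sweep(log_text: str):
    """Group IOC hits per client and flag clients that walked the full chain in order."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        hit = classify(line)
        if hit:
            per_client[parts[1]].append(hit)
    report = {}
    for client, hits in per_client.items():
        stages = []
        for _, role in hits:       # first-seen order, deduplicated
            if role in CHAIN_ORDER and role not in stages:
                stages.append(role)
        report[client] = {"hits": hits, "full_chain": stages == CHAIN_ORDER}
    return report


if __name__ == "__main__":
    for client, info in sweep(SAMPLE_LOG).items():
        print(client, "FULL CHAIN" if info["full_chain"] else "partial", info["hits"])
```

The hash check is deliberately last: if the payload is re-hosted on a domain not yet in the list, the SHA256 still catches the download, and the subdomain matcher keeps look-alike domains such as example-sng.link from producing false positives. In a real deployment the IOC dictionaries would be loaded from a feed rather than hard-coded.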

Read more: https://www.malwarebytes.com/blog/cybercrime/2024/08/fraudulent-slack-ad-shows-malvertisers-patience-and-skills