From Google Ads Abuse to a Massive Spear-Phishing Campaign Impersonating Spain’s Tax Agency

BlackBerry Threat Research tracks two parallel campaigns using the same infrastructure: a Google Ads malvertising campaign pushing fake software (Vidar and IcedID) and a massive spear-phishing campaign impersonating Spain’s tax agency AEAT to harvest credentials. The operations rely on typosquatting, geofenced targeting, and staged domain redirections to reach Spain-based targets.

Key Points

  • Two parallel campaigns shared the same infrastructure but served different purposes (malware distribution vs. credential harvesting).
  • First campaign uses Google Ads to promote fake versions of legitimate software (AnyDesk, LibreOffice, TeamViewer, Brave, etc.) and redirect users to malicious sites.
  • Malware families Vidar (infostealer) and IcedID (banking Trojan/RAT) are observed in the Google Ads campaign; a separate spear-phishing campaign targets Spain’s AEAT without involving Vidar/IcedID.
  • Campaigns leverage typosquatting and a proxy infrastructure, with domains registered under shared IPs and registrars to evade detection.
  • The Spain-focused campaign uses spear-phishing emails with malicious links, geofencing to Spain, and multi-stage redirections to fake AEAT portals.
  • Appendix details MITRE mappings, IoCs (domains, IPs, hashes), and a phased attack lifecycle (Phase 1–4) leading to credential capture and possible initial access brokering.

MITRE Techniques

  • [T1583.001] Acquire Infrastructure – Threat actors acquire infrastructure and domains for use during the campaign, including typosquatting domains registered to host fake sites. ‘Typosquatting is when an attacker banks on users misspelling a web address … The threat actors register misspelled domain names and then use them to host fake sites that look just like the real ones, but which actually contain malware.’
  • [T1190] Exploit Public-Facing Application – Threat actors exploited web servers and used them as the sending hosts for the phishing emails. ‘Web servers were exploited to send emails from those servers.’
  • [T1566.002] Phishing: Spearphishing Link – Phishing emails delivered to victims carried one or two distinct malicious links. ‘Emails sent to the victims with one or two different links.’
  • [T1132] Data Encoding – Threat actors base64-encoded the victim’s email address into the phishing URL. ‘Threat actors used base64 to encode the email victim in the URL.’

Indicators of Compromise

  • [Domain] Tier 1 Infrastructure – madridestepona[.]com, malagacostadesol[.]com, and other registered domains used to redirect victims to Tier 2; context: domains contained in spear-phishing emails to redirect to final malicious sites.
  • [Domain] Tier 2 Infrastructure – agenciatributaria[.]pub, agenciatributaria[.]live, agenciatributaria[.]app; context: domains hosting fake AEAT content.
  • [IPv4] X-PHP-Script header IPs – 46.173.218[.]229, 46.173.218[.]225; context: resolution of Tier 1/2 domains and Google Ads infrastructure.
  • [IPv4] Additional observed IPs – 2.136.9[.]194, 172.64.236[.]102, 79.148.230[.]190, 88.7.50[.]147; context: IPs appearing in X-PHP-Script headers or network artifacts.
  • [SHA256] PoC hash – B3BD1659049B6B7023128FEC96F5CCAC4C000214B26FF1A3C4C964AC59A32210; context: PoC discovered in compromised webserver exploiting CVE-2021-4034.
  • [URL path] Tier 1 infrastructure paths – /recovery/store.php?, /anuncio/update.php?, /data/entry.php?; context: patterns in Tier 1 paths observed.
  • [Domain] Tier 1/2 domain patterns – many domains contain city names (Madrid, Barcelona, Malaga) or AEAT-related terms; context: used for typosquatting and redirection.
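The following is an added detection example, not code from the BlackBerry report. It turns two of the observations above into a log check: the Tier 1 path patterns and Tier 2 domains listed in the IoCs, and the base64-encoded victim email carried in the URL (T1132). Given proxy log lines (constructed here, in an assumed `timestamp client_ip method url status` shape) it flags URLs that hit the listed infrastructure and, for Tier 1 hits, tries to decode each query key or value as base64 to recover the targeted mailbox, which lets a defender map which internal users were targeted. The exact query parameter name used by the campaign is not stated on the page, so the decoder inspects every key and value rather than assuming one; sample hostnames and the email in the sample lines are placeholders. It also extracts IPv4 addresses from an `X-PHP-Script` header value and matches them against the reported IPs, without assuming a particular header layout.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, parse_qs

# IoCs taken from the report above.
TIER1_DOMAINS = {"madridestepona.com", "malagacostadesol.com"}
TIER1_PATHS = ("/recovery/store.php", "/anuncio/update.php", "/data/entry.php")
TIER2_DOMAINS = {"agenciatributaria.pub", "agenciatributaria.live", "agenciatributaria.app"}
IOC_IPS = {"46.173.218.229", "46.173.218.225", "2.136.9.194",
           "172.64.236.102", "79.148.230.190", "88.7.50.147"}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def decode_b64_email(value):
    """Decode a base64 fragment and return it only if it looks like an email address."""
    padded = value + "=" * (-len(value) % 4)  # restore padding stripped by URL handling
    try:
        decoded = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return decoded if EMAIL_RE.match(decoded) else None


def classify_url(url):
    """Classify a URL against the reported infrastructure and recover any encoded victim email."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    result = {"url": url, "tier": None, "victim_email": None}
    if host in TIER2_DOMAINS:
        result["tier"] = 2
    elif host in TIER1_DOMAINS or parts.path.startswith(TIER1_PATHS):
        result["tier"] = 1
    if result["tier"] == 1:
        # A bare "?<base64>" query parses as a key with a "=" value, so check keys too.
        for key, values in parse_qs(parts.query, keep_blank_values=True).items():
            for candidate in [key, *values]:
                email = decode_b64_email(candidate)
                if email:
                    result["victim_email"] = email
    return result


def scan_proxy_log(lines):
    """Return hits for log lines whose URL touches the campaign infrastructure."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:  # assumed shape: timestamp client_ip method url status
            continue
        r = classify_url(fields[3])
        if r["tier"]:
            r["client_ip"] = fields[1]
            hits.append(r)
    return hits


def ioc_ips_in_header(header_value):
    """Return reported IPs that appear anywhere in an X-PHP-Script header value."""
    return sorted(set(IPV4_RE.findall(header_value)) & IOC_IPS)


# Constructed sample log lines; "user@example.com" base64-encodes to dXNlckBleGFtcGxlLmNvbQ==
SAMPLE_LOG = [
    "2023-04-01T09:00:00Z 10.0.0.5 GET http://madridestepona.com/recovery/store.php?dXNlckBleGFtcGxlLmNvbQ== 302",
    "2023-04-01T09:00:02Z 10.0.0.5 GET http://lookalike.example/anuncio/update.php?u=dXNlckBleGFtcGxlLmNvbQ%3D%3D 302",
    "2023-04-01T09:00:03Z 10.0.0.5 GET https://agenciatributaria.pub/ 200",
    "2023-04-01T09:01:00Z 10.0.0.7 GET https://www.example.com/index.html 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
    print(ioc_ips_in_header("constructed-host.example/mail.php for 46.173.218.229"))
```

Running the block over the constructed lines reports two Tier 1 hits that both resolve the targeted address to `user@example.com`, one Tier 2 hit, and no alert for the benign line; feeding it a real proxy export only requires adapting the field positions in `scan_proxy_log`.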

Read more: https://blogs.blackberry.com/en/2023/04/massive-spear-phishing-campaign-impersonating-spain-tax-agency