Google ad traffic leads to stealer packages based on free software

Google ad traffic redirected users to a fake TeamViewer page that delivered malware via a JavaScript downloader and a chain of Windows Installer (MSI) packages. The infection bundled legitimate-looking software components (IrfanView, AutoHotkey) with a persistent VBScript that communicated with multiple command and control servers while constantly shifting domains and hosts. #TeamViewer #IcedID #Gozi #TerminalAppService

Keypoints

  • Google ad traffic led users from a legitimate-looking page to a fake TeamViewer site, triggering malware delivery.
  • The fake page downloaded a JavaScript file (TeamViewer_Setup.js) that retrieved an MSI package only when specific HTTP headers were present.
  • The MSI package contained a VBScript (Terminal App Service.vbs) that persisted via shortcuts in the Startup folder and communicated with a C2 server.
  • The VBScript exfiltrated a desktop screenshot and used HTTP requests to contact 46.151.24.226 as part of C2 activity.
  • A second MSI package installed IrfanView and AutoHotkey, then contacted a second C2 server at 185.163.45.221, sometimes delivering additional scripts.
  • The infection artifacts included multiple domains and IPs that frequently changed, complicating detection, with several SHA-256 hashes listed for the malicious files.
  • Practical takeaways include treating files named [software name]_Setup.js or [software name]_Install.js as likely fake installers, and treating unencrypted HTTP traffic sent directly to an IP address (rather than a hostname) as a red flag.
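As an added example (not code from the diary), the following Python detector applies the two takeaways above to constructed proxy-log lines, and adds a third check for repeated GETs to one IP literal within a minute, which mirrors the polling behaviour the diary describes. The hostnames, IPs and timestamps in the sample log are invented.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample proxy log: "<ISO timestamp> <method> <URL>" per line (not from the diary).
SAMPLE_LOG = """\
2022-12-01T10:00:01 GET https://redirect.example.test/teamviewer
2022-12-01T10:00:03 GET https://redirect.example.test/z1/TeamViewer_Setup.js
2022-12-01T10:00:09 GET https://download.example.test/csw/ke.msi
2022-12-01T10:01:00 GET http://203.0.113.10/
2022-12-01T10:01:12 GET http://203.0.113.10/
2022-12-01T10:01:25 POST http://198.51.100.7/
2022-12-01T10:01:40 GET http://203.0.113.10/
2022-12-01T10:02:05 GET https://www.example.test/index.html
"""

# Takeaway 1: "<software name>_Setup.js" / "<software name>_Install.js" file names.
FAKE_INSTALLER = re.compile(r"^[A-Za-z0-9]+_(Setup|Install)\.js$", re.IGNORECASE)


def is_ip_literal(host):
    """True when the URL host is a bare IPv4/IPv6 address rather than a hostname."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def parse_line(line):
    ts, method, url = line.split(" ", 2)
    return datetime.fromisoformat(ts), method, urlsplit(url)


def find_red_flags(log_text, gets_per_minute=3):
    """Return a list of (when, reason) findings for the three heuristics."""
    findings = []
    get_buckets = defaultdict(int)  # (host, minute) -> number of GETs
    for raw in filter(str.strip, log_text.splitlines()):
        ts, method, u = parse_line(raw)
        name = u.path.rsplit("/", 1)[-1]
        if FAKE_INSTALLER.match(name):
            findings.append((raw, "fake installer script name: " + name))
        if u.scheme == "http" and is_ip_literal(u.hostname):  # takeaway 2
            findings.append((raw, f"plain HTTP to IP literal {u.hostname}"))
        if method == "GET" and is_ip_literal(u.hostname):
            get_buckets[(u.hostname, ts.replace(second=0))] += 1
    for (host, minute), n in get_buckets.items():  # C2-style polling check
        if n >= gets_per_minute:
            findings.append((minute.isoformat(), f"{n} GETs to {host} within one minute"))
    return findings
```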

MITRE Techniques

  • [T1189] Drive-by Compromise – Criminals have frequently abused Google ad traffic to distribute malware. Quote: “Criminals have frequently abused Google ad traffic to distribute malware.”
  • [T1105] Ingress Tool Transfer – The malicious script is designed to retrieve an .msi file from the following URL. Quote: “The script is designed to retrieve an .msi file from the following URL: hxxps://acehphonnajaya[.]com/csw/ke.msi”
  • [T1059.007] JavaScript – The .js file is retrieved and used to fetch further payloads. Quote: “The malicious .js file hosted on compromised server at: hxxps://coldcreekranch[.]com/z1/”
  • [T1059.005] VBScript – The Terminal App Service.vbs script generates HTTP traffic to a C2 server. Quote: “Terminal App Service.vbs generated HTTP traffic to a Command and Control (C2) server at 46.151.24[.]226.”
  • [T1547.001] Boot or Logon Autostart Execution: Startup Folder – The .vbs file was made persistent through Windows shortcuts in the Startup directory. Quote: “Terminal App Service.vbs… were made persistent through Windows shortcuts at: C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Terminal App Service.lnk”
  • [T1041] Exfiltration Over C2 Channel – The infected host’s screenshot was sent to the C2 server. Quote: “the infected host sent a screenshot of the desktop to the same C2 server at 46.151.24[.]226.”
  • [T1071.001] Web Protocols – C2 communication over HTTP. Quote: “HTTP GET requests to 46.151.24[.]226 occurred several times each minute.” and “POST … to 185.163.45[.]221 (application/x-www-form-urlencoded)”.

Indicators of Compromise

  • [Domain] Malicious redirect and hosting domains – qweiaoer[.]online, ajerlakerl[.]online, baherlakerl[.]online, baherlaker[.]online, dogotungtam[.]com, acehphonnajaya[.]com, coldcreekranch[.]com
  • [IP Address] Command & Control and download hosts – 46.151.24[.]226, 185.163.45[.]221
  • [IP Address] Additional redirect/hosting nodes – 31.41.244[.]55, 31.41.244[.]54, 45.252.250[.]11, 160.153.56[.]0, 194.163.41[.]34
  • [URL] Malicious download and redirect URLs – hxxps://acehphonnajaya[.]com/csw/ke.msi, hxxps://coldcreekranch[.]com/z1/, hxxps://dogotungtam[.]com/teamviewer
  • [File] Names of malicious payloads – TeamViewer_Setup.js, ke.msi, Terminal App Service.vbs, au3.ahk, au3.exe
  • [File] Artifacts and persistence files – C:\ProgramData\2020\au3.ahk, C:\ProgramData\2020\au3.exe, C:\ProgramData\Cis\Terminal App Service.vbs, C:ProgramDataDoredskev.jpg
  • [File] Startup shortcuts for persistence – C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Terminal App Service.lnk, C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TermuTX.lnk
  • [Hash] Malicious file hashes – 4c07101939d10b1096a868a2a62c0b4225009182efc2a7d68154ed6a063f5cb6, 029210065e177399d8e84248e30e6edea12a6f8a80ac9f42a97c308d48599294, 88e48ca479ca12ef5dbcf985d5233e28a79892327b46f564f7ef7be30e478b54, fbb221ee4b17929bddc95beac7d2736709cf1a5c161c3139a1cd90c3f2044420, 8416358966d1bf7c55a5ca02bb37a30b07d0d68384624659523d86077bc3b166, f7e7943fc112819693dca74b40f5b7b304046aeaee064c1757f57358c822cdaa

Read more: https://isc.sans.edu/diary/Google+ad+traffic+leads+to+stealer+packages+based+on+free+software/29376/