Keypoints
- Attackers abused Google Ads tracking templates to redirect users from ad banners to malicious landing pages that imitated legitimate software sites.
- Malicious installers were named to resemble groupware (e.g., Notion_software_x64_.exe, Slack_software_x64_.exe) and distributed as Inno Setup or NSIS packages.
- After execution, the installers queried text-hosting services (tinyurl, textbin) to retrieve payload download URLs and then downloaded additional executables from attacker-controlled domains.
- The payload identified is the Rhadamanthys infostealer, which injects into legitimate Windows binaries in %system32% (dialer.exe, openwith.exe, dllhost.exe, rundll32.exe) to evade detection and persist.
- Multiple IOCs were published, including TinyURL/textbin redirectors, direct payload URLs (e.g., slashidot[.]org/@abcDP.exe), and several MD5 hashes of detected samples.
- Users are advised to verify the actual landing URL after clicking ads rather than relying on the visible banner URL, since tracking redirects can conceal malicious destinations.
MITRE Techniques
- [T1566.002] Phishing: Spearphishing Link – Use of Google Ads tracking to redirect victims to malicious pages; quote: [‘malware is being distributed by using the Google Ads tracking feature.’]
- [T1204.002] User Execution: Malicious File – Social engineering to get users to run fake installers like Notion_software_x64_.exe; quote: [‘disguising itself as an installer for popular groupware such as Notion and Slack.’]
- [T1105] Ingress Tool Transfer – Downloading additional payloads from attacker-controlled servers after initial execution; quote: [‘it downloads malicious files and payloads from the attacker’s server.’]
- [T1055] Process Injection – Injecting Rhadamanthys into legitimate Windows executables in %system32% to run under trusted processes; quote: [‘injected in legitimate Windows files in the %system32% path.’]
- [T1071.001] Application Layer Protocol: Web Protocols – Using HTTPS/HTTP to fetch payloads from remote URLs such as slashidot[.]org and bookpool[.]org; quote: [‘they respond by giving malicious payload download addresses as a reply.’]
- [T1505] Server Software Component – Abuse of publicly writable text-hosting services (tinyurl, textbin) to store and retrieve payload locations; quote: [‘uses websites that can save texts such as textbin or tinyurl to access the malicious payload addresses.’]
- [T1027] Obfuscated Files or Information – Use of installers and indirect redirectors (tracking templates, shorteners) to conceal malicious intent; quote: [‘the ad contains not an external statics site, but a malicious code distribution site.’]
- [T1059.001] Command and Scripting Interpreter: PowerShell – Possible use of scripts to fetch and execute payloads (as noted in analysis); quote: [‘the malware may use PowerShell scripts to fetch and execute the malicious payloads from the URLs provided.’]
- [T1562.001] Impair Defenses: Disable or Modify Tools – Potential attempts by Rhadamanthys to modify or disable security tools to avoid detection; quote: [‘may attempt to disable or modify security tools to avoid detection.’]
- [T1497.001] Virtualization/Sandbox Evasion: System Checks – Malware may check for analysis environments to evade sandbox detection; quote: [‘may perform checks to detect if it is running in a virtualized or sandboxed environment to evade analysis.’]
Indicators of Compromise
- [File names] installer names observed – Notion_software_x64_.exe, Slack_software_x64_.exe
- [URLs] redirection and landing pages – hxxps://notione.my-apk[.]com (final landing), hxxps://pantovawy.page[.]link/jdF1/?url=… (tracking redirect), and other listed domains
- [Payload URLs] direct executable hosts – hxxps://slashidot[.]org/@abcDP.exe, hxxps://bookpool[.]org/@Base.exe, and other payload URLs
- [Text-hosting redirectors] payload pointer services – hxxp://tinyurl[.]com/4jnvfsns, hxxps://textbin[.]net/raw/oumciccl6b
- [MD5 hashes] sample hashes – 9437c89a5f9a51a4ff6d6076083fa6c9, 12b6229551fbb1dcb2823bc8b611300f, and 7 more hashes
- [Injected targets] legitimate Windows binaries used for injection – dialer.exe, rundll32.exe
Attackers placed malicious tracking templates within Google Ads so that clicks on seemingly legitimate groupware banners redirected users to cloned landing pages hosting fake installers. Those installers (commonly packaged with Inno Setup or NSIS and named like Notion_software_x64_.exe) execute locally, then query public text-sharing services (tinyurl, textbin) to retrieve URLs that point to attacker-controlled executables.
The retrieved URLs lead to direct payload downloads (examples: slashidot[.]org/@abcDP.exe, bookpool[.]org/@Base.exe). The Rhadamanthys infostealer is delivered and then injected into trusted %system32% binaries (dialer.exe, openwith.exe, dllhost.exe, rundll32.exe), allowing data theft and stealthy execution under legitimate processes. Indicators published include the delivery/redirect domains, tinyurl/textbin pointers, payload hosts, and multiple MD5 hashes of observed samples.
Mitigations include validating the actual landing URL after clicking ads (not the visible banner URL), blocking known IOC domains and payload hosts, monitoring for suspicious modifications or injections into %system32% executables, and using application allowlisting and endpoint detection to catch post-execution activity. For analysts, use the listed IOCs and MD5s when hunting, and prioritize detection of Process Injection and of inbound HTTPS executable downloads that follow a lookup to a shortener or text-hosting service.
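As an added illustration (not code from the ASEC post), the following Python pass refangs the published IOCs, matches them against a constructed proxy/EDR log, and separately flags the behavioural chain summarised above: an installer-named process that first queries a shortener/text-hosting service and then downloads an .exe from another host. The log format, endpoint names and the host example-unknown.test are assumptions made for the sample.

```python
import re
from collections import defaultdict

# Defanged indicators copied from the IOC list above (a subset).
DEFANGED_IOCS = ["hxxps://notione.my-apk[.]com", "hxxps://slashidot[.]org/@abcDP.exe",
                 "hxxps://bookpool[.]org/@Base.exe", "hxxp://tinyurl[.]com/4jnvfsns",
                 "hxxps://textbin[.]net/raw/oumciccl6b"]
# Public shortener/text-hosting services the installers query for payload URLs.
POINTER_HOSTS = {"tinyurl.com", "textbin.net"}
# Installer names observed in the campaign.
INSTALLER_NAME = re.compile(r"^(notion|slack)_software_x64_\.exe$", re.I)

# Constructed sample of a proxy/EDR log, one "<endpoint> <process> <url>" per line.
SAMPLE_LOG = [
    "host01 chrome.exe https://www.notion.so/download",
    "host02 Notion_software_x64_.exe http://tinyurl.com/4jnvfsns",
    "host02 Notion_software_x64_.exe https://textbin.net/raw/oumciccl6b",
    "host02 Notion_software_x64_.exe https://slashidot.org/@abcDP.exe",
    "host03 Slack_software_x64_.exe https://textbin.net/raw/notonthepage",
    "host03 Slack_software_x64_.exe https://example-unknown.test/@Base.exe",
]

def refang(ioc):
    """Turn a defanged IOC (hxxp, [.]) back into a matchable URL."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")

def host_of(url):
    return re.sub(r"^https?://", "", url).split("/")[0].lower()

def analyze(log_lines):
    """Return (ioc_hits, chains): IOC matches, plus the behavioural chain
    installer-named process -> pointer service -> .exe download from elsewhere."""
    ioc_urls = {refang(i) for i in DEFANGED_IOCS}
    # Match shortener/text hosts only by full URL; host-level matching there is too noisy.
    ioc_hosts = {host_of(u) for u in ioc_urls} - POINTER_HOSTS
    ioc_hits, chains = [], []
    queried_pointer = defaultdict(bool)  # (endpoint, process) -> saw a pointer lookup
    for line in log_lines:
        endpoint, process, url = line.split(maxsplit=2)
        h = host_of(url)
        if url in ioc_urls or h in ioc_hosts:
            ioc_hits.append((endpoint, process, url))
        if not INSTALLER_NAME.match(process):
            continue  # benign browser traffic never enters the chain logic
        key = (endpoint, process)
        if h in POINTER_HOSTS:
            queried_pointer[key] = True
        elif queried_pointer[key] and url.lower().endswith(".exe"):
            chains.append((endpoint, process, url))
    return ioc_hits, chains
```

The host03 lines show why the chain rule matters: its pointer URL and payload host are not in the published list, so exact IOC matching misses them while the behavioural rule still fires.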
Read more: https://asec.ahnlab.com/en/63477/