Attackers use Google ads to lure users to fake Notepad++ download pages that install Aurora Stealer. The article traces the infection chain from the ad-driven page to the downloaded malware and its post-infection C2 traffic, and lists the associated IOCs.
Keypoints
- The attack vector relies on Google ads leading to fake Notepad++ pages that link to malware.
- Fake pages imitate legitimate software sites and direct users to download malicious installers.
- The download link on the fake page (notopod-plos-plus[.]com/bsdf/file.php) redirects to a second, typosquatted domain (obsqroject.com, imitating obsproject.com) that serves the Aurora Stealer installer under a filename that mimics a genuine Notepad++ release (npp.8.4.8.Installer.x64.exe).
- Post-infection C2 traffic goes to 79.137.133.225 on TCP port 8081; the server sends short plain-text strings (WORK, Accept, Thanks) and the infected host replies with data that looks like Base64 text.
- The malware is identified as Aurora Stealer, with patterns matching prior Aurora campaigns.
- Microsoft Defender flagged the EXE as an unrecognized app, but that only adds a few extra clicks, and users seeking free software routinely click through such warnings to run the file.
- Best defense is avoiding ad-based downloads and following security best practices when seeking free software.
MITRE Techniques
- [T1189] Drive-by Compromise – The article describes Google ads delivering users to fake download pages that host malware. ‘Google ads are a common vector for malware distribution… marked “Ad” or “Sponsored,” then check the link to see if anything is unusual.’
- [T1204.002] User Execution – The downloaded malware required user action to run it. ‘The downloaded malware was detected by Microsoft Defender as an unrecognized app, so I had some extra clicks to run it.’
- [T1105] Ingress Tool Transfer – The malware file was retrieved via a redirect from the initial page to a second URL hosting the installer. ‘The URL to download malware was notopod-plos-plus[.]com/bsdf/file.php which redirected to another URL hosting the malware.’
- [T1027] Obfuscated/Compressed Files and Information – Post-infection data includes Base64-encoded content sent to the C2. ‘Data sent by the infected Windows host to the server looks like Base64 text.’ Note that Base64 encoding of data in transit to a C2 is more precisely T1132.001 Data Encoding: Standard Encoding; T1027 is the better fit for an obfuscated file on disk.
- [T1071.001] Application Layer Protocol: Web Protocols – Post-infection C2 traffic observed over TCP to a remote host (tcp://79.137.133[.]225:8081) with plain text exchanges. ‘Post-infection traffic consists of plain text… Text sent by the server to the infected Windows host was WORK and Accept and Thanks.’ Note that the exchange described is raw TCP with plain-text tokens rather than HTTP, so T1095 Non-Application Layer Protocol is the closer match; T1071.001 applies only if the traffic is actually carried inside HTTP.
Indicators of Compromise
- [Domain] notopod-plos-plus[.]com – fake Notepad++ download site advertised through Google ads
- [Domain] obsqroject[.]com – malware host typosquatting a legitimate site (obsproject.com)
- [Domain] www.googleadservices[.]com – legitimate Google ad-click redirect domain seen in the chain; useful as context for reconstructing the click path, not as a blocklist entry
- [URL] hxxps://notopod-plos-plus[.]com/bsdf/file.php – download link on the fake page that redirects to the malware host
- [URL] hxxps://obsqroject[.]com/npp.8.4.8.Installer.x64.exe – downloaded Aurora Stealer installer
- [IP] 79.137.133[.]225 – C2 server for post-infection traffic (TCP port 8081)
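The indicators above and the post-infection traffic pattern from the keypoints, turned into a small triage script that refangs the IOCs, matches them against DNS queries, and flags the 8081 exchange (Base64-looking client data, plain-text WORK/Accept/Thanks from the server). This is an added example, not code from the ISC diary: the Zeek-style DNS rows and the flow records are constructed, their field layouts are assumptions, and the Base64 check is a heuristic rather than a parser for the real Aurora protocol.

```python
import base64
import binascii
import re

# Indicators from the diary, kept defanged so they are safe to paste into a ticket.
DEFANGED = {
    "domain": ("notopod-plos-plus[.]com", "obsqroject[.]com"),
    "ip": ("79.137.133[.]225",),
}
C2_PORT = 8081
# Plain-text strings the diary reports the server sending to the infected host.
SERVER_TOKENS = {"WORK", "Accept", "Thanks"}
# Heuristic: a run of Base64 alphabet at least 16 chars long, optional padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def refang(ioc: str) -> str:
    """'hxxps://evil[.]com' -> 'https://evil.com' so the value can be matched."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def defang(ioc: str) -> str:
    """Inverse of refang(), used when reporting hits."""
    return ioc.replace(".", "[.]").replace("http", "hxxp")


IOC_DOMAINS = {refang(d) for d in DEFANGED["domain"]}
IOC_IPS = {refang(i) for i in DEFANGED["ip"]}


def domain_matches(query: str) -> bool:
    """True for an exact match or a subdomain (www.obsqroject.com hits obsqroject.com)."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in IOC_DOMAINS)


def scan_dns(lines):
    """Constructed dns.log rows: ts, src, resolver, query. Returns (src, defanged query)."""
    hits = []
    for line in lines:
        _ts, src, _resolver, query = line.split("\t")
        if domain_matches(query):
            hits.append((src, defang(query)))
    return hits


def looks_base64(payload: str) -> bool:
    """Shape check plus a strict decode; short tokens like 'WORK' do not qualify."""
    if not B64_RE.match(payload) or len(payload) % 4:
        return False
    try:
        base64.b64decode(payload, validate=True)
        return True
    except binascii.Error:
        return False


def scan_c2(records):
    """Constructed flow records: ts, host, peer, peer_port, direction (out|in), payload.
    Flags traffic with the listed C2 on 8081: Base64-looking data the host sends
    (reported with its decoded size) and plain-text tokens the server answers with."""
    findings = []
    for rec in records:
        _ts, host, peer, port, direction, payload = rec.split("\t")
        if int(port) != C2_PORT or peer not in IOC_IPS:
            continue
        if direction == "out" and looks_base64(payload):
            decoded = base64.b64decode(payload, validate=True)
            findings.append(("client->c2 base64", host, len(decoded)))
        elif direction == "in" and payload.strip() in SERVER_TOKENS:
            findings.append(("c2->client token", host, payload.strip()))
    return findings


# Constructed sample data (not from the diary): one victim at 10.0.0.25, one clean host.
SAMPLE_DNS = [
    "1674000000.1\t10.0.0.25\t10.0.0.2\twww.googleadservices.com",
    "1674000001.2\t10.0.0.25\t10.0.0.2\tnotopod-plos-plus.com",
    "1674000003.4\t10.0.0.25\t10.0.0.2\tobsqroject.com",
    "1674000004.0\t10.0.0.26\t10.0.0.2\tnotepad-plus-plus.org",
]
_CHECKIN = base64.b64encode(b"hostname=DESKTOP-01;user=alice").decode()
SAMPLE_FLOWS = [
    "1674000010.0\t10.0.0.25\t79.137.133.225\t8081\tout\t" + _CHECKIN,
    "1674000010.5\t10.0.0.25\t79.137.133.225\t8081\tin\tWORK",
    "1674000011.0\t10.0.0.25\t79.137.133.225\t8081\tin\tAccept",
    "1674000020.0\t10.0.0.26\t93.184.216.34\t443\tout\tGET / HTTP/1.1",
]

if __name__ == "__main__":
    for hit in scan_dns(SAMPLE_DNS):
        print("DNS hit:", hit)
    for finding in scan_c2(SAMPLE_FLOWS):
        print("C2 finding:", finding)
```

The legitimate www.googleadservices.com query is deliberately not a hit: blocking it would break every Google ad click, so it belongs in the timeline reconstruction, not the blocklist. The Base64 heuristic is only a triage aid; a decoded blob still needs inspection, since Aurora's actual payload format is not described on the page.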
Read more: https://isc.sans.edu/diary/rss/29448