Threat actors misuse Google’s ad platform to push masquerAd sites that redirect users to phishing and malware pages, leveraging trusted ad traffic to gain credibility. Vermux leads mass campaigns targeting GPU users, distributing varying payloads via masquerAd flows and hosting infrastructure across Russia and popular file-sharing sites to evade defenses.
#Vermux #masquerAds #Grammarly #Afterburner
Key points
- MasquerAd flows abuse Google Ads to promote deceptive sites that divert ad-clickers to malicious payloads.
- Vermux is the threat actor behind these campaigns, deploying hundreds of masquerAds domains and targeting US GPU users from Russia.
- The campaigns lure victims with credible brands and software names (Grammarly, Afterburner, Blender, Visual Studio, Zoom, Slack, Dashlane) to improve success.
- Infected installers bundle malicious payloads with legitimate software (e.g., Grammarly) and use oversized, bloated files to hinder automated analysis.
- Payloads are varied and frequently changed (Raccoon, Vidar, crypto miners) to thwart detection and rely on dynamic execution.
- Threat actors rely on reputable hosting/file-sharing services (GitHub, Dropbox, OneDrive, Discord CDN) to distribute malware and disguise flows.
- IOCs include masquerAd domains and URLs, malicious file names, and GitHub/gist references cited in the investigation.
MITRE Techniques
- [T1036] Masquerading – The actors present malicious sites as legitimate brands within a trusted Google Ads flow, e.g. “masquerAd-ing their malicious sites in the Google Ads flow.”
- [T1566.002] Phishing: Spearphishing Link – The promoted search result leads to a malicious Grammarly phishing page under gramm-arly[.]com, illustrating targeted link-based deception.
- [T1189] Drive-by Compromise – Rogue sites are promoted and traffic redirected to the malicious payload via server-side redirects, hidden from Google and visitors.
- [T1105] Ingress Tool Transfer – Vermux payloads are hosted on third-party services (GitHub, Dropbox, OneDrive, etc.) to deliver malware.
- [T1027] Obfuscated/Compressed Files – The installation packages are bloated with zeroed files and encoded to evade automated analysis, with dynamic execution used to reveal malicious behavior.
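The key point above about oversized installers and the T1027 entry both describe the same evasion: padding the package with zeroed bytes so it exceeds the size limits of automated scanners. The following triage check is an added example, not code from the Guardio Labs report; it streams a file once, hashes it, and measures how much of it is 0x00 and how long the longest contiguous zero run is. The thresholds and the constructed sample blobs are assumptions to tune against your own sandbox limits.

```python
"""Triage check for zero-padded ("bloated") installers.

Added example, not code from the Guardio Labs report. Thresholds are
illustrative assumptions: tune them to your sandbox's size limits.
"""
from __future__ import annotations

import hashlib
import io
import re
from dataclasses import dataclass

CHUNK = 64 * 1024
ZERO_RATIO_THRESHOLD = 0.60   # assumed: at least 60% of the file is 0x00
MIN_ZERO_RUN = 1024 * 1024    # assumed: at least one contiguous 1 MiB run of 0x00
_ZERO_RUNS = re.compile(rb"\x00+")


@dataclass
class BloatReport:
    size: int
    zero_bytes: int
    longest_zero_run: int
    sha256: str

    @property
    def zero_ratio(self) -> float:
        return self.zero_bytes / self.size if self.size else 0.0

    @property
    def suspicious(self) -> bool:
        return (self.zero_ratio >= ZERO_RATIO_THRESHOLD
                and self.longest_zero_run >= MIN_ZERO_RUN)


def scan_stream(stream) -> BloatReport:
    """One streaming pass: hash the content, count 0x00 bytes and track the
    longest contiguous run of them, carrying runs across chunk boundaries."""
    size = zero_bytes = longest = current = 0
    digest = hashlib.sha256()
    while True:
        chunk = stream.read(CHUNK)
        if not chunk:
            break
        size += len(chunk)
        zero_bytes += chunk.count(0)
        digest.update(chunk)
        for match in _ZERO_RUNS.finditer(chunk):
            start, end = match.span()
            run = end - start
            if start == 0:           # continues a run left open by the previous chunk
                run += current
            longest = max(longest, run)
            current = run if end == len(chunk) else 0
        if not chunk.endswith(b"\x00"):
            current = 0
    return BloatReport(size, zero_bytes, longest, digest.hexdigest())


def scan_bytes(data: bytes) -> BloatReport:
    return scan_stream(io.BytesIO(data))


def scan_file(path: str) -> BloatReport:
    with open(path, "rb") as fh:
        return scan_stream(fh)


# Constructed samples (not real malware): a 100 KiB "real" payload containing
# only isolated 0x00 bytes, and the same payload followed by 3 MiB of padding.
PAYLOAD = bytes(range(256)) * 400
PADDED = PAYLOAD + b"\x00" * (3 * 1024 * 1024)

if __name__ == "__main__":
    for name, blob in (("plain", PAYLOAD), ("padded", PADDED)):
        r = scan_bytes(blob)
        print(f"{name}: size={r.size} zero_ratio={r.zero_ratio:.2f} "
              f"longest_zero_run={r.longest_zero_run} suspicious={r.suspicious}")
```

The two signals are deliberately combined: a high zero ratio alone also fits legitimate installers with large sparse resources, while a single multi-megabyte run of zeros with nothing after it is the signature of an overlay bolted on purely to inflate size. Flagged files are candidates for dynamic analysis after stripping the padding, which is where the report says the malicious behaviour becomes visible.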
Indicators of Compromise
- [Domain] afterbern.live – masquerAd domain used in campaigns to serve disguised sites.
- [Domain] grammalry.org – domain used in masquerAd flow for Grammarly-related deception.
- [Domain] gramm-arly.com – domain used as the malicious Grammarly landing page.
- [Domain] grammartly.org – domain referenced for Grammarly-related installers.
- [File] Grammarly.exe – malware installer downloaded from grammartly.org in masquerAd flows.
- [File] 18.exe – malicious installer referenced in bundled malware campaigns.
- [Hash] 3baf692a1589355af206f4e3886a09fe8997f0b62c78c1403556285eaba40e94 – VirusTotal detection reference for a related sample.
- [URL] https://gist.github.com/guardiolabs/2178c54367d20b0655b5cc5e9d297760 – Miscellaneous active domains and samples during 11–12/2022.
- [URL] https://gist.github.com/guardiolabs/7f46d1adda8b0c08e76f23d9fab27fe9 – Vermux-specific operation during 11–12/2022.
- [URL] https://www.virustotal.com/gui/file/3baf692a1589355af206f4e3886a09fe8997f0b62c78c1403556285eaba40e94/detection – VirusTotal analysis for a sample referenced in the report.
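To make the indicators above actionable, the following added example (not code from the Guardio Labs report) matches the listed masquerAd domains and the SHA-256 against proxy log lines and additionally flags registrable domains that are edit-distance lookalikes of the impersonated brands, which catches new typosquats before they reach a published list. The log format, the log lines and the brand-to-real-domain table are constructed assumptions.

```python
"""Match masquerAd indicators against proxy log lines and flag brand lookalikes.

Added example, not code from the Guardio Labs report. Indicators are the ones
listed in the report; the log format, log lines and BRAND_DOMAINS are assumptions.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Domains and hash from the report, written defanged as analysts usually share them.
RAW_DOMAINS = ["afterbern[.]live", "grammalry[.]org", "gramm-arly[.]com", "grammartly[.]org"]
RAW_HASHES = ["3baf692a1589355af206f4e3886a09fe8997f0b62c78c1403556285eaba40e94"]

# Brands the campaign impersonates (from the report) mapped to the registrable
# domain of the real vendor. Assumed values: verify against your own allow-list.
BRAND_DOMAINS = {
    "grammarly": "grammarly.com", "afterburner": "msi.com", "blender": "blender.org",
    "visualstudio": "visualstudio.com", "zoom": "zoom.us", "slack": "slack.com",
    "dashlane": "dashlane.com",
}

# Constructed proxy log: timestamp, client, method, URL, status[, sha256=<hash>].
LOG_LINES = """\
2022-12-01T10:02:11Z 10.0.0.15 GET https://gramm-arly.com/download 200
2022-12-01T10:02:40Z 10.0.0.15 GET https://grammartly.org/Grammarly.exe 200 sha256=3baf692a1589355af206f4e3886a09fe8997f0b62c78c1403556285eaba40e94
2022-12-01T10:03:05Z 10.0.0.22 GET https://www.grammarly.com/ 200
2022-12-01T10:04:17Z 10.0.0.31 GET https://grammerly-download.net/setup 200
2022-12-01T10:05:00Z 10.0.0.31 GET https://zoom.us/j/123 200
"""
_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})(?: sha256=([0-9a-f]{64}))?$")


def refang(ioc: str) -> str:
    """Undo common defanging so indicators compare equal to live log values."""
    return ioc.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def registrable(host: str) -> str:
    """Last two labels of a hostname. Simplification: a real deployment should
    consult the Public Suffix List so that e.g. co.uk is handled correctly."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(domain: str) -> str | None:
    """Return the brand a non-allow-listed domain imitates, if any. Compares the
    hyphen-split tokens and the hyphen-stripped first label against each brand."""
    label = domain.split(".")[0]
    tokens = set(label.split("-")) | {label.replace("-", "")}
    for brand in BRAND_DOMAINS:
        max_dist = 1 if len(brand) <= 5 else 2   # stricter for short names
        if any(levenshtein(t, brand) <= max_dist for t in tokens):
            return brand
    return None


def scan_log(text: str) -> list[tuple[int, str, str]]:
    """Yield (line_no, kind, value) with kind in ioc-domain, ioc-hash, lookalike."""
    ioc_domains = {refang(d) for d in RAW_DOMAINS}
    ioc_hashes = {h.lower() for h in RAW_HASHES}
    allow = set(BRAND_DOMAINS.values())
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = _LINE.match(line)
        if not m:
            continue
        domain = registrable(urlsplit(m.group(4)).hostname or "")
        if domain in ioc_domains:
            findings.append((n, "ioc-domain", domain))
        elif domain not in allow:
            brand = lookalike_brand(domain)
            if brand:
                findings.append((n, "lookalike", f"{domain}~{brand}"))
        if m.group(6) and m.group(6) in ioc_hashes:
            findings.append((n, "ioc-hash", m.group(6)))
    return findings


if __name__ == "__main__":
    for line_no, kind, value in scan_log(LOG_LINES):
        print(f"line {line_no}: {kind} {value}")
```

The exact indicator match and the lookalike heuristic are complementary: afterbern.live is three edits away from "afterburner" and would slip past the distance check, but is caught by the list, while grammerly-download.net is not on the list yet and is caught by the heuristic. Short brand names (zoom, slack) get a distance of one to limit false hits such as "boom" or "room"; review lookalike findings before blocking, and feed confirmed ones back into RAW_DOMAINS.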