Keypoints
- Attackers used Google Ads tracking templates to redirect ad clicks to malicious landing pages while showing legitimate final URLs to users.
- Malicious installers were named to mimic popular collaboration apps (e.g., Notion_software_x64_.exe, Slack_software_x64_.exe) and were packaged with Inno Setup or NSIS.
- After execution, the installer contacts text-hosting/URL-shortener services (tinyurl, textbin) to retrieve the actual payload download URL.
- Confirmed payload URLs host Rhadamanthys infostealer binaries which, when run, are injected into normal Windows executables in %system32% (e.g., rundll32.exe, dllhost.exe).
- Transit and final redirect examples include googleadservices pagead links, pantovawy.page.link, cerisico[.]net, and notione.my-apk[.]com as the fake landing site.
- ASEC published MD5 hashes and multiple IOC URLs (tinyurl/textbin and direct .exe hosts) and classified the behavior as injection-based (MDP.Event.M10231).
MITRE Techniques
- [T1189] Drive-by Compromise: use of advertising redirects to silently send users to malicious landing pages ("The attacker used the tracking function of Google advertisements to make it appear to users that they were accessing a normal site.").
- [T1036] Masquerading: naming and packaging installers to impersonate legitimate collaboration tools to deceive users ("malware disguised as a groupware installation program used by many people, such as Notion and Slack, was distributed.").
- [T1204.002] User Execution: Malicious File: reliance on users downloading and executing installers built with Inno Setup or NSIS ("This type of malware is mainly distributed in the form of Inno Setup installer or NSIS ...").
- [T1105] Ingress Tool Transfer: retrieving payloads from URLs returned by text-hosting and URL-shortening services (tinyurl, textbin) ("The executed malicious code accesses the address of the malicious payload using a website that can store text, such as textbin or tinyurl.").
- [T1055] Process Injection: injecting and running the Rhadamanthys payload inside legitimate Windows binaries in %system32% ("the malware is injected and executed into a normal Windows file located in the %system32% path.").
Indicators of Compromise
- [File name] Fake installer names used to trick users: Notion_software_x64_.exe, Slack_software_x64_.exe
- [URL] Transit/fake landing pages: hxxps://pantovawy.page[.]link/jdF1/?url=..., hxxps://notione.my-apk[.]com (final malicious page)
- [URL] Payload hosting/redirects: hxxp://tinyurl[.]com/4jnvfsns, hxxps://textbin[.]net/raw/oumciccl6b, and other shorteners
- [URL] Direct payload executables: hxxps://slashidot[.]org/@abcDP.exe, hxxps://yogapets[.]xyz/@abcmse1.exe (and other .exe hosts)
- [Hash] Sample MD5 hashes observed: 9437c89a5f9a51a4ff6d6076083fa6c9, 12b6229551fbb1dcb2823bc8b611300f, and 8 more hashes
- [Targeted binaries] Windows system executables used for injection: dialer.exe, rundll32.exe (also openwith.exe, dllhost.exe)
The attack flow starts with a paid search advertisement that displays a legitimate final URL but routes clicks through a tracking template/redirect chain controlled by the attacker; examples include Google Ads transit links and intermediate redirectors (e.g., pantovawy.page.link, cerisico[.]net) leading to a fake app page (notione.my-apk[.]com). Clicking the ad takes the browser to a landing page that mimics a real collaboration tool and prompts the user to download an installer named to resemble Notion/Slack/Trello/GoodNotes.
Those installers are packaged with Inno Setup or NSIS and, once executed, query text-hosting or URL-shortener endpoints (e.g., tinyurl, textbin) to obtain the real payload download URL. The returned payload URLs point to attacker-controlled hosts that serve Rhadamanthys infostealer binaries (examples: slashidot[.]org/@abcDP.exe, yogapets[.]xyz/@abcmse1.exe), which are then downloaded and executed.
On execution, the Rhadamanthys binary performs process injection into legitimate Windows executables in the %system32% folder (confirmed targets: dialer.exe, openwith.exe, dllhost.exe, rundll32.exe), allowing the malicious code to run under trusted processes and steal information while avoiding casual detection. Defenders should validate the actual destination URLs behind ads and block or investigate the listed IOC URLs, payload hosts, and MD5 hashes.
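As an added illustration of the last point (this is example code written for this summary, not ASEC's tooling), the following Python walks a proxy/EDR-style event feed and flags the chain described above: contact with the reported hosts, a process named like the fake installers querying tinyurl/textbin, and the same process pulling a .exe shortly afterwards. The event format, the five-minute window, and the sample events are assumptions; the hosts, URLs, installer names and two MD5 values are those listed in the report.

```python
import re
from datetime import datetime, timedelta

# Indicators taken from the ASEC report summarised above; everything else here is constructed.
IOC_HOSTS = {"pantovawy.page.link", "cerisico.net", "notione.my-apk.com",
             "slashidot.org", "yogapets.xyz"}
IOC_MD5 = {"9437c89a5f9a51a4ff6d6076083fa6c9", "12b6229551fbb1dcb2823bc8b611300f"}
STAGING_HOSTS = {"tinyurl.com", "textbin.net"}   # where the installer fetches the real payload URL
FAKE_INSTALLER = re.compile(r"^(notion|slack|trello|goodnotes)_software_x64_\.exe$", re.I)
HOST_RE = re.compile(r"^h[tx]{2}ps?://([^/?#]+)", re.I)

def refang_host(url):
    """Bare lowercase host of a URL; accepts defanged hxxp:// and [.] notation."""
    m = HOST_RE.match(url.strip())
    return m.group(1).replace("[.]", ".").lower() if m else ""

def analyse(events, window=timedelta(minutes=5)):
    """events: dicts with ts, proc, url and optional md5 (assumed proxy/EDR feed shape).
    Returns (ts, proc, reason) tuples, one per matched rule, in time order."""
    hits, staged = [], {}          # staged: proc -> time of its last staging-host request
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, proc = refang_host(ev["url"]), ev["proc"].lower()
        if ev.get("md5", "").lower() in IOC_MD5:
            hits.append((ev["ts"], proc, "known Rhadamanthys sample md5 " + ev["md5"]))
        if host in IOC_HOSTS:
            hits.append((ev["ts"], proc, "contact with reported IOC host " + host))
        if not FAKE_INSTALLER.match(proc):
            continue
        if host in STAGING_HOSTS:
            staged[proc] = ev["ts"]
            hits.append((ev["ts"], proc, "fake installer queried staging host " + host))
        elif ev["url"].lower().endswith(".exe") and proc in staged \
                and ev["ts"] - staged[proc] <= window:
            hits.append((ev["ts"], proc, "fake installer downloaded .exe after staging lookup"))
    return hits

def t(s):  # constructed timestamps for the sample feed below
    return datetime.fromisoformat("2023-01-01T" + s)

# Constructed sample feed mirroring the chain described in the report.
SAMPLE_EVENTS = [
    {"ts": t("10:00:00"), "proc": "chrome.exe", "url": "hxxps://pantovawy.page[.]link/jdF1/?url=..."},
    {"ts": t("10:00:02"), "proc": "chrome.exe", "url": "hxxps://notione.my-apk[.]com"},
    {"ts": t("10:03:00"), "proc": "Notion_software_x64_.exe", "url": "hxxp://tinyurl[.]com/4jnvfsns"},
    {"ts": t("10:03:05"), "proc": "Notion_software_x64_.exe", "url": "hxxps://textbin[.]net/raw/oumciccl6b"},
    {"ts": t("10:03:10"), "proc": "Notion_software_x64_.exe", "url": "hxxps://slashidot[.]org/@abcDP.exe",
     "md5": "9437c89a5f9a51a4ff6d6076083fa6c9"},
    {"ts": t("10:09:00"), "proc": "rundll32.exe", "url": "https://updates.example/ok.json"},  # benign noise
]

if __name__ == "__main__":
    for ts, proc, reason in analyse(SAMPLE_EVENTS):
        print(ts.time(), proc, reason)
```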
Read more: https://asec.ahnlab.com/ko/62864/