Phishing and spam emails are commonly used for malware distribution; however, it has become much harder for malware and malicious scripts to evade email filtering, especially advanced email security solutions with sandboxing and machine-learning detection. Some threat actors have therefore had greater success using Google Ads to drive traffic to sites hosting trojanized installers for popular software.

Google Ads lets advertisers bid to place adverts above the organic search results for chosen search terms, giving the adverts the most prominent position on the page. While Google has controls in place to prevent malicious ads from appearing, a small number of threat actors successfully circumvent those controls. Some of the most effective malicious Google Ads target searches for software downloads: if threat actors can direct users to a site that resembles a legitimate software provider's, the user is likely to download and run the installer and inadvertently infect their device with malware.

One such campaign was recently uncovered by security researchers at Malwarebytes. While they were unable to identify the final malicious payload, they believe the goal was to deliver an information stealer: malware that runs in the background and harvests data from the infected system. Information stealers typically target login credentials such as usernames and passwords, and can also capture keystrokes, take screenshots, harvest browser histories and cookies, steal from cryptocurrency wallets, and more.

In this campaign, the threat actors targeted search terms related to the Arc browser for Windows. Arc is a free web browser that launched for macOS in July 2023; it has many features that set it apart from other browsers and has received five-star reviews from reviewers and users since its launch. The highly anticipated Windows version was released on April 30, 2024, and the malvertising campaign was prepared ahead of that launch.

One potential problem for a campaign such as this is that malvertisers need to direct traffic to their own website, where the malicious installer is hosted. If you are looking to download Adobe Reader, for example, and the advert displays anything other than the adobe.com domain, you would know not to click. With Google Ads, however, malvertisers can show the legitimate domain in the ad's display URL and then redirect the user to their own domain when the ad is clicked, so the domain shown in the ad cannot be relied on; the domain in the browser's address bar once the page has loaded is the one that matters.

In this campaign, like many other malvertising campaigns, the threat actor uses lookalike domains that closely resemble the legitimate domain, Arc[.]net, and the landing page is a copy of the site it spoofs. If the user downloads and executes the installer, it installs the genuine Arc browser alongside a malicious script that downloads and executes the malware payload. Because the expected software works as normal, the malware runs silently in the background and the user will likely be unaware that anything untoward has happened.
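As an added example (not code from this article or from Malwarebytes), the following Python script performs the two checks the preceding paragraphs describe, entirely offline: it compares the domain an ad displayed with the final landing domain of the click's redirect chain, and then scores the landing host for resemblance to the vendor's real domain (homoglyph, typosquat, TLD swap, or brand name embedded in a longer domain). The redirect chain, the `.example` domains, the Cyrillic confusables subset and the short public-suffix list are all constructed assumptions for illustration, not observed campaign data.

```python
"""Triage an ad click offline: does the landing domain match what the ad
displayed, and does it look like a homoglyph/typosquat of the real vendor domain?
Stdlib only; the redirect chain below is constructed, not observed data."""
import re
import unicodedata
from urllib.parse import urlparse

# A few two-label public suffixes; a real deployment would load the Public
# Suffix List (simplification for this example).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br", "co.nz"}

# Cyrillic letters that render like Latin ones (small assumed subset of the
# Unicode confusables table).
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
})


def normalize_host(host: str) -> str:
    """Lowercase, decode punycode (xn--) labels and fold confusable glyphs."""
    host = host.strip().rstrip(".").lower()
    if "xn--" in host:
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # undecodable label: compare it as-is
    return unicodedata.normalize("NFKC", host).translate(CONFUSABLES)


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1, e.g. 'www.arc.net' -> 'arc.net'."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-keystroke typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_verdict(candidate_host: str, legit_domain: str) -> str:
    """Classify a host against the vendor's real registrable domain."""
    legit = legit_domain.lower()
    legit_label = legit.split(".")[0]
    if registrable_domain(candidate_host) == legit:
        return "legitimate"
    folded = registrable_domain(normalize_host(candidate_host))
    if folded == legit:
        return "homoglyph"          # identical once confusables are folded
    cand_label = folded.split(".")[0]
    if cand_label == legit_label:
        return "tld-swap"           # same brand label under another suffix
    max_edits = 1 if len(legit_label) < 6 else 2   # short brands: be strict
    if levenshtein(cand_label, legit_label) <= max_edits:
        return "typosquat"
    tokens = [t for t in re.split(r"[-\d]+", cand_label) if t]
    if legit_label in tokens or cand_label.startswith(legit_label) \
            or cand_label.endswith(legit_label):
        return "brand-in-domain"    # e.g. arc-browser-download
    return "unrelated"


def triage_click(display_url: str, redirect_chain: list, legit_domain: str) -> dict:
    """Compare the ad's display URL with the final URL of the click's redirect chain."""
    display_domain = registrable_domain(urlparse(display_url).hostname or "")
    landing_host = urlparse(redirect_chain[-1]).hostname or ""
    landing_domain = registrable_domain(landing_host)
    return {
        "display_domain": display_domain,
        "landing_domain": landing_domain,
        "mismatch": display_domain != landing_domain,
        "verdict": lookalike_verdict(landing_host, legit_domain),
    }


# Constructed click: the ad displayed arc.net, the click went through a tracker
# and landed on an attacker-controlled host (hypothetical .example domains).
SAMPLE_DISPLAY_URL = "https://arc.net"
SAMPLE_CHAIN = [
    "https://ads-tracker.example/click?cid=1234",
    "https://arc-browser-dl.example/windows/ArcSetup.exe",
]

if __name__ == "__main__":
    print(triage_click(SAMPLE_DISPLAY_URL, SAMPLE_CHAIN, "arc.net"))
    for host in ["www.arc.net", "\u0430rc.net", "arrc.net", "arc.com", "example.org"]:
        print(f"{host:<14} -> {lookalike_verdict(host, 'arc.net')}")
```

The verdicts are heuristics for triage, not proof of malice: a `tld-swap` such as `arc.com` may be an unrelated legitimate business, and short brand labels (three letters here) are deliberately held to a single edit to limit false positives. In practice the chain would come from a proxy or browser log of the actual click, and the public-suffix table should be the full Public Suffix List.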

Employees often look for software that will let them work more efficiently and download it from the web. For businesses, malicious Google Ads are therefore a serious threat and can easily lead to a costly malware infection and data breach. To protect against web-borne malware, many businesses rely on antivirus software that scans files once they have been downloaded. The problem is that these solutions are often signature-based and can only detect malware variants whose signatures are already in their definition lists. New variants are constantly being released that differ sufficiently to evade signature-based detection, and a trojanized installer that also installs the genuine application gives the user no reason to suspect anything.

In addition to antivirus software, businesses should consider implementing a web filter such as WebTitan. WebTitan is a DNS-based web filter: filtering decisions are made at the DNS lookup, so there is no impact on page load or download speeds. The filter is fed threat intelligence from a network of 500 million end users, is constantly updated, and blocks attempts to visit known malicious sites before a connection is made. Because a newly registered lookalike domain may not yet be categorized as malicious, WebTitan can also be configured to block certain file types from being downloaded from the web, such as executables; this stops malware from being installed from unknown sites and also helps to curb shadow IT. WebTitan can also be configured to block third-party adverts on websites to combat malvertising.

In addition to these software solutions, businesses should provide security awareness training to the workforce to explain the risks of malware, teach security best practices, and eradicate risky behaviors. This is another area where TitanHQ can help. TitanHQ's security awareness training platform, SafeTitan, is the only behavior-driven security awareness solution that delivers training in real time in response to security errors by employees. SafeTitan is an effective way of modifying user behavior and building a human firewall.

To find out more about web filtering with WebTitan and security awareness training with SafeTitan, give the TitanHQ team a call. Both solutions are also available on a free trial to allow you to test them out before making a purchase decision.

Jennifer Marsh

With a background in software engineering, Jennifer Marsh has a passion for hacking and researching the latest cybersecurity trends. Jennifer has contributed to TechCrunch, Microsoft, IBM, Adobe, and CloudLinux. When Jennifer is not programming for her latest personal development project or researching the latest cybersecurity trends, she spends time fostering Corgis.