Cybercriminals are exploiting Google Ads to distribute malware disguised as a genuine Google Chrome installer, tricking users into downloading the malware.

Threat actors are always innovative, and this recent attack underlines exactly why you need to be on your guard when online. Attackers have been purchasing ads which appear when PC users search for popular software downloads e.g. Google Chrome. Unfortunately, the ads which are served up lead to dangerous websites which closely resemble official download pages. This deception tricks users into downloading and installing malware.

As we spend a high proportion of our work time online, we’re going to dig deep into this attack to see what we can learn.

How Can Google Ads Compromise Your PC?

In this attack, users searching with terms such as “download Google Chrome” might find themselves confronted with a sponsored ad at the top of their search results. This ad can, at first, appear genuine, often having a URL which includes “sites.google.com” – a Google platform used to build free websites. Accordingly, users feel confident that these pages are official and trustworthy, especially when they look very similar to official download sites.

Once a user clicks the ad, they’re redirected to a malicious page which is a highly convincing imitation of the official Google Chrome download site. This page urges users to download a file named “GoogleChrome.exe” and, so far, everything appears as you would expect. With nothing unusual to suspect, users make the decision to trust the page, download the file, and then launch it.

However, once executed, the installer begins to act suspiciously. Firstly, it connects to a remote server to retrieve additional instructions. Secondly, it requests that they user grants it administrative privileges to assist in completing the download. At this point, alarm bells should start ringing, but most users still feel as though the software can be trusted. Once administrative privileges are granted, the installer executes a PowerShell command which prevents Windows Defender from scanning the malware’s location, enabling it to operate quietly in the background.

A further file is then downloaded to the BackupWin directory and, masquerading under the name of a genuine piece of software, opens up a communication channel with the threat actors’ remote server. The malware used is SecTopRAT, a Remote Access Trojan which allows the attackers to take remote control of the infected system and steal sensitive data such as capturing keystrokes, accessing files, and recording user activities.

Protecting Against the SecTopRAT Threat

Your employees are busy with their daily tasks and, therefore, it’s easy for them to have a lapse of judgement and quickly click on something they believe to be genuine. However, this can be disastrous for your IT infrastructure, so it’s crucial that your staff are mindful of the following:

  • Be Cautious of Sponsored Ads: Just because an ad is that the top of the search results, this doesn’t mean it can be trusted. This is why it’s important to always verify the authenticity of a URL before clicking it. Check for any unusual spellings or, to be fully safe, navigate directly to the official website for that software.
  • Only Download from Official Sources: The best approach is to always head straight to the developers website rather than trusting other online sources. Aside from sponsored ads, it’s critical that your team avoids downloading via links in emails or through torrent sites – both of these sources often lead to nothing but malware.
  • Keep Your Security Software Updates: One of the simplest ways to thwart attackers is to make sure your security software is up to date. This software regularly scans your system for threats, but it needs to be updated as soon as possible to detect the latest threats.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More


Thanks to the presence of a previously unknown Windows backdoor, the MadMXShell malware has created digital chaos through the use of Google Ads

Google Ads are a common sight for anyone stepping foot online, and they’re a sure-fire way to guarantee clicks for those behind the advertising campaigns. Naturally, this makes of great interest to threat actors, as not only is malvertising a useful tool for hacking, but it’s also an easy way to lead people to malicious websites. MadMXShell appears to be a complex piece of malware, comprising several attack methods and tools, so it’s crucial that your organization is on guard against it.

How MadMXShell Serves Up its Malware

The threat actor responsible for MadMXShell is yet to be identified, but the effort invested in the attack demonstrates they’re highly skilled. Having created several domains in the IP scanner niche – with similar sounding names to official sites (a technique known as typosquatting) – the threat actor took advantage of the Google Ads algorithm to push them to the top of the search engine results. This was achieved by targeting keywords – words/phrases entered into search engines by those searching for specific content – and ensuring that their click rate was maximized.

Once lured to these malicious websites, it appears that visitors are encouraged to download IP scanner software. But, as you’ve already worked out, there is no IP scanner software to download. Instead, MadMXShell is downloaded and executed. With its strategy made up of a multi-targeted attack, MadMXShell sets to work harvesting data from infected systems. It does this by communicating with command-and-control servers and evades detection by injecting altered code into seemingly legitimate processes.

Curiously, as the entire campaign centers around IP scanning software, it would appear the main target of MadMxShell are IT professionals. Despite being a tough crowd to deceive, MadMXShell has already managed to gain plenty of victims, and underlines the ease with which even professionals can be taken in by malware.

Keeping the Threat of MadMxShell at Bay

It may sound as though MadMxShell is impossible to protect yourself against, especially if IT experts are struggling to defend against its threat. However, by taking the time to consider the validity of content you see online, you can significantly reduce the risk of falling victim to MadMxShell or similar attacks. The most important factors to consider are:

  • Always Verify Sources: before clicking on an online advert, always verify its source. If you’re unfamiliar with a website name then try performing a Google search against it, as this may flag it up as a malicious website. Remember, many attacks will use typosquatting, so it’s important that URLs are double checked e.g. usa.visa.com is official, but usa.v1sa.com is an attempt to fake the official website.
  • If It’s Too Good to Be True: online adverts which are offering unlikely and unrealistic rewards should always be scrutinized closely. While they may not necessarily link you to malicious websites, it’s more than likely that some form of scam/deception is the most likely end point.
  • Use an Adblocker: pop-up adverts are both annoying and a potential security risk, so why not minimize these risks by installing an adblocker into your browser? Easy to operate, and available for free, these browser add-ons allow you to prevent pop-up adverts from being displayed on your screen. Popular adblockers include Adblock Plus, Privacy Badger, and Ghostery.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More


Search engines are the gateway to the internet, but there’s a very real chance they may just be serving up malware each time you use them.

We all use search engines on a daily basis – with Google being the most popular choice – and, to be honest, we probably take them for granted in terms of security. However, the FBI is now warning that search engine results may represent a significant threat to the security of your PC. As with most security threats, this new technique relies on deception; in this instance, the threat actors are harnessing the power of search engine advertisements.

Due to our reliance on search engines, it’s important we understand the nature of this latest threat. And, to help you protect your IT infrastructure, we’re going to take you through the basics of this attack.

Malware by Advertising

Whenever you put a search request into, for example, Google, you will receive a long list of search results. The higher a result is, the more clicks it’s likely to get from people searching for that term. Search engines understand the importance of ranking high in their results and, therefore, they make it possible for people to pay to advertise at the very top of the search results. These advertisements look almost identical to the organic search results, with only a small “Ad” tag next to them. Accordingly, these can easily be mistaken for organic search results.

Despite many of these advertisements being legitimate, and merely paying to skip to the top of the search results page, the FBI has discovered many of these advertisements are linked to malware. Threat actors are purchasing advertising space which appears to be for genuine companies, such as finance platforms, and using very similar URLs to tempt people into clicking their link. However, these links are simply a way to redirect people to sites looking to distribute malware. Worse still, the advertisements used will often display a URL to a genuine site, but redirect you to an altogether different site.

Stay Safe from Fake Ads

The last thing you want to do is fall victim to a fake ad, after all you may simply be searching for somewhere to go and have lunch. Therefore, it pays to stay safe and know how to protect yourself from fake search engine ads. You can do this by practicing the following:

  • Check that top result: remember, it’s important you know what you’re clicking on, so make sure you double check any results at the top of Google. While, for example, it may look like a search result for Bank of America, the actual URL within the result may be slightly different e.g bank0famerica.com. And, if you click on it, you could quickly find yourself on a malicious site.
  • Block Google ads: it’s possible to block Google ads from appearing in the search engine results page, all you have to do is install an ad-blocker such as Blockzilla. These apps filter incoming web pages – including search engines – and ensure any intrusive ads or promoted posts are blocked.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More