PDF Converter: How your search for a PDF converter or Notepad++ can be dangerous
Be careful if you search Google for PDF converters or Notepad++. According to cyber security company Malwarebytes, a malicious campaign has emerged that abuses Google Ads to direct users searching for these popular programs to dangerous landing pages and deliver next-stage payloads. The report says the campaign is “unique in the way it fingerprints users and delivers time-sensitive payloads”. The other thing that sets this campaign apart is the way the payload is downloaded.
How hackers work
The campaign targets users searching Google for free versions of Notepad++ and PDF converters with fake ads. Clicking one of these ads sends the user to a fake website, but only after bots and unwanted IP addresses have been filtered out. “The first level of filtering occurs when a user clicks on one of these ads. This is likely an IP check that removes VPNs and other non-real IP addresses and replaces them with a fake site,” the report says.
The victim is redirected to a fake website advertising the software, while the site silently fingerprints the visitor's system to determine whether the request is coming from a virtual machine. According to the report, potential targets are assigned a unique ID for tracking and to make each download unique and time-sensitive.
The final stage malware establishes a connection to a remote domain (“mybigeye[.]icu”) on a custom port and serves follow-on malware via an HTA payload.
“Threat actors are successfully implementing evasion techniques that bypass ad validation checks and allow them to target certain types of victims,” said Jerome Segura, director of threat intelligence at Malwarebytes.
“With a reliable malware delivery chain in hand, malicious actors can focus on improving their fake pages and crafting custom malware payloads,” he said.
The report states that users who reach the decoy site are tricked into downloading a malicious installer, which then executes FakeBat (aka Eugenloader), a loader designed to download additional malicious code.
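The delivery chain described above leaves two things a defender can actually look for in network telemetry: the remote domain the report names, and an HTA payload talking to a remote host on a non-standard port. The script below is an added example written for this page, not code from Malwarebytes or from the report. It assumes a simple key=value export of process network events (hypothetical format), that the HTA payload is executed by Windows' mshta.exe (an assumption about the execution host, which the report does not state), and uses constructed sample events; the port 4477 and every hostname other than the report's mybigeye[.]icu are placeholders.

```python
import re
from dataclasses import dataclass, field

# Defanged indicator exactly as it appears in the report quoted above.
IOC_DOMAINS_DEFANGED = ["mybigeye[.]icu"]

# Ports treated as ordinary web traffic. The report only says the loader uses a
# "custom port", so any mshta.exe connection outside this set is flagged.
COMMON_WEB_PORTS = {80, 443}

# Constructed sample events (hypothetical EDR/proxy key=value export, not real
# telemetry). Port 4477 and the non-IOC hostnames are placeholders.
SAMPLE_EVENTS = """\
ts=2023-10-30T12:01:05Z host=WS01 proc=chrome.exe dst=www.google.com port=443
ts=2023-10-30T12:01:20Z host=WS01 proc=notepad++_setup.exe dst=decoy.example port=443
ts=2023-10-30T12:01:44Z host=WS01 proc=mshta.exe dst=mybigeye.icu port=4477
ts=2023-10-30T12:02:10Z host=WS02 proc=mshta.exe dst=intranet.example port=80
ts=2023-10-30T12:02:30Z host=WS03 proc=svchost.exe dst=cdn.mybigeye.icu port=443
""".splitlines()

EVENT_RE = re.compile(r"(\w+)=(\S+)")


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('mybigeye[.]icu') into a matchable hostname."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def matches_ioc(hostname: str) -> bool:
    """True for the IOC domain itself or any subdomain of it."""
    host = hostname.lower().rstrip(".")
    return any(host == ioc or host.endswith("." + ioc) for ioc in IOC_DOMAINS)


@dataclass
class Finding:
    host: str
    proc: str
    dst: str
    port: int
    reasons: list = field(default_factory=list)


def parse_event(line: str) -> dict:
    """Parse one key=value event line into a dict (unknown keys are kept)."""
    return dict(EVENT_RE.findall(line))


def scan_events(lines):
    """Return a Finding for every event that hits the IOC domain or shows
    mshta.exe connecting on a port outside COMMON_WEB_PORTS."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if not all(k in ev for k in ("host", "proc", "dst", "port")):
            continue  # malformed line; skip rather than crash the scan
        port = int(ev["port"])
        reasons = []
        if matches_ioc(ev["dst"]):
            reasons.append("ioc-domain")
        if ev["proc"].lower() == "mshta.exe" and port not in COMMON_WEB_PORTS:
            reasons.append("mshta-nonstandard-port")
        if reasons:
            findings.append(Finding(ev["host"], ev["proc"], ev["dst"], port, reasons))
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f.host}: {f.proc} -> {f.dst}:{f.port} [{', '.join(f.reasons)}]")
```

Run against the constructed events, WS01 is flagged on both rules (the IOC domain reached by mshta.exe on a non-standard port) and WS03 on the subdomain match alone; the mshta.exe connection on WS02 to port 80 is deliberately not flagged, because the port rule is only a weak signal and should be combined with a domain or reputation check before it pages anyone.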