Go Back   Carder.life > [en] International Forum > Carding News
Reload this Page Malicious Notepad++ Google ads evade detection for months

CARDER.MARKET - CARDING FORUM FOR PROFESSIONAL CARDERS


 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #1  
Old 02-01-2025, 06:24 AM
Artifact's Avatar

Artifact Artifact is offline
Administrator
Join Date: Jan 2024
Posts: 0
Default

A new Google Search malvertizing campaign targets users looking to download the popular Notepad++ text editor, employing advanced techniques to evade detection and analysis.
Threat actors have been increasingly abusing Google Ads in malvertising campaigns to promote fake software websites that distribute malware.
According to Malwarebytes, which spotted the Notepad++ malvertising campaign, it has been live for several months but managed to fly under the radar all this time.
The final payload delivered to victims is unknown, but Malwarebytes says it's most likely Cobalt Strike, which usually precedes highly damaging ransomware deployments.
Abusing Google ads
The Notepad++ malvertizing campaign promotes URLs that are obviously unrelated to the software project yet use misleading titles displayed in Google Search result advertisements.

Malicious promoted search results for Notepad++
This SEO strategy is heavily abused in this case, and since titles are far larger and more visible than URLs, many people are likely to fall for the trap.
Once victims click on any of the ads, a redirection step checks their IP to filter out users likely to be crawlers, VPNs, bots, etc., leading them to a decoy site that does not drop anything malicious.

Site where non-qualifying clicks land
In contrast, legitimate targets are redirected to "notepadxtreme[.]com" which mimics the real Notepad++ site, featuring download links for various versions of the text editor.

The malicious website that drops the payload
When visitors click on those links, a second system fingerprint check is performed by a JavaScript snippet to validate that there are no anomalies or indications that the visitor is using a sandbox.
Victims who are marked as suitable targets are then served an HTA script, which is assigned a unique ID, likely to enable the attackers to track their infections. That payload is served only once per victim, so a second visit results in a 404 error.
Malwarebytes' examination of the HTA didn't produce any useful information due to it not being weaponized at the time, but the analysts found the same file in a VirusTotal upload from July.

The payload having no detections on VT
That file attempted to connect to a remote domain on a custom port, with the researchers believing it was likely part of a Cobalt Strike deployment.

The observed attack chain
To avoid downloading malware when looking for specific software tools, skip promoted results on Google Search and double-check that you have landed on the official domain.
If unsure about the project's real website, check its "About" page, documentation, Wikipedia page, and official social media channels.
https://www.bleepingcomputer.com/new...on-for-months/
 

Tags
NULL

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is On
Forum Jump




All times are GMT. The time now is 09:54 AM.

Contact Us - Carder.life - Archive - Top