• All Articles

Recent Malvertising scams spreading Unwanted-programs & Ransomware

By Anna

June 6, 2024

Search engines are powerful tools which assist end users worldwide in finding exactly the content that they are looking for in a matter of seconds! Advertisers also benefit from these platforms, displaying highly targeted Google Ads to promote their services to the eager end user. Because these ads are based on search results, they are bound to spark the end user’s attention, making it more likely for the Advertiser to get conversions - It’s a win-win situation! 

However, there is a dark side to Search engines’ popularity, wide reach and usage. And it is that not only legitimate Advertisers target online audiences with their ads, but also Malvertisers and Cybercriminals do, looking to deceive them into giving away their personal data with shocking ad security violations. In this article, we talk about 3 recent Malvertising scams stories about 3 different Malvertising groups that use Google Ads to spread dangerous Google Ads Malvertising scams such as Unwanted-programs and Ransomware. 

As a quick recap, here’s what these two Ad Security violations do:

Ransomware: How does Ransomware Malvertising work? This form of Malware holds the end user’s device captive while demanding a ransom. It restricts user access to the device either by encrypting files on the hard drive or locking down the system and displaying messages.

Unwanted-programs: How to get rid of Unwanted-programs? This violation consists of an executable file or mobile application typically disguised as a legitimate download bundle that once downloaded engages in behavior that negatively affects the user's browsing or computing experience. Some forms of Unwanted-programs can contain Adware, Browser Hijackers, Scareware and Spyware.

Keep reading to find out more about these 3 recent Malvertising scams, the real cost of Malvertising,  and to learn how to get rid of Malvertising quickly and safely! 

Recent Malvertising scams: Arc Browser’s Windows launch hijack with Unwanted-programs 

Lets get into the first 1 of the 3 recent Malvertising scams: A Google Ads Malvertising campaign targeted the launch of the Arc web browser for Windows, tricking unsuspecting end users into downloading Unwanted-programs in order to infect their devices with Malware. Arc is an innovative new web browser which was launched in July 2023 for macOS and received great reviews from tech experts and end users. Its launch on Windows was highly anticipated and, according to Bleeping Computer, Malvertisers prepared for it by setting up dangerous Google Ads Malvertising scams to lure end users looking to download the new browser. 

Like many other ad platforms, Google is susceptible to Malvertisers swapping legitimate URLs on ad campaigns with malicious ones post-launch, thus bypassing pre-launch ad security checks. An added problem to Google is that it allows bad actors to promote malicious search ads displaying legitimate URLs, which however, once clicked, redirect end users to wherever the Malvertiser wants them to go, generally a malicious landing page. In this case, end users are redirected to typo-squatted domains that visually resemble the genuine Arc browser site. This vulnerability has been abused to target big companies such as Amazon, Whales Market, WebEx, and even YouTube. Such is the cost of Malvertising, beyond a website blocked due to Malvertising.

Once the unassuming end user hits the Download button, a trojanized installer file downloads Malware into their device, enabling the bad actors behind the attack to control it from their undisclosed location, and ultimately being able to steal the end user’s private information for their own illegitimate means. 

Because the bogus site will still install the Arc browser as expected, as well as the malicious files quietly running in the background, it's unlikely for the end users to realize they have now become infected with Malware. This means that their personal information, which could include bank account credentials and even live locations, can become exposed for lengthy periods of time going completely unnoticed, giving Malvertisers plenty of time to run their exploits. Wondering how to get rid of Malvertising quickly and safely and how to get rid of Unwanted-programs? These methodologies described on these recent Malvertising scams can be blocked by using a Malvertising Prevention software such as AdSecure which runs pre and post-launch scans, making sure that your ad campaigns remain compliant and safe at all times. 

Malvertising Group uses corrupted Google ad campaigns to harvest end user data

According to The Hacker News, a Malvertiser group known as FIN7 has been using dangerous Google Ads Malvertising scams impersonating legitimate brands including AnyDesk, WinSCP, BlackRock, Asana, Concur, The Wall Street Journal, Workable, and Google Meet in order to deliver MSIX installers. This Unwanted-programs attack culminates in the deployment of NetSupport RAT, which is a remote control and info stealer Malware designed to allow Malvertisers to send stolen data and also remotely access and control the compromised device.

This is how this recent Malvertising scam works: End users who visit these bogus sites via Google ads are shown a pop-up message. This message urges them to download a fake browser extension containing malicious NetSupport RAT script which grants the Malvertiser access to the end user’s device and allows them to both remotely control the device and gather sensitive system information. "The Malware, once installed, often registers commands in the task scheduler to maintain persistence, enabling continuous installation of new Malware even after removal," Broadcom-owned Symantec said.

FIN7’s Malvertising attempts are generally oriented towards data theft, which easily ends up in Ransomware attacks or them selling the data to untrustworthy third parties. How does Ransomware Malvertising work? The Malvertiser group’s attacks on the aforementioned recent Malvertising scam have the ability to bypass security mechanisms like Microsoft Defender SmartScreen, making them especially dangerous for Windows users!

The FIN7 group has been active since 2013 and is famous for breaching large firms with Ransomware campaigns, and for using custom Malware families such as BIRDWATCH, Carbanak and TERMITE. Although their most famous breach method is spear-phishing, in recent months the group has started using Malvertising techniques to initiate the attack chains. This once again means that it is more important than ever to use find out how to get rid of Unwanted-programs and acquire specialized Malvertising detection and removal software such as AdSecure.

Fake Putty and WinSCP ads riddled with Ransomware pose a threat to System Administrators

The last one of the 3 recent Malvertising scams; a Ransomware attack targets Windows System Administrators launching dangerous Google Ads Malvertising scams to promote phony download sites for Windows utilities Putty and WinSCP on Google and Bing. The compromised sites use typosquatting domain names such as puutty.org, puutty[.]org, wnscp[.]net, and vvinscp[.]net. Because System Administrators commonly have higher privileges on a Windows network, they are obvious targets for Malvertisers looking to steal end user sensitive data and deploy Ransomware. 

The attack for this recent Malvertising scam itself is far from simple: The bogus sites on these Malvertiser campaigns include download links which, when clicked, will either redirect the end user to legitimate sites or download a ZIP archive from the Malvertiser’s servers based on whether they were referred by a search engine or another site in the campaign. The downloaded ZIP archives contain a Setup.exe executable, which is a renamed and legitimate executable for Python for Windows (pythonw.exe) , and a malicious python311.dll file.

When the pythonw.exe executable is launched, it then tries to launch a legitimate python311.dll file. However, the Malvertisers have previously replaced this DLL with a malicious version of the same. When an end user runs the Setup.exe, thinking it's installing PuTTY or WinSCP, it loads the malicious DLL, which extracts and executes an encrypted Python script. Then, the Sliver post-exploitation toolkit is installed to remotely drop further payloads which will be used by the Malvertisers to decrypt data and deploy a Ransomware attack. 

With this complicated methodology, the Malvertisers behind these recent Malvertising scams have managed to cover their tracks against most human-based compliance teams and detection systems. This is why, once again, it is paramount to look into a Real-Time Malvertising blocking solution that specifically detects illegitimate redirects such as the one mentioned above, thus avoiding end users being specifically targeted and redirected depending on the Malvertiser’s criteria. This is how to get rid of Malvertising quickly and safely.

Conclusions: How to get rid of Malvertising quickly and safely

Are you wondering, 'how to prevent Malvertising on my Ad Network?' or 'how to remove Malvertising from my website?' to prevent a website blocked due to Malvertising? As you can see, the cost of Malvertising can be quite high: Ransomware and Unwanted-programs can be quite haunting violations for the end user, and they can be easily spread as dangerous Google ads Malvertising scams! This highlights the importance of having both an accomplished professional Compliance Team and a Malvertiser detection and blocking tool which allows you to monitor the ad supply chains on your platform real-time, pre and post-launch.

This applies both to Ad Networks and website Publishers alike, since it is the responsibility of all to maintain the online world a safe and compliant one, granting a secure and pleasant browsing experience for the end users. Want to test out AdSecure’s software to keep your ads clean and your end users safe? Do you have any more questions on how does Ransomware Malvertising work? Get in touch with us to organize a meeting with our team, or why not sign up for a Free Trial now?

Share this article on