Until further notice, think twice before using Google to download software

Searching Google for downloads of popular software has always come with risks, but over the past few months, it has been downright dangerous, according to researchers and a pseudorandom collection of queries.

“Threat researchers are used to seeing a moderate flow of malvertising via Google Ads,” volunteers at Spamhaus wrote on Thursday. “However, over the past few days, researchers have witnessed a massive spike affecting numerous famous brands, with multiple malware being utilized. This is not ‘the norm.’”

One of many new threats: MalVirt

The surge is coming from numerous malware families, including AuroraStealer, IcedID, Meta Stealer, RedLine Stealer, Vidar, Formbook, and XLoader. In the past, these families typically relied on phishing and malicious spam that attached Microsoft Word documents with booby-trapped macros. Over the past month, Google Ads has become the go-to place for criminals to spread their malicious wares that are disguised as legitimate downloads by impersonating brands such as Adobe Reader, Gimp, Microsoft Teams, OBS, Slack, Tor, and Thunderbird.

On the same day that Spamhaus published its report, researchers from security firm Sentinel One documented an advanced Google malvertising campaign pushing multiple malicious loaders implemented in .NET. Sentinel One has dubbed these loaders MalVirt. At the moment, the MalVirt loaders are being used to distribute malware most commonly known as XLoader, available for both Windows and macOS. XLoader is a successor to malware also known as Formbook. Threat actors use XLoader to steal contacts' data and other sensitive information from infected devices.

The MalVirt loaders use obfuscated virtualization to evade end-point protection and analysis. To disguise real C2 traffic and evade network detections, MalVirt beacons to decoy command and control servers hosted at providers including Azure, Tucows, Choopa, and Namecheap. Sentinel One researcher Tom Hegel wrote:

As a response to Microsoft blocking Office macros by default in documents from the Internet, threat actors have turned to alternative malware distribution methods—most recently, malvertising. The MalVirt loaders we observed demonstrate just how much effort threat actors are investing in evading detection and thwarting analysis.

Malware of the Formbook family is a highly capable infostealer that is deployed through the application of a significant amount of anti-analysis and anti-detection techniques by the MalVirt loaders. Traditionally distributed as an attachment to phishing emails, we assess that threat actors distributing this malware are likely joining the malvertising trend.

Given the massive size of the audience threat actors can reach through malvertising, we expect malware to continue being distributed using this method.

Google representatives declined an interview. Instead, they provided the following statement:

Bad actors often employ sophisticated measures to conceal their identities and evade our policies and enforcement. To combat this over the past few years, we’ve launched new certification policies, ramped up advertiser verification, and increased our capacity to detect and prevent coordinated scams. We are aware of the recent uptick in fraudulent ad activity. Addressing it is a critical priority and we are working to resolve these incidents as quickly as possible.

Anecdotal evidence that Google malvertising is out of control isn’t hard to come by. Searches seeking software downloads are probably the most likely to turn up malvertising. Take, for instance, the results Google returned for a search Thursday looking for “visual studio download”:

Clicking that Google-sponsored link redirected me to downloadstudio[.]net, which is flagged by VirusTotal as malicious by only a single endpoint provider:

On Thursday evening, the download this site offered was detected as malicious by 43 antimalware engines:

The download is malicious:

Searching Google for the Tor anonymity browser didn’t fare any better. Clicking on the Google Ad returned for “Tor download” directed to the domain torprojects[.]pw.

The IP address that was hosting the site, 208.91.197[.]91, was flagged by five separate engines:

Searches for other software, including Thunderbird, MSI Afterburner, and Audacity, returned similar badness.

Thunderbird malvert.

Thunderbird malvert.

VirusTotal results for the fake Thunderbird download.

VirusTotal results for the fake Thunderbird download.

MSI Afterburner malvert.

MSI Afterburner malvert.

VirusTotal results for the fake Thunderbird download.

MSI Afterburner malvert.

The site that the malvert loads.

The real MSI Afterburner page looks almost identical.

VirusTotal results for the MSI Afterburner download page.

VirusTotal results for the domain hosting the fake MSI Afterburner download.

One of the IP addresses hosting a malicious domain.

Audacity malvert.

It’s clear that despite all the progress Google has made filtering malicious sites out of returned ads and search results over the past couple decades, criminals have found ways to strike back. These criminals excel at finding the latest techniques to counter the filtering. As soon as Google devises a way to block them, the criminals figure out new ways to circumvent those protections.

One example is documented here by Sentinel One’s Hegel:

Formbook and XLoader disguise real C2 traffic among smokescreen HTTP requests with encoded and encrypted content to multiple domains, randomly selected from an embedded list. Only one of the domains is the real C2 server and the rest are decoys. A sample we analyzed issued HTTP GET and/or POST requests with encoded and encrypted HTTP data to 17 domains (16 endpoints) listed in the IOC table below. Previous research provides detailed information on how XLoader in particular implements this technique.

The technique of camouflaging the true C2 domain through beaconing to multiple domains remains consistent with the previously noted research. The malware beacons to domains containing legitimate and/or unused registered domains. As shown in the following image, as a snapshot of some domains the malware contacts, there is a wide variety of domain times, hosting providers, and age between their relevant registration date.

Credit: Sentinel One

Until Google devises new defenses, the decoy domains and other obfuscation techniques remain an effective way to conceal the true control servers used in the rampant MalVirt and other malvertising campaigns. The malware MalVirt pushes is equally elusive to detection. The payload uses the NtQueryInformationProcess and NtQuerySystemInformation functions to detect the presence of user- and kernel-land debuggers.

A plea to Google

It’s clear at the moment that malvertisers have gained the upper hand over Google’s considerable might. Spamhaus researchers wrote:

The Spamhaus Project’s domain expert, Carel Bitter, questioned why Google Ads approved adverts linking to new domains. Throughout the security industry, the immediate use of newly registered domains is associated with high-risk activity. If you take a look at the WHOIS data for one of the Nvidia lookalike domains, it was created less than a week ago:

Carel acknowledges that he’s an expert on domains, not Google Ads security—we’d love to hear from you if you have detailed knowledge in this area and can help us understand why Google is allowing the use of recently registered domains.

In the meantime, we hope Google Ads can rapidly quash this wave of malicious behavior across their platform.

Until Google regains its footing, people should be extremely cautious when searching Google, and likely other search sites, particularly for software downloads.