IcedID Botnet Distributors Abuse Google PPC to Disseminate Malware

The IcedID-modified MSI or installer files are almost identical to the legitimate version.


To improve traffic and sales, businesses use Google Ads to deliver adverts to specific target audiences. Since the beginning of December, the IcedID botnet distributors have been using SEO poisoning to lure search engine users to phony websites that result in the download of malware.
To display malicious ads above the organic search results, the attackers are selecting and bidding on keywords used by well-known businesses and applications in Google pay-per-click (PPC) ads.
  • Attackers are abusing terms used by organizations including Adobe, AnyDesk, Brave Browser, Chase Bank, Discord, Fortinet, GoTo, Teamviewer, Thunderbird, the US Internal Revenue Service (IRS), and others, according to Trend Micro researchers.
  • Attackers employ the official Keitaro Traffic Direction System (TDS) to duplicate the websites of reputable companies and well-known applications in order to filter researcher and sandbox traffic and direct potential victims there.
  • A malicious Microsoft Software Installer (MSI) or Windows Installer file will be downloaded onto the user's computer if they click the Download button.
  • The file serves as the bot's initial loader, obtaining the bot's core before releasing a backdoor payload.
Escaping Detection:

IcedID operators have employed a number of strategies in these malvertising attacks to make detection difficult. Well-known and widely used libraries such as tcl86.dll, sqlite3.dll, conEmuTh.x64.dll, and libcurl.dll are among the files modified to serve as IcedID loaders.

Because the genuine and modified versions of the MSI or installer files are so similar, machine learning detection engines and whitelisting systems have difficulty identifying the modified versions.
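As an added illustration (not code from the original post or from Trend Micro), the following Python check shows the defender's side of that observation: an exact-hash allowlist misses a lightly patched copy of a library, while a chunk-wise comparison against the known-good file flags it as a near-identical variant and reports where it differs. The file contents, the allowlist and the 0.9 threshold are constructed placeholders.

```python
import hashlib
from typing import Optional

# Constructed stand-ins for a legitimate library image and a patched copy of it
# (not real file contents): the post describes trojanized tcl86.dll / sqlite3.dll
# loaders that differ from the genuine files only slightly.
GOOD = b"tcl86-legit-code" * 64            # 1024 bytes
_patched = bytearray(GOOD)
_patched[512:528] = b"\x90" * 16            # constructed 16-byte modification
PATCHED = bytes(_patched)

# Allowlist keyed by SHA-256 of known-good files (constructed).
TRUSTED_SHA256 = {hashlib.sha256(GOOD).hexdigest(): "tcl86.dll"}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def allowlisted(data: bytes, trusted: dict) -> Optional[str]:
    """Exact-hash allowlist lookup; any single byte change makes this miss."""
    return trusted.get(sha256(data))


def diff_regions(a: bytes, b: bytes, chunk: int = 64) -> list:
    """(offset, length) of fixed-size chunks that differ between a and b."""
    total = max(len(a), len(b))
    regions = []
    for off in range(0, total, chunk):
        if a[off:off + chunk] != b[off:off + chunk]:
            regions.append((off, min(chunk, total - off)))
    return regions


def similarity(a: bytes, b: bytes, chunk: int = 64) -> float:
    """Fraction of chunks that are byte-for-byte identical."""
    total = max(len(a), len(b))
    if total == 0:
        return 1.0
    n_chunks = -(-total // chunk)  # ceiling division
    return 1.0 - len(diff_regions(a, b, chunk)) / n_chunks


def assess(candidate: bytes, reference: bytes, trusted: dict, threshold: float = 0.9) -> dict:
    """Allowlist first; if that misses, compare against the known-good reference."""
    digest = sha256(candidate)
    if digest in trusted:
        return {"verdict": "allowlisted", "sha256": digest, "name": trusted[digest]}
    sim = similarity(candidate, reference)
    verdict = "suspect: near-identical to reference but hash differs" if sim >= threshold else "unrelated or heavily modified"
    return {"verdict": verdict, "sha256": digest, "similarity": sim, "regions": diff_regions(candidate, reference)}


if __name__ == "__main__":
    print(assess(PATCHED, GOOD, TRUSTED_SHA256))
```

In practice the reference copy would come from the vendor's signed release, and the differing regions are where an analyst would start looking.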

In recent months, cybercriminals have utilised IcedID to establish persistence on the host, gain initial access, and carry out other illegal activities. In October, attackers were seen using phishing emails in Italian or English to distribute IcedID through ISO files, archives, or document attachments containing macros. In September, the UAC-0098 group was observed using IcedID and Cobalt Strike payloads to target Ukrainian NGOs and organisations in Italy.

In the same month, IcedID was being delivered by Raspberry Robin worm infections. The threat actors behind IcedID have recently used a wide range of distribution techniques, as is to be expected while they test which tactics are most effective against particular targets. Users should be on the lookout for fraudulent or phishing websites and be cautious when downloading from websites.