November 2, 2023
Severity
High
Analysis Summary
Researchers have recently brought to light a new malvertising campaign that uses a compromised website to promote malicious versions of PyCharm in Google search results through Google's Dynamic Search Ads.
“Unbeknownst to the site owner, one of their ads was automatically created to promote a popular program for Python developers, and visible to people doing a Google search for it,” the researchers said in a report. “Victims who clicked on the ad were taken to a hacked web page with a link to download the application, which turned out to install over a dozen different pieces of malware instead.”
The compromised website is an unnamed online portal offering wedding planning services; it has been injected with malicious content that serves fake download links for the PyCharm software. Potential targets are directed to the website via Dynamic Search Ads, a Google ad service that automatically generates tailored ads from the website's own content based on the user's search terms.

A threat actor who can change a website's content at will can therefore abuse that site's ad campaigns as a malvertising tool and deliver the resulting ads to Google Search users effectively. This also makes the website owner a victim and an unwitting intermediary who pays for their own malicious ads.
The campaign targets users worldwide, with DNS traffic observed from Canada, Hong Kong, and Switzerland. It was thought to have been active since September 2023, but the researchers have now found that the domain names used in the campaign were registered as early as June 2023.
Impact
- Unauthorized Access
- Information Theft
Indicators of Compromise
URL
Remediation
- Block all threat indicators at your respective controls.
- Search for the indicators of compromise (IOCs) in your environment using your respective security controls.
- Keep systems up to date and patch regularly.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Enforce access management policies.
- Prohibit password sharing.
- Restrict installation of untrusted third-party applications.
- Do not use the same password for multiple platforms, servers, or networks.
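As an added illustration of the "search for IOCs in your environment" step (example code written for this page, not Rewterz's tooling), the script below indexes URL indicators by exact host and path and by host alone, then scans Squid-style proxy access log lines for downloads that match. The IOC URLs and log lines are constructed placeholders using reserved example addresses, not the advisory's real indicators.

```python
import re
from urllib.parse import urlparse

# Constructed placeholder IOC URLs (reserved example names/addresses, not real indicators).
IOC_URLS = [
    "http://malvertising-example.invalid/wp-download/File.7z",
    "http://198.51.100.7/download/Services.exe",
]

# Constructed Squid-style access log lines: ts elapsed client action/status bytes method url ...
LOG_LINES = [
    "1698912000.123    312 10.0.0.15 TCP_MISS/200 204800 GET http://malvertising-example.invalid/wp-download/File.7z - HIER_DIRECT/192.0.2.10 application/x-7z-compressed",
    "1698912001.456     45 10.0.0.22 TCP_MISS/200 1024 GET http://198.51.100.7/download/other.exe - HIER_DIRECT/198.51.100.7 application/octet-stream",
    "1698912002.789     10 10.0.0.31 TCP_MISS/200 512 GET http://www.example.com/ - HIER_DIRECT/192.0.2.20 text/html",
]

LOG_RE = re.compile(r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")


def normalize(url):
    """Return (host, path) with a lower-cased host; CONNECT-style 'host:port' entries get a scheme."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    p = urlparse(url)
    host = (p.hostname or "").lower().rstrip(".")
    return host, (p.path or "/")


def build_ioc_index(urls):
    """Index IOCs by exact (host, path) and by host/IP alone so same-host variants still surface."""
    exact, hosts = set(), set()
    for u in urls:
        host, path = normalize(u)
        exact.add((host, path))
        hosts.add(host)
    return exact, hosts


def scan_proxy_log(lines, ioc_urls):
    """Return (client, host, path, match_type) for each log line touching an IOC host."""
    exact, hosts = build_ioc_index(ioc_urls)
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or non-matching lines
        host, path = normalize(m.group("url"))
        if (host, path) in exact:
            hits.append((m.group("client"), host, path, "exact_url"))
        elif host in hosts:
            hits.append((m.group("client"), host, path, "host_only"))
    return hits
```

Host-only matches are worth triaging as well, since the same distribution host often serves more than the one file named in an advisory.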