Threat actors used Malicious Google Ads to capture the millions of users abandoning WhatsApp for Signal and Telegram in early 2021
eSentire, the leading global provider of Managed Detection and Response (MDR) services, had previously tracked two malicious campaigns (titled Gootloader and SolarMarker) that targeted business professionals using Google Search throughout 2021, and now eSentire researchers have identified a third campaign that is employing RedLine Stealer, an info-stealer. According to eSentire’s security research team, the Threat Response Unit (TRU), this latest campaign relies on the use of malicious Google Ads and web pages that replicate the legitimate download page for secure chat applications, such as Signal (Image 5). Using the fake Signal page, this malicious campaign’s objective is to socially engineer victims into downloading and executing Redline Stealer. Stolen information can be sold on the dark web or directly used in further intrusions and fraud campaigns. Similar malicious Google ad campaigns have recently been observed using AnyDesk, DropBox and Telegram as lures.
In January 2021, following an unfavorable update to its Terms of Service, users abandoned WhatsApp for alternatives; those users primarily migrated to Signal and Telegram (See image 1), according to analysts. In an article in the London Guardian, during the first three weeks of January, Signal gained 7.5 million users globally, according to figures shared by the UK parliament’s home affairs committee, and Telegram gained 25 million in the UK. Shortly after, cybercriminals leveraged Signal and Telegram’s resulting market gains to deploy malicious Google Ads. (See Image 2, 3, 4). For example, when the victim clicks on the malicious ad for Signal the computer user is taken to an exact replica of Signal’s download page (See Image 5). Using both endpoint and log data, the TRU observed contact with these ad domains preceding the installation and execution of RedLine Stealer (Image 7-10). In the case of Telegram (Images 9-10), the file name was no more descriptive than “SETUP”, but soon after the incident, the user downloaded a legitimate version of Telegram, supporting the hypothesis that the user was looking for a version of Telegram to download.
Evidence that the fake, ad-based Signal page is malicious is as follows: Most of the links do not work on the fake Signal page but do on the real Signal page. Secondly, the download button on the fake page (the one button that works) depends on an unknown php script controlled on the server side; the fake Signal page delivered an outdated version of Signal when TRU attempted the download, potentially a result of the server detecting the security tools used (Box 1). Thirdly, the top-level domains for the fake Signal download page are not standard top-level domains. Finally, all the suspicious ads share hosting provider, NameCheap. An analysis of registration and hosting parameters across a sample of suspicious sites of the “same structure” (as defined by Urlscan) demonstrates the potential for multiple malvertising campaigns (Figure 11).
The threat group behind this campaign likely created this fake Signal page to further convince the victim that they are visiting Signal’s actual website. Instead of receiving the installer, they are served AutoIT scripts (a Windows program used to automate different functions) which then deploys RedLine Stealer.
The TRU observed four cyber incidents at two different organizations from late March to early April. One company is in the legal profession, while the other is in the real estate industry. Interestingly, when a TRU researcher clicked on the malicious Web Ads and attempted to download the Signal installer, the researcher was served an older version (1.40.1) of Signal and Signal’s icon, through a suspicious PHP script, from the legitimate Signal website (signal.org). TRU’s hypothesis is that they were not served RedLine because the threat actors’ infrastructure can detect visitors coming from Virtual Machines, as opposed to an actual computer. One potential indicator that the Google ad is part of this campaign is that the malicious Google ads often contain suspicious looking top-level domains (TLDs) such as .digital, .link, .store and .club, but include the name of the targeted chat app in their domain (e.g. desktop-signal.store).
The threat actors who launched these malicious campaignswould have had to spend money purchasing Google ads. The cost of these ads depend on many variables, including the popularity of the keyword (e.g. Signal, Telegram, Viber) and the willingness of other advertisers to pay for that keyword in their ads. Although we do not know the total amount the cybercriminals spent on the Google ads, we do know that purchasing the keyword “Telegram” can run .40 USD per click, while the keyword “Signal” can cost up to $1.40 USD per click. It is possible that financing for these ad purchases were themselves sourced by earnings from previous malicious campaigns.
These latest incidents are a further example of how drive-by- downloads are becoming a popular attack vector in 2021. Threat actors are developing their capability around hijacking computer users as they conduct business via Google Search. In the past six months, we have seen three different campaigns involving threat actors targeting unsuspecting computer users and business professionals with malicious Google Search results. Besides the RedLine campaign mentioned here, campaigns include the SolarMarker threat, where business professionals were being lured to hacker-controlled websites, hosted on Google Sites, in search of free templates for business forms, such as invoices, questionnaires and receipts. More recently, the TRU observed a campaign leveraging Gootloader, which tried to infect business professionals by enticing them to web pages which purportedly hosted examples of different business agreements.
About RedLine Stealer Malware
According to research firm Proofpoint, the RedLine Stealer malware first appeared on Russian Underground markets in March 2020. Proofpoint reported that the malware was being offered for sale with several pricing options including a lite version for $150, $200 for the pro version, or a $100 monthly subscription option. RedLine steals login credentials from Internet browsers, passwords and credit card data. It has also been reported that it is able to steal cryptocurrency cold wallets. Redline also pulls information about the computer user, their device including the username, their location, hardware configuration and installed security software.
Key Takeaways:
Comments from Spence Hutchinson, Manager of Threat Intelligence for eSentire
“Threat actors continue to spend time and money to capture and infect as many victims as possible. They are spending money to purchase Google ads (although they could be using stolen credit cards to purchase the ad space), and they have spent time creating believable ads and almost exact replicas of the download pages for some of the most popular secure chat applications, e.g., Signal, Telegram, Viber, etc. said Spence Hutchinson, Manager of Threat Intelligence for eSentire. This signals to our research team that:
- eSentire is seeing a continued trend of Google’s search results getting poisoned by Drive-by-Download campaigns in the wild
- Drive-By- Download campaigns are becoming a more popular threat vector for cybercriminals. It used to be that malspam was the favored tactic. However, the drive-by-download tactic seems to be gaining ground
- o Threat actors have recently had success using various business resources (e.g., offering sample business agreements, sample business forms and ways to download secure chat applications) as lures.
- Corporate internal security teams and external security teams need to make sure employees are very aware of the different tactics threat actors are using to lure them to malicious web pages, malicious ads and malicious documents.
- Users should inspect the domains of results in Google Search and check that they trust the address they’re about to visit, especially if they are looking for something to download.
- The bottom line is employees always need to be wary of free things on the Internet whether it something as dubious as cracking software or something as seemingly benign as a business form template, an agreement or a free secure chat service. Every month, threat actors are finding new ways to intercept your business’ use of Google to find free things to download
Image 1: A jump in Google searches for Telegram and Signal following the news of WhatsApp’s change in terms of service.
Image 2. Suspicious ads resulting when the word “signal” is searched on
Image 3: Suspicious ads resulting when the word “Telegram” is searched
Image 4: Suspicious ads resulting when the word “Viber” is searched
Image 5: Malicious page (http://desktop-signal[.]digital/) masquerading as the legitimate Signal download page. Download references PHP script presumably used for filtering.
Image 6: As of April 21, http://desktop-signal[.]digital is marked as phishing by CloudFlare
Image 7: Via log data, Suspicious ad domain minutes before activation of Fake Signal.
Image 8: RedLine Stealer spawns from the alleged Signal download, titled SIGNAL-WIN-53973.EXE
Image 9: Suspicious ad domain minutes before activation of a Setup file
Image10: Setup file leading to RedLine Stealer behavior
Image 11: Registration and infrastructure properties of suspicious ads
For more information about this threat and how to protect against it go to https://www.esentire.com/get-started