Google PPC Ads Used to Deliver Infostealers
Quote: Researchers have tracked down the origins of several increasingly prevalent info-stealers – including Redline, Taurus, Tesla and Amadey – that threat actors are delivering via pay-per-click (PPC) ads in Google’s search results.
 
On Wednesday, breach prevention firm Morphisec posted an advisory in which it said that over the past month, it’s investigated the origins of paid ads that appear on the first page of search results and that lead to downloads of malicious AnyDesk, Dropbox and Telegram packages wrapped as ISO images.
 
This isn’t the first time we’ve seen a fake version of AnyDesk, the popular remote desktop application, pushed via ads appearing in Google search results. Just a week ago, we saw rigged AnyDesk ads serving up a trojanized version of the program. That earlier campaign even bested AnyDesk’s own ad campaign on Google, ranking higher in its paid results.

This time around, the Google PPC ads targeted specific IP ranges in the U.S. and “probably some other countries,” researchers wrote. Non-targeted IPs are redirected to legitimate pages that download the correct applications.

The researchers investigated three attack chains that lead to Redline, Taurus and a new mini-Redline infostealer compromise. Two of the adversaries – the ones leveraging Taurus and mini-Redline – are using similar patterns, certificates, and command-and-control centers (C2s). The third uses Redline, while Morphisec plans to write up the Amadey campaign in a separate post.

Read more: Google PPC Ads Used to Deliver Infostealers | Threatpost