Project Hyphae

Google Ads Littered With New Malware Strain


Researchers from Cyble recently published an analysis of a new malware strain known as “Rhadamanthys Stealer,” which is being sold on the dark web under a Malware-as-a-Service model. The strain is designed to steal sensitive information from the victim’s machine. New malware showing up for sale isn’t necessarily news, but one of the two propagation methods used by the threat actors behind Rhadamanthys is.

The first method is traditional phishing and spam email that delivers the malware as a malicious attachment. The other is a set of highly convincing phishing webpages impersonating legitimate websites, which trick users into downloading the malware alongside what looks like a real copy of the software they were searching Google for. Links to these malicious sites have been spread through Google Ads, so the victims are effectively whoever clicks the ad. Some (but certainly not all) of the domains involved in this scam are:

Indicators of Compromise that have been identified include the following:

SHA-256 Hash | Description
046981c818bd26e7c28b12b998847038e6b64c44df6645438dae689d75fb0269 | Spam email
4f4b5407d607ee32e00477a9f4294600ca86b67729ff4053b95744433117fccf | Spam email
4a55c833abf08ecfe4fb3a7f40d34ae5aec5850bc2d79f977c8ee5e8a6f450d4 | PDF attachment (Statement.pdf)
db66fc58c07ba0ccbe1b9c2db770179d0d931e5bf73838da9c915581661d4c1a | Runtime Broker.exe
fe99a49596fc6f841b7605021da6fce7f6c817d5247d880227f790388a7cabe4 | Shellcode exe

FRSecure recommends administrators block the domains and file hashes above within their organization. As always, we can expect the fingerprint of this malware to change rapidly in the future. It is imperative that users exercise caution when receiving emails or visiting potential phishing websites. Always verify the source before downloading any applications or supposed updates.
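As an added example (not code from Cyble or from this post), here is a small Python sweep that hashes every file under a directory and reports any match against the SHA-256 indicators listed above. The files it creates in demo() are constructed placeholders, not real samples; the extra indicator it registers for one of them is likewise constructed so the scanner can be exercised offline.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA-256 indicators listed in the post above, keyed to the description given there.
RHADAMANTHYS_IOCS = {
    "046981c818bd26e7c28b12b998847038e6b64c44df6645438dae689d75fb0269": "Spam email",
    "4f4b5407d607ee32e00477a9f4294600ca86b67729ff4053b95744433117fccf": "Spam email",
    "4a55c833abf08ecfe4fb3a7f40d34ae5aec5850bc2d79f977c8ee5e8a6f450d4": "PDF attachment (Statement.pdf)",
    "db66fc58c07ba0ccbe1b9c2db770179d0d931e5bf73838da9c915581661d4c1a": "Runtime Broker.exe",
    "fe99a49596fc6f841b7605021da6fce7f6c817d5247d880227f790388a7cabe4": "Shellcode exe",
}

def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large downloads need not be read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def scan_directory(root, iocs=RHADAMANTHYS_IOCS):
    """Walk root recursively; return {file path: IoC description} for every match."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            description = iocs.get(sha256_of_file(path))
            if description is not None:
                hits[str(path)] = description
    return hits

def demo():
    """Exercise the scanner offline on constructed files (not real malware samples).
    A harmless placeholder file is registered as an extra, constructed indicator so
    that exactly one hit is expected; the benign file must not match anything."""
    with tempfile.TemporaryDirectory() as tmp:
        benign = Path(tmp) / "notes.txt"
        benign.write_bytes(b"meeting notes, nothing of interest")
        placeholder = Path(tmp) / "Statement.pdf"
        placeholder.write_bytes(b"constructed placeholder standing in for the attachment")
        iocs = dict(RHADAMANTHYS_IOCS)
        iocs[sha256_of_file(placeholder)] = "constructed test indicator"
        hits = scan_directory(tmp, iocs)
        return {Path(p).name: desc for p, desc in hits.items()}

if __name__ == "__main__":
    print(demo())  # {'Statement.pdf': 'constructed test indicator'}
```

Point scan_directory at a download or mail-attachment folder to sweep it against the published hashes; as the post notes, expect these hashes to rotate, so keep the indicator set updated.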

A full Malware Traffic Analysis for one of these malicious Google Ads can be viewed here:
