Google Ads Littered With New Malware Strain

Researchers from Cyble recently revealed analyses of a new malware strain known as “Rhadamanthys Stealer,” that is being sold through the Dark Web under a Malware-as-a-Service model. This malware strain is designed to steal sensitive information from the victim’s machine. New malware showing up for sale isn’t necessarily news, but one of the two observed methods of propagation observed by the threat actors behind Rhadamanthys is.

The first method is traditional phishing and spam emails that deliver the malware as a malicious attachment. The other method is a set of highly convincing phishing webpages impersonating legitimate websites to trick users into downloading the malware along with what looks like a real version of the software they are presumably searching Google for. The links to these malicious sites have spread through Google Ads, leading to randomized victims. Some (but certainly not all) of the domains involved in this scam are:
bluestacks-install[.]com
zoomus-install[.]com
install-zoom[.]com
install-anydesk[.]com
install-anydeslk[.]com
zoom-meetings-install[.]com
zoom-meetings-download[.]com
anydleslk-download[.]com
zoomvideo-install[.]com
zoom-video-install[.]com
istaller-zoom[.]com
noteepad.hasankahrimanoglu[.]com[.]tr

Indicators of Compromise that have been identified include the following:

FRSecure recommends administrators block the domains and file hashes above within their organization. As always, we can expect the fingerprint of this malware to change rapidly in the future. It is imperative that users exercise caution when receiving emails or visiting potential phishing websites. Always verify the source before downloading any applications or supposed updates.

A full Malware Traffic Analysis for one of these malicious Google Ads can be viewed here: https://www.malware-traffic-analysis.net/2023/01/03/index.html