That ChatGPT Google ad may be hiding some nasty malware

Threat actor was spotted advertising fake software on Google Ads


If you stumble upon a Google ad promoting a website where you can download well-known, or made-up, software, be very careful, as it may well be a malvertising campaign.

RomCom is backdoor malware that can do all sorts of nasties: running cmd.exe, dropping additional malicious payloads on the target endpoint, exfiltrating data from compromised devices, running AnyDesk in a hidden window, compressing folders and sending them to hacker-owned servers, and setting up a proxy via SSH.

Furthermore, RomCom can grab screenshots from the compromised computer, steal cookies from popular browsers, and steal cryptocurrency wallet data, chat messages, login credentials and passwords.

Recently, cybersecurity researchers from Trend Micro discovered a new malvertising campaign pushing RomCom to unsuspecting victims. The threat actors created a number of fake websites impersonating legitimate software such as Gimp, GoToMeeting, ChatGPT, WinDirStat, AstraChat, System Ninja, Devolutions' Remote Desktop Manager, and others.

Targets in Eastern Europe

Then, they bought advertising space via Google's ad network to promote the websites. Google ads aside, the attackers have also reportedly engaged in "highly targeted" phishing attacks against victims in Eastern Europe.


While the websites offer various software for download, in reality the victims receive MSI installers trojanized with a malicious DLL file called InstallA.dll. This file drops three more DLLs onto the target device, which communicate with the C2 server and receive further instructions.

The researchers also explained that the attackers started using VMProtect software protection to evade antivirus programs, and that the payload is encrypted. Furthermore, the software appears to be signed by legitimate companies allegedly based in North America. However, these companies' websites are "filled with fake or plagiarized content", BleepingComputer has found.

RomCom's goals vary from campaign to campaign, the publication further states, noting that the group has been seen engaging in both ransomware and espionage.

“Whatever the case, it is a versatile threat that can cause significant damage,” the report concludes.

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.