Researchers have traced the origins of several increasingly popular information stealers, including Tesla, Taurus, Amadey, and Redline. The investigation found that threat actors are delivering the information stealers through pay-per-click ads that appear in Google’s search results, allegedly paying high prices for ad placements on searches for the AnyDesk, Dropbox, and Telegram apps that lead to malicious websites. Breach prevention firm Morphisec posted an advisory on Wednesday stating that it has investigated the origins of the paid ads as they appear on the first page of search results.
Morphisec stated that the Google PPC ads targeted specific IP ranges in the US, whereas non-targeted IPs are redirected to legitimate pages that let the visitor download the genuine applications instead of a malicious web page loaded with information stealers. Last week, rigged AnyDesk ads delivered a trojanized version of the program. This malicious campaign actually outperformed AnyDesk’s own ad campaign on Google, so the illegitimate operation ranked higher in the paid results. Morphisec researchers also found that two of the stealers, Redline and Taurus, use similar patterns, certificates, and command-and-control servers.
Read More: Google PPC Ads Used to Deliver Infostealers