Users that are searching for popular software have recently become the targets of malvertising which leverages Google Ads to install Trojan versions of Raccoon Stealer and Vidar. These malware versions are sneakily hidden within Google advertising…you know; those advertisements you see on the side of your browser window or plastered all over social media. This bandit, if clicked, will then proceed to install malware on your device.

According to Guardio Labs, at first glance, the network of sites that have been developed by threat actors and promoted through Google Ads seems benign…or normal. That’s because most of them are typo-squatted versions of popular sites. However, once the users click on these ads that appear on the screen, they are directed to a phishing site. This site provides links to popular software that many would like to use that is available for download. However, the intent of these particular downloads is to expose the user to potentially damaging programs or unwanted applications.  Guardio has dubbed this campaign “MasquerAd.” That's clever.

The phishing site that was found contains files hosted on Dropbox or OneDrive. Those files are actually trojan-infected ZIP archives. Typos in popular searches for software such as AnyDesk, Grammarly, Malwarebytes, Dashlane, MS Visual Studio, Slack, Zoom, and MSI Afterburner will take you to the phony sites.

Given that the gateway sites represent typosquatting, users are encouraged to ensure that their search queries are spelled correctly and examine sites extremely carefully to note any deviations from official design, look, feel, and branding. If in doubt, visit the website of the software developer to do some additional research.

Also, if you see ads on websites you visit or on social media, consider typing in the name on the ad manually into the browser rather than clicking links. Just triple check you spelled everything correctly before finishing the click.