IcedID botnet operators exploit Google ads in their campaign

January 10, 2023

Earlier this month, the IcedID botnet operators were seen using a search-engine poisoning strategy (here through paid advertisements rather than organic rankings) to lure search engine users to fake websites that deliver the malware.

The current campaign piggybacks on Google Ads, the same platform legitimate businesses use: the operators run paid advertisements aimed at the browsing audience they want to reach, which drives traffic (and, for the operators, profit) to their pages.

According to reports, the attackers bid on keywords associated with well-known brands and applications and abuse Google's pay-per-click (PPC) ads, so that their malicious advertisements are displayed above the organic search results.

IcedID botnet operators have been hijacking keywords to start their campaigns.

The researchers found the IcedID operators hijacking keywords associated with Chase Bank, Discord, Fortinet, Brave Browser, GoTo, Thunderbird, AnyDesk, TeamViewer, the US Internal Revenue Service (IRS), and others.

In addition, the operators use the legitimate Keitaro Traffic Direction System (TDS) to filter out researcher and sandbox traffic and to redirect the remaining visitors to cloned pages of well-known applications and organisations.

If the victim clicks the download button on the cloned page, the site serves a ZIP archive containing a malicious MSI (Windows Installer) package. The installer acts as the initial loader: it retrieves the IcedID bot core, which can in turn drop a backdoor payload.

The IcedID operators use several tricks to make detection harder for security vendors. Among the files shipped alongside the loader are well-known, legitimate libraries such as ConEmuTh.x64[.]dll, tcl86[.]dll, libcurl[.]dll, and sqlite3[.]dll.

The modified installers are nearly identical to the legitimate installer of the software they impersonate, which makes them hard to distinguish both for analysts and for allowlisting systems that trust the bundled files by name or by vendor.
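The "nearly identical installer" problem is exactly where name-based allowlisting fails: the bundled libraries really are the vendor's own files, so any rule keyed on file names passes the whole package. A more useful triage check hashes every file in the unpacked installer and diffs it against a known-good manifest of the vendor's build, so the legitimate libraries drop out as unchanged and only the added or patched component is surfaced. The script below is an added example, not code from the article or from any vendor or IcedID analysis. It assumes the installer has already been unpacked into individual files (for an MSI, with a tool such as msiextract or lessmsi); to run offline, the unpacked tree is modelled as an in-memory ZIP, all file contents are constructed placeholders, and the names `app.exe` and `loader.dll` are hypothetical.

```python
"""Diff an unpacked installer against a known-good manifest.

Added example, not from the original article or from any vendor tool.
Assumptions: the installer has already been unpacked into individual files
(for an MSI, e.g. with msiextract or lessmsi); here the unpacked tree is
modelled as an in-memory ZIP so the script runs offline. All file contents
below are constructed placeholders, not real binaries; "app.exe" and
"loader.dll" are hypothetical names.
"""
import hashlib
import io
import zipfile
from typing import Dict, Set

Manifest = Dict[str, str]  # file path -> SHA-256 hex digest


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_zip(files: Dict[str, bytes]) -> bytes:
    """Pack constructed file contents into an in-memory ZIP archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def manifest_from_zip(blob: bytes) -> Manifest:
    """Hash every regular file in the archive by content, keyed by path."""
    manifest: Manifest = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            manifest[info.filename] = sha256_hex(zf.read(info))
    return manifest


def diff_manifests(known_good: Manifest, sample: Manifest) -> Dict[str, Set[str]]:
    """Classify each file as unchanged, modified, added or missing.

    Matching is by content hash, never by file name, so a bundled library
    that is byte-identical to the vendor's copy lands in "unchanged" while
    anything the operators patched or added is surfaced.
    """
    names_good, names_sample = set(known_good), set(sample)
    common = names_good & names_sample
    return {
        "unchanged": {n for n in common if known_good[n] == sample[n]},
        "modified": {n for n in common if known_good[n] != sample[n]},
        "added": names_sample - names_good,
        "missing": names_good - names_sample,
    }


def is_suspicious(diff: Dict[str, Set[str]]) -> bool:
    """Any added or modified file means this is not the vendor's build."""
    return bool(diff["modified"] or diff["added"])


# --- constructed data -------------------------------------------------------
# Stand-ins for the legitimate libraries named in the article plus a
# hypothetical application executable. In practice the known-good hashes
# come from the vendor's own installer, downloaded from the vendor's site.
LEGIT_FILES = {
    "sqlite3.dll": b"legit sqlite3 build (placeholder bytes)",
    "libcurl.dll": b"legit libcurl build (placeholder bytes)",
    "tcl86.dll": b"legit tcl86 build (placeholder bytes)",
    "ConEmuTh.x64.dll": b"legit ConEmuTh build (placeholder bytes)",
    "app.exe": b"legit application executable (placeholder bytes)",
}

# Hypothetical trojanised package: identical libraries, a patched executable
# and one extra DLL in the loader role. Constructed, not a real sample.
TROJANISED_FILES = dict(LEGIT_FILES)
TROJANISED_FILES["app.exe"] = b"patched executable that also loads loader.dll"
TROJANISED_FILES["loader.dll"] = b"loader stand-in (placeholder bytes)"

KNOWN_GOOD_MANIFEST = manifest_from_zip(build_zip(LEGIT_FILES))


def triage(sample_zip: bytes) -> Dict[str, Set[str]]:
    """Diff an unpacked sample (as a ZIP blob) against the known-good manifest."""
    return diff_manifests(KNOWN_GOOD_MANIFEST, manifest_from_zip(sample_zip))


if __name__ == "__main__":
    result = triage(build_zip(TROJANISED_FILES))
    print("suspicious:", is_suspicious(result))
    for kind in ("unchanged", "modified", "added", "missing"):
        print(f"{kind:9}: {sorted(result[kind])}")
```

Run against the constructed trojanised package, the four library names from the article come back as unchanged, `app.exe` as modified and `loader.dll` as added; run against the clean package, nothing is flagged. The point of the design is that the verdict never depends on a file's name or on the package looking like a familiar product, only on whether every byte matches a build obtained from the vendor directly rather than from an ad-served link.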

Several threat groups have used IcedID in recent months to gain initial access, carry out further operations, and establish persistence on targeted hosts. A couple of months ago, analysts observed operators delivering IcedID through phishing emails written in English or Italian, using ISO files, macro-laden documents, and archives.

The groups behind IcedID keep rotating distribution methods, which lets them gauge which lures work against which targets. Cybersecurity experts noted that the abuse of Google PPC ads to deliver malware deserves priority attention from researchers, since it poses a significant threat to unsuspecting users.
