A threat actor has been abusing Google Ads to distribute a trojanized version of the CPU-Z tool to deliver the Redline info-stealing malware.
The new campaign was spotted by
Malwarebytes analysts who, based on the backing infrastructure, asses that it is part of the same operation that used
Notepad++ malvertising to deliver malicious payloads.
The malicious Google advertisement for the trojanized CPU-Z, a tool that profiles computer hardware on Windows, is hosted on a cloned copy of the legitimate Windows news site WindowsReport.
CPU-Z is a popular free utility that can help users monitor different hardware components, from fan speeds, to CPU clock rates, voltage, and cache details.
Clicking the ad takes the victim through a redirect step that tricks Google’s anti-abuse crawlers by sending invalid visitors to an innocuous site.
Those deemed valid to receive the payload are redirected to a Windows news site lookalike hosted on one of the following domains:
- argenferia[.]com
- realvnc[.]pro
- corporatecomf[.]online
- cilrix-corp[.]pro
- thecoopmodel[.]com
- winscp-apps[.]online
- wireshark-app[.]online
- cilrix-corporate[.]online
- workspace-app[.]online
