Mars Stealer malware pushed via OpenOffice ads on Google


Level 85
Thread author
Honorary Member
Top poster
Content Creator
Malware Hunter
Aug 17, 2014
" A new Mars Stealer campaign uncovered by Morphisec is using Google Ads advertising to rank cloned OpenOffice sites high on Canadian search results. "
Poisoning Google Search results with malicious ads

Poisoning Google Search results with malicious ads (Morphisec)
OpenOffice is a once-popular open-source office suite now belonging to the Apache foundation and has been surpassed by LibreOffice, which started as its fork back in 2010.
However, OpenOffice still enjoys a respectable number of daily downloads from people who seek a free document and spreadsheet editor. Possibly, the threat actors didn’t clone the much more popular LibreOffice because that would result in a quick take-down due to numerous reports.

The OpenOffice installer on the phony site is, in reality, a Mars Stealer executable packed with the Babadeda crypter or the Autoit loader, so the victims are unknowingly infecting themselves.
Due to an error in the configuration instructions of the cracked version, the operator has exposed the victims’ 'logs' directory, giving full access to any visitor.
A log is a zip file containing data stolen by an information-stealing Trojan and uploaded to threat actors' command and control servers.

Andy Ful

From Hard_Configurator Tools
Honorary Member
Top poster
Dec 23, 2014

Unfortunately, Google Ads advertising can be used to locate a website with malicious downloads, very high in Google search. So, it is risky to open such websites.
Last edited by a moderator: