
According to cybersecurity company eSentire, the malware downloader known as BATLOADER has been observed abusing Google Ads to deliver secondary payloads like Vidar Stealer and Ursnif. The operators set up lookalike websites that host Windows installer (MSI) files masquerading as legitimate apps; the infection sequence is triggered when a user searching for the software clicks a rogue ad on the Google search results page. When launched, these MSI installer files execute Python scripts that contain the BATLOADER payload, which retrieves the next-stage malware from a remote server. This modus operandi marks a slight shift from the previous attack chains observed in December 2022, when the MSI installer packages were used to run PowerShell scripts to download the stealer malware.
The use of Google Ads to deliver secondary payloads is a new development in the world of malware, and one that companies need to be aware of. This type of attack is difficult to defend against because the lookalike websites and installer files can be very convincing. The best defense is to educate employees on the risks of downloading software from unknown sources and to have a strong security policy in place that requires employees to download software only from trusted sources.
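On the detection side, the chain described above (an MSI installer that goes on to run Python or, in the December 2022 variant, PowerShell) can be hunted for in process-creation telemetry. The following Python sketch is an added example, not code from eSentire or the original article; the event field names, the interpreter executable names and the sample events are all constructed assumptions.

```python
import ntpath

# Assumption: interpreter image names to watch for. The article mentions only
# "Python scripts" and "PowerShell scripts", not specific executables.
INTERPRETERS = {"python.exe", "pythonw.exe", "powershell.exe", "pwsh.exe"}
INSTALLER = "msiexec.exe"  # Windows Installer host process

# Constructed process-creation events (shape loosely follows Sysmon Event ID 1).
SAMPLE_EVENTS = [
    {"pid": 400, "ppid": 4, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 1000, "ppid": 400, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r'msiexec.exe /i "C:\Users\demo\Downloads\setup-example.msi"'},
    {"pid": 1010, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /c run-example.bat"},
    {"pid": 1020, "ppid": 1010, "image": r"C:\Users\demo\AppData\Local\Temp\py\python.exe",
     "cmd": r"python.exe example_stage.py"},
    # Benign control: a developer starting Python from the desktop shell.
    {"pid": 2000, "ppid": 400, "image": r"C:\Program Files\Python311\python.exe",
     "cmd": r"python.exe build.py"},
]

def basename(image):
    """Lower-cased executable name from a Windows path (works on any OS)."""
    return ntpath.basename(image).lower()

def find_installer_spawned_interpreters(events):
    """Return interpreter launches that have msiexec.exe among their ancestors."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for event in events:
        if basename(event["image"]) not in INTERPRETERS:
            continue
        chain, seen, current = [], set(), event
        # Walk up the parent chain; `seen` guards against PID-reuse loops.
        while current and current["pid"] not in seen:
            seen.add(current["pid"])
            chain.append(basename(current["image"]))
            current = by_pid.get(current["ppid"])
        if INSTALLER in chain[1:]:
            hits.append({"pid": event["pid"], "cmd": event["cmd"],
                         "chain": " <- ".join(chain)})
    return hits

if __name__ == "__main__":
    for hit in find_installer_spawned_interpreters(SAMPLE_EVENTS):
        print(hit)
```

Legitimate installers can also launch script interpreters, so hits from a rule like this are leads for triage rather than verdicts.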