Full Report
The scourge of “malvertising” is nothing new, but the tactic is still so effective that it's contributing to the rise of investment scams and the spread of new strains of malware.
Analysis Summary
# Tool/Technique: Malvertising and SEO Poisoning via Search Results
## Overview
This summary focuses on the threat technique where malicious advertisements ("malvertising") are placed in legitimate search engine results pages (SERPs) to trick users into visiting malicious websites or downloading malware. This often involves an element of "SEO poisoning" to achieve prime ad placement. This tactic is currently being used to distribute malware, including infostealers and ransomware, and drive investment and credit card scams.
## Technical Details
- Type: Technique
- Platform: Web Browsers (Users searching on search engines)
- Capabilities: Delivery of malicious payloads (malware download) or redirection to malicious credential/investment scam landing pages.
- First Seen: The core concept of malvertising is not new, but its deployment alongside modern scams (like pig butchering) indicates a continuous evolution. Specific threat actor usage is ongoing in Fall 2023/2024.
## MITRE ATT&CK Mapping
* **TA0001 - Initial Access**
  * T1566 - Phishing
    * T1566.002 - Spearphishing Link (the ad acts as the initial lure/link)
* **TA0011 - Command and Control** (if a malware payload is deployed)
  * *Note: Specific C2 infrastructure is not detailed in this context, but it is the likely next step after initial access.*
## Functionality
### Core Capabilities
- **Ad Placement:** Purchasing deceptive sponsored advertising slots, often achieving prime visibility right alongside legitimate search results.
- **Luring/Deception:** Exploiting the perceived legitimacy of search engine results to persuade victims to click.
- **Scam Promotion:** Directing traffic toward high-yield scams such as "pig butchering" investment schemes.
### Advanced Features
- **Rapid Account Cycling:** Scammers quickly cycle through advertising accounts used for malvertising, with 77% of accounts being used only once, complicating attribution and takedown efforts.
- **Targeting:** Utilizing advanced advertising technology for immense targeting capabilities to place the right ad in front of the right victim at the right time.
## Indicators of Compromise
- File Hashes: N/A (the report covers the delivery method; no specific payload files are named)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A (Specific C2 infrastructure is not detailed in the provided text, only the pathway for delivery).
- Behavioral Indicators: Clicks on sponsored results leading to unexpected destinations; sudden deployment of infostealers, cryptominers, or ransomware following an ad click.
## Associated Threat Actors
- Threat actors operating out of **South Asia and Southeast Asia**, specifically **Pakistan** and **Vietnam**, account for 90% of the observed ad fraud activity according to Malwarebytes telemetry.
- Cybercriminals globally who purchase malvertising as a service.
## Detection Methods
- Signature-based detection: Ineffective against the ad delivery mechanism itself, but effective against resulting malware payloads.
- Behavioral detection: Monitoring user navigation from search engine results to suspicious, newly registered, or unexpected domains.
- YARA rules: N/A (Not applicable to the advertising technique itself).
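The behavioral detection described above, as an added example that is not part of the report: it scans proxy log lines for navigations whose referrer is a search results page and whose destination domain was registered recently or could not be looked up. The log format, user names, destination domains and registration dates are all constructed; the `REGISTERED_ON` table stands in for an RDAP/WHOIS lookup, and registrable-domain extraction is deliberately simplified.

```python
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlparse

# Hosts whose result pages (including sponsored slots) count as a search-engine referrer.
SEARCH_ENGINE_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}
NEW_DOMAIN_DAYS = 30  # destinations registered within this window are flagged

# Constructed proxy log lines: "<timestamp> <user> <url> <referer>".
SAMPLE_LOG = [
    "2024-10-01T09:12:03Z alice https://www.example-bank.com/login https://www.google.com/search?q=example+bank",
    "2024-10-01T09:15:44Z bob https://login.examp1e-bank.xyz/secure https://www.google.com/search?q=example+bank",
    "2024-10-01T09:20:10Z carol https://cdn.news.example/article https://www.example.org/",
    "2024-10-01T09:22:51Z dave https://quick-invest-returns.top/start https://www.bing.com/search?q=invest",
]
# Constructed registration dates standing in for an RDAP/WHOIS lookup; a missing
# entry models a failed lookup (treated as suspicious rather than ignored).
REGISTERED_ON = {"example-bank.com": date(2009, 3, 14), "examp1e-bank.xyz": date(2024, 9, 27)}

@dataclass
class Finding:
    user: str
    dest: str
    reason: str

def registrable_domain(host: str) -> str:
    # Simplification: last two labels. Production code should use the public suffix list.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def detect(lines, registered_on, today, allowlist=frozenset()):
    findings = []
    for line in lines:
        _ts, user, url, referer = line.split()
        ref_host = urlparse(referer).hostname or ""
        if ref_host not in SEARCH_ENGINE_HOSTS:
            continue  # only clicks that originate on a search results page are in scope
        dest = registrable_domain(urlparse(url).hostname or "")
        if dest in allowlist:
            continue  # known-good business domains are never flagged
        registered = registered_on.get(dest)
        if registered is None:
            findings.append(Finding(user, dest, "registration date unknown"))
        elif (today - registered).days <= NEW_DOMAIN_DAYS:
            findings.append(Finding(user, dest, f"registered {(today - registered).days} days ago"))
    return findings

def run_sample():
    # Evaluate the constructed log as of 2024-10-01.
    return detect(SAMPLE_LOG, REGISTERED_ON, date(2024, 10, 1))
```

Each `Finding` carries the user, the destination domain and the reason, so it can be raised as an alert or fed into a DNS/web-filter blocklist review.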
## Mitigation Strategies
- **User Education:** Training users to critically evaluate sponsored results and check the actual destination URL before clicking.
- **Ad Platform Scrutiny:** Increased scrutiny by search engine providers on advertising accounts, especially those exhibiting rapid turnover or suspicious high-volume campaigns.
- **Network Monitoring:** Implementing DNS/web filtering to block connections to known malicious or newly registered domains associated with these campaigns.
## Related Tools/Techniques
- **SEO Poisoning:** Often used in conjunction with malvertising to ensure the malicious ads rank highly.
- **Phishing:** The core objective of the ad click is often to execute a phishing attempt or establish pretext for further social engineering (e.g., investment scams).
- **Infostealer Malware** and **Ransomware:** Malware frequently distributed via successful malvertising clicks.