
Malicious Advertising Campaign on Slack Targets Google Search Results


Researchers have uncovered a malvertising campaign that used Google search ads to target people looking for Slack. The case shows how ad-delivered malware chains have evolved and why a sponsored search result should not be treated as a trustworthy source for a software download.

The campaign ran for several days and started with what looked like an ordinary ad for Slack at the top of Google search results. Clicking it sent the visitor through a chain of redirects that ended in a malware download.

Closer examination by Malwarebytes researchers showed the ad was not what it claimed to be. The advertiser account behind it was promoting products aimed at the Asian market, yet the ad was being shown to searchers in a completely different region, which is a common sign of a hijacked or disposable advertiser account.

Because the ad's context (advertiser, region and landing behaviour) did not add up, the researchers had already flagged it as 'cooking': their term for a malicious ad that is left dormant for a period, redirecting only to harmless content, so that it passes initial review and avoids early detection. Once active, the ad redirected through a click-tracking service and finally landed on slack-windows-download[.]com, a domain registered only about a week before the campaign began.

The landing page shown to targeted visitors impersonated the official Slack website and offered a download button. Visitors who did not fit the target profile, such as ad reviewers, scanners or researchers fetching the URL directly, were served different, harmless content instead; this practice of showing one page to victims and another to everyone else is known as cloaking. Combined with the click-tracking and cloaking domains in the redirect chain, this made the campaign hard to assess without knowing how to replay the full chain as a real ad click would.
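The following is an added illustration of the two evasion mechanisms just described, 'cooking' (dormancy until an activation date) and cloaking (serving a decoy to anyone who does not look like a real ad click). It is not code recovered from the campaign or published by Malwarebytes; the click-id parameter name, the user-agent markers, the target region and the dates are assumptions chosen to show the decision logic, and nothing here contacts real infrastructure.

```python
"""How a cloaked, 'cooking' landing page decides what to serve.

Added illustration; not code from the campaign or from Malwarebytes.
CLICK_ID_PARAM, SCANNER_UA_MARKERS, the target region and the dates are
assumptions for the example only.
"""
from dataclasses import dataclass, field
from datetime import date

# Assumed name of the click identifier the ad network appends to the landing URL.
CLICK_ID_PARAM = "clickid"

# Substrings typical of crawlers, URL scanners and scripted fetches (constructed list).
SCANNER_UA_MARKERS = ("bot", "crawler", "spider", "curl", "python-requests", "headless")

# Constructed dates: the ad goes live on ACTIVATION, the demo visits happen on TODAY.
ACTIVATION = date(2024, 3, 10)
TODAY = date(2024, 3, 14)


@dataclass(frozen=True)
class Visit:
    user_agent: str
    query: dict = field(default_factory=dict)  # parsed query string of the landing URL
    country: str = ""                          # GeoIP result, supplied by the caller
    when: date = TODAY                         # date of the request


def looks_like_scanner(user_agent: str) -> bool:
    """Crude bot check of the kind cloaking kits use; case-insensitive substring match."""
    ua = user_agent.lower()
    return any(marker in ua for marker in SCANNER_UA_MARKERS)


def choose_page(visit: Visit, activation: date = ACTIVATION,
                target_countries=("US",)) -> str:
    """Return which page the server would send: 'decoy' or 'lure'.

    The lure (the fake Slack download page) is served only when the visit
    looks like a real ad click from a targeted region and the ad has
    'cooked' past its activation date. Everyone else, including ad reviewers
    and researchers who fetch the bare URL, sees a harmless decoy.
    """
    if visit.when < activation:                  # still dormant ("cooking")
        return "decoy"
    if looks_like_scanner(visit.user_agent):     # automated fetch
        return "decoy"
    if CLICK_ID_PARAM not in visit.query:        # did not arrive via the ad
        return "decoy"
    if visit.country not in target_countries:    # outside the targeted region
        return "decoy"
    return "lure"


BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"  # constructed


def demo() -> dict:
    """Outcomes for a set of constructed visits, keyed by scenario name."""
    return {
        "victim": choose_page(Visit(BROWSER_UA, {CLICK_ID_PARAM: "abc"}, "US")),
        "scanner": choose_page(Visit("curl/8.4.0", {CLICK_ID_PARAM: "abc"}, "US")),
        "direct_visit": choose_page(Visit(BROWSER_UA, {}, "US")),
        "wrong_region": choose_page(Visit(BROWSER_UA, {CLICK_ID_PARAM: "abc"}, "DE")),
        "dormant": choose_page(Visit(BROWSER_UA, {CLICK_ID_PARAM: "abc"}, "US",
                                     date(2024, 3, 1))),
    }


if __name__ == "__main__":
    for scenario, page in demo().items():
        print(f"{scenario:>12}: {page}")
```

The practical consequence for an analyst is that fetching the landing URL on its own proves nothing: to see what a victim sees, the full URL including the click identifier has to be replayed with a real browser user agent, from a targeted geography, and after the ad has gone live.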

Clicking the download button fetched a file from yet another domain, one whose name pointed to a parallel campaign impersonating Zoom run by the same operators. Dynamic analysis of the file showed it connecting to a command-and-control server previously associated with SecTopRAT, a remote access Trojan with information-stealing capabilities.

The operators layered several evasion techniques: keeping the ad dormant until it had passed review, routing clicks through a click-tracking service, cloaking the landing page, and chaining multiple redirects before the final download. Each layer made the chain harder to reproduce and assess, and together they kept the campaign running longer than a single-hop lure would have.
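Defenders usually meet a chain like this in reverse, as a list of redirect hops captured from a proxy, a sandbox or a browser's network log. The script below is an added example of how such a chain can be triaged offline: it unwraps defanged indicators, marks click-tracker hops, flags hosts that mention a brand without belonging to that brand's registrable domain, and flags recently registered domains. It is not code from the original report or from Malwarebytes; the brand list, the tracker list, the 30-day threshold, the hop URLs and the registration dates are constructed assumptions, and in production the dates would come from a WHOIS or RDAP lookup.

```python
"""Triage of a captured ad redirect chain, as a SOC analyst might script it.

Added example; not code from the original report or from Malwarebytes.
BRAND_DOMAINS, KNOWN_TRACKER_DOMAINS, NEW_DOMAIN_DAYS, SAMPLE_CHAIN,
SAMPLE_DATES and TODAY are constructed assumptions for illustration.
"""
from datetime import date
from typing import Optional
from urllib.parse import urlparse

# Brands this organisation cares about, mapped to their legitimate
# registrable domains (assumption: a list the defender maintains).
BRAND_DOMAINS = {"slack": {"slack.com"}, "zoom": {"zoom.us"}}

# Registrable domains of click-tracking services seen as intermediate hops.
# Placeholder name; a real list would be curated from past investigations.
KNOWN_TRACKER_DOMAINS = {"example-clicks.net"}

NEW_DOMAIN_DAYS = 30           # assumption: anything younger deserves a look
TODAY = date(2024, 3, 14)      # constructed analysis date


def refang(text: str) -> str:
    """Turn 'hxxps://slack-windows-download[.]com' back into a parseable URL."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def defang(host: str) -> str:
    """Make a host safe to paste into a ticket (no accidental clicks)."""
    return host.replace(".", "[.]")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Naive on purpose: real code should use the
    Public Suffix List so that names under e.g. co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brand_lookalike(host: str) -> Optional[str]:
    """Return the brand name if the host mentions a brand it does not belong to."""
    rd = registrable_domain(host)
    for brand, legit in BRAND_DOMAINS.items():
        if brand in host.lower() and rd not in legit:
            return brand
    return None


def triage_chain(hops: list, registration_dates: dict, today: date) -> dict:
    """Walk the redirect hops in order and collect (hop_index, host, reason) findings.

    hops: URLs in redirect order, defanged or not.
    registration_dates: {registrable_domain: creation date}, supplied by the caller.
    A tracker hop alone is not suspicious; impersonation or a young domain is.
    """
    hosts = [urlparse(refang(u)).hostname or "" for u in hops]
    findings = []
    severe = False
    for i, host in enumerate(hosts):
        rd = registrable_domain(host)
        if rd in KNOWN_TRACKER_DOMAINS:
            findings.append((i, defang(host), "click-tracker hop"))
        brand = brand_lookalike(host)
        if brand:
            findings.append((i, defang(host), f"impersonates {brand}"))
            severe = True
        created = registration_dates.get(rd)
        if created is not None and (today - created).days < NEW_DOMAIN_DAYS:
            age = (today - created).days
            findings.append((i, defang(host), f"registered {age} days ago"))
            severe = True
    return {
        "hops": len(hops),
        "final_host": defang(hosts[-1]) if hosts else "",
        "findings": findings,
        "verdict": "suspicious" if severe else "benign",
    }


# Constructed chain modelled on the pattern described above: ad click, tracker,
# lookalike landing page, then the download served from a second lookalike.
SAMPLE_CHAIN = [
    "https://ad-click.example/aclk?id=1",
    "https://tracker.example-clicks.net/r?c=123",
    "hxxps://slack-windows-download[.]com/",
    "hxxps://zoom-desktop-install[.]example/SlackSetup.exe",
]
SAMPLE_DATES = {"slack-windows-download.com": date(2024, 3, 7)}  # constructed


def sample_report() -> dict:
    return triage_chain(SAMPLE_CHAIN, SAMPLE_DATES, TODAY)


if __name__ == "__main__":
    report = sample_report()
    for hop, host, reason in report["findings"]:
        print(f"hop {hop}: {host}: {reason}")
    print("verdict:", report["verdict"])
```

The domain-age check is the cheapest signal here: a landing page registered days before it starts appearing in paid search results is rarely legitimate, and the check needs no knowledge of the payload. The brand check is deliberately strict (a host that contains "slack" must resolve to slack.com's registrable domain), which is the right default for a list of brands whose installers an organisation actually deploys.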

The final payload, SecTopRAT, gives the operators a persistent connection to a command-and-control server from which they can run commands and exfiltrate data from the compromised machine. Because the lure abuses a legitimate platform (paid search) and hides behind the evasion layers described above, the practical defence is procedural as much as technical: obtain installers only from the vendor's own domain, reached by typing or bookmarking it rather than clicking a sponsored result, and block or alert on downloads from recently registered domains.

The Slack malvertising campaign is a reminder that search ads remain an effective delivery channel for malware and that ad-platform review alone cannot be relied on to filter them out.
