A new report from Malwarebytes, found a fake WindowsReport website that was being hosted on almost a dozen different domains.
On the website, the scammers hosted a trojanized version of CPU-Z, a popular utility tool for Windows that helps users track different hardware components such as CPU clock rates, and similar. The tool, in fact, was RedLine Stealer, a known infostealer capable of exfiltrating sensitive system data, stored passwords, payment information, cookies, cryptocurrency wallet information, and more.
Multiple similar campaigns
Then, they created ads and ran them on the Google Ads network, promoting this malicious version of CPU-Z. The cloning of WindowsReport was done to add more legitimacy and trustworthiness to the whole campaign, the researchers speculate. But before users are sent to this website, they’re pulled through a number of redirects, all to evade Google’s anti-abuse crawlers.
Some users are redirected to benign pages, while others – those more suitable to receive RedLine – are redirected to the final website. We don’t know exactly how the attackers choose their victims.
To make matters worse, the installer is digitally signed with a valid certificate, meaning Windows security tools and other antivirus products most likely won’t flag it as malicious.
Malwarebytes has analyzed the threat actors’ infrastructure for this campaign and came to the conclusion that it was created by the same people who recently operated the Notepad++ campaign. This campaign, spotted in late October, was similar in the sense that it, too, included a copy of a legitimate website, and a bunch of malicious ads being served via Google Ads.
The best way to stay safe is to be extra careful when searching for products and solutions on Google, and to always double-check the URL in the address bar before downloading anything.