Rogue Sites Masquerading as Windows Portals: A New Malvertising Campaign

A recent discovery has unveiled a new malvertising campaign strategically targeting unsuspecting users by adopting a cloak of legitimacy. Utilizing fake websites disguised as authentic Windows news portals, this scheme aims to spread a malicious installer for a popular system profiling tool known as CPU-Z.

According to Malwarebytes’ Jérôme Segura, this event is a part of a larger malvertising campaign that extends its reach to other utilities, such as Notepad++, Citrix, and VNC Viewer, concealing its intentions by leveraging cloaking templates and infrastructure to evade detection.

This shift marks a deviation from the typical operation of malvertising campaigns, particularly seen in the replication of WindowsReport[.]com. The end goal is to ensnare unwitting users seeking CPU-Z by bombarding them with malicious ads that, upon interaction, lead to the fraudulent portal workspace-app[.]online.

Notably, those not the primary targets of the campaign are presented with an innocuous blog, employing the strategy of cloaking to avoid raising any suspicion.

The signed MSI installer located on the deceptive website contains a malevolent PowerShell script, also known as FakeBat (or EugenLoader), serving as a conduit for the deployment of RedLine Stealer on the compromised host.

This isn’t the first instance of deceptive Google Ads used as a vector for malware distribution. Cybersecurity firm eSentire disclosed a recent Nitrogen campaign that facilitates a BlackCat ransomware attack, continuing the trend of exploiting drive-by downloads to propagate malware families like NetWire RAT, DarkGate, and DanaBot.

Additionally, threat actors are increasingly relying on adversary-in-the-middle (AiTM) phishing kits like NakedPages, Strox, and DadSec to breach multi-factor authentication systems and hijack targeted accounts.