Hackers Hide Malware in Google Ads
11 Jun
Summary
- Malware campaign exploits Google's ad domain for delivery.
- Attackers rebuild fake company pages using live online logos.
- In-memory execution minimizes traces, evading detection.

Cybersecurity researchers have identified a novel malware campaign that leverages Google's legitimate ad domain, ad.doubleclick.net, to distribute malicious payloads. This tactic allows attackers to bypass security filters that typically trust Google-owned infrastructure.
The operation begins with spam emails containing HTML attachments that redirect users to a layered infection chain. This chain dynamically reconstructs fake company pages, incorporating real logos pulled live from online sources to enhance believability.
The malware relies on JScript, PowerShell, and reflective .NET loading to execute in memory, which sharply reduces its on-disk footprint and evades traditional file-based detection. It also checks for sandbox or debugging environments and terminates if it detects them.
To evade detection further, the malware injects its code into legitimate Microsoft-signed utilities such as InstallUtil.exe and MSBuild.exe, hiding its activity inside trusted Windows processes. Its command-and-control infrastructure uses dynamic DNS services and nonstandard ports, so that it can adapt quickly to countermeasures.
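The behaviour described above gives defenders two things to look for in endpoint telemetry: a script host spawning PowerShell that in turn hands off to InstallUtil.exe or MSBuild.exe, and those utilities opening outbound connections on nonstandard ports. The following is an added detection example written for this article, not code from the article or from the researchers; the choice of wscript.exe and cscript.exe as JScript hosts and the sample telemetry are assumptions.

```python
# Added example, not code from the article: a detection pass over constructed
# endpoint telemetry. It flags (1) the article's process chain, a JScript host
# (wscript/cscript, an assumption) -> PowerShell -> InstallUtil.exe/MSBuild.exe,
# and (2) those utilities making outbound connections on nonstandard ports.
HOSTED_UTILITIES = {"installutil.exe", "msbuild.exe"}   # named in the article
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}           # assumed JScript hosts
STANDARD_PORTS = {80, 443}

def ancestry(pid, procs):
    """Lower-cased image names from the process itself up to the root."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:          # guard against ppid cycles
        seen.add(pid)
        ppid, image = procs[pid]
        chain.append(image.lower())
        pid = ppid
    return chain

def suspicious_chain(pid, procs):
    """True if a hosted utility descends from PowerShell under a script host."""
    chain = ancestry(pid, procs)
    if not chain or chain[0] not in HOSTED_UTILITIES:
        return False
    if "powershell.exe" not in chain[1:]:
        return False
    ps = chain.index("powershell.exe", 1)
    return any(img in SCRIPT_HOSTS for img in chain[ps + 1:])

def detect(proc_events, net_events):
    """proc_events: (pid, ppid, image); net_events: (pid, dest, port)."""
    procs = {pid: (ppid, image) for pid, ppid, image in proc_events}
    findings = []
    for pid, _, image in proc_events:
        if suspicious_chain(pid, procs):
            findings.append(f"pid {pid}: {image} reached via script host -> PowerShell")
    for pid, dest, port in net_events:
        image = procs.get(pid, (None, ""))[1]
        if image.lower() in HOSTED_UTILITIES and port not in STANDARD_PORTS:
            findings.append(f"pid {pid}: {image} -> {dest}:{port} on a nonstandard port")
    return findings

# Constructed sample telemetry: one malicious chain, one benign MSBuild from an IDE.
SAMPLE_PROCS = [(100, 1, "wscript.exe"), (200, 100, "powershell.exe"),
                (300, 200, "MSBuild.exe"), (50, 1, "devenv.exe"), (400, 50, "MSBuild.exe")]
SAMPLE_NETS = [(300, "host.ddns.example", 8081), (400, "10.0.0.5", 443)]

if __name__ == "__main__":
    for line in detect(SAMPLE_PROCS, SAMPLE_NETS):
        print(line)
```

The benign MSBuild.exe launched by the IDE produces no finding, which is the point of checking the ancestry rather than the image name alone.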
While the final objective remains undetermined, the campaign's structure, including persistence mechanisms that survive system restarts and the collection of hardware details, suggests preparations for extensive, long-term unauthorized access and remote intrusion activities.