Fraudulent Slack Ad Shows Malvertiser’s Patience and Skills
In the past year alone, we’ve reported nearly 500 unique malvertising incidents related to Google search ads. While it can be difficult to attribute each incident to a specific threat actor, we typically see similarities between campaigns.

Some malvertisers go to great lengths to bypass security controls, while others know they will get caught and are prepared to burn their accounts and infrastructure. That said, we have generally observed more stealthy attacks lately, and the one we cover in this blog is one of them.

A malicious actor is targeting users of the popular communication tool Slack, using various online services to narrow down the list of victims and, more importantly, to avoid detection.

Context is everything

We had been seeing a suspicious ad for Slack for a few days; it appeared when searching Google for Slack, above the organic search result for the official site. The ad looks completely legitimate. Despite its appearance, we suspected it was malicious, even though clicking on it at that point only resulted in a redirect to slack.com.

Almost every Google ad carries additional information about the advertiser and why it was shown to you. Click the three dots next to the ad URL and you are taken to the Google Ads Transparency Center. What we noticed is that this advertiser promotes products that seem to be aimed at the Asian market, and then there is this Slack ad, sitting in the middle of them with no obvious connection.

We’ve mentioned before how contextualized detection can be a good way to identify an advertiser account that has been compromised. We don’t know if Google’s algorithms are trained on this, but it has certainly helped us find new malicious ad campaigns many times in the past.

Slow cooking

For days, clicking on this Slack ad would take you to a pricing page on Slack’s official website. Ads aren’t always weaponized right away; in fact, it’s common for threat actors to “cook” their ads so they don’t get detected right away.

Eventually, we saw a change in behavior. Instead of redirecting to slack.com, the ad now redirected to a click tracker first. This is one of the weaknesses of the Google ad ecosystem: such services can be abused to filter clicks and send traffic to a domain of the attacker's choosing. Tracking templates, as Google calls them, are a built-in feature that has become synonymous with fraud for us.

Playing hide and seek

The final URL of the ad had now become slack-windows-download(.)com, an interesting choice for a domain name that had been registered less than a week earlier. While the page was clearly generated automatically, perhaps using AI, there is nothing malicious on it. For whatever reason, the server-side checks determined that we should only see this decoy page at the time:

After tweaking various settings, we finally reached the malicious page, designed to impersonate Slack and offer a download link to unsuspecting victims. It is served from the same domain as above, but the content is completely different. This behavior is known as cloaking: different visitors are shown different content depending on checks the server performs on them:

Below is a network traffic log that shows what it took to get to this page. There are a few things worth noting:

  • The Google ad URL redirects to a click tracker, followed by another. There is no way for Google to know where users are going at this point.
  • The click trackers themselves have no idea what happens next, thanks to a link shortener followed by another cloaking domain.

This layering makes it incredibly difficult to evaluate an ad without specific tools and knowledge of the threat actors’ TTPs.
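To make the chain described above concrete, here is an added example (not Malwarebytes' tooling and not code from the original post) that walks a recorded redirect chain offline and grades each hop. The hostnames in IOC_HOSTS are the indicators published at the end of this post; every URL path, query string, tracker hostname and Location header below is constructed for illustration, and the list of "legitimate" Slack domains is an assumption.

```python
"""Walk a recorded ad-click redirect chain offline and grade each hop.

Added example, not Malwarebytes' tooling. Hostnames in IOC_HOSTS come from the
indicators in this post; all URL paths, query strings, tracker hostnames and
Location headers below are constructed for illustration.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Indicators from the post (defanged "(.)" written as "." so they match real hosts).
IOC_HOSTS = {
    "slacklink.sng.link": "redirect link",
    "haiersi.com": "cloaking",
    "slack-windows-download.com": "decoy/phishing page",
    "slack-download-for-windows.com": "decoy/phishing page",
    "zoom2024.online": "payload download",
}
# Where a Slack ad should legitimately land (assumption for this example).
LEGIT_DOMAINS = {"slack.com"}
# Click-forwarding hosts. Constructed; the post does not name the trackers it saw.
TRACKER_HOSTS = {"www.googleadservices.com", "click-tracker-1.example", "click-tracker-2.example"}


@dataclass
class Hop:
    url: str
    host: str
    label: str


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_legit(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def is_brand_lookalike(host: str, brand: str = "slack") -> bool:
    """A host that carries the brand name but is not the brand's own domain."""
    return brand in host and not is_legit(host)


def classify_host(host: str) -> str:
    host = host.lower()
    if is_legit(host):
        return "legit"
    if host in IOC_HOSTS:
        return IOC_HOSTS[host]
    if host in TRACKER_HOSTS:
        return "tracker"
    if is_brand_lookalike(host):
        return "brand lookalike"
    return "unknown"


def walk_chain(responses: dict, start: str, max_hops: int = 10) -> list:
    """Follow recorded Location headers from `start`.

    `responses` maps a requested URL to the Location it returned (None = final
    page). Stops on a final page, an unrecorded URL, a loop, or max_hops, so a
    chain that bounces between trackers cannot spin forever.
    """
    hops, seen, url = [], set(), start
    while url is not None and len(hops) < max_hops:
        if url in seen:
            hops.append(Hop(url, host_of(url), "loop"))
            break
        seen.add(url)
        hops.append(Hop(url, host_of(url), classify_host(host_of(url))))
        url = responses.get(url)
    return hops


def verdict(hops: list) -> str:
    """malicious: a published IOC or brand lookalike anywhere in the chain.
    benign: lands on the legitimate domain after at most one tracker.
    suspicious: anything else (extra trackers, unknown landing host, loop)."""
    if not hops:
        return "suspicious"
    labels = [h.label for h in hops]
    if any(l in IOC_HOSTS.values() or l == "brand lookalike" for l in labels):
        return "malicious"
    if hops[-1].label == "legit" and labels.count("tracker") <= 1:
        return "benign"
    return "suspicious"


# Constructed response logs: requested URL -> Location header returned.
AD_CLICK = "https://www.googleadservices.com/pagead/aclk?sa=L&ai=EXAMPLE"

# The "cooked" phase: the ad still lands on slack.com.
COOKED_CHAIN = {AD_CLICK: "https://slack.com/pricing", "https://slack.com/pricing": None}

# The weaponised phase: tracker -> tracker -> shortener -> cloaker -> decoy domain.
ARMED_CHAIN = {
    AD_CLICK: "https://click-tracker-1.example/c?id=EXAMPLE",
    "https://click-tracker-1.example/c?id=EXAMPLE": "https://click-tracker-2.example/r?u=EXAMPLE",
    "https://click-tracker-2.example/r?u=EXAMPLE": "https://slacklink.sng.link/EXAMPLE",
    "https://slacklink.sng.link/EXAMPLE": "https://haiersi.com/go?c=EXAMPLE",
    "https://haiersi.com/go?c=EXAMPLE": "https://slack-windows-download.com/",
    "https://slack-windows-download.com/": None,
}

# No published IOC, but two trackers and an unknown landing host: still not a pass.
ODD_CHAIN = {
    AD_CLICK: "https://click-tracker-1.example/c?id=EXAMPLE",
    "https://click-tracker-1.example/c?id=EXAMPLE": "https://click-tracker-2.example/r?u=EXAMPLE",
    "https://click-tracker-2.example/r?u=EXAMPLE": "https://landing.example/",
    "https://landing.example/": None,
}


def grade(responses: dict, start: str = AD_CLICK) -> str:
    return verdict(walk_chain(responses, start))


if __name__ == "__main__":
    for name, chain in (("cooked", COOKED_CHAIN), ("armed", ARMED_CHAIN), ("odd", ODD_CHAIN)):
        hops = walk_chain(chain, AD_CLICK)
        print(f"{name}: {verdict(hops)}")
        for h in hops:
            print(f"  {h.host:35} {h.label}")
```

The point of the `suspicious` bucket is the one the post makes: once a click has passed through a second tracker, nobody upstream can tell where it ends up, so a chain with no known indicator at all still deserves a look. The brand-lookalike check catches the next `slack-*-download` domain before it appears on any list; in a real deployment the response map would come from a proxy or sandbox log rather than being typed in.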

Malware payload

The download button triggers a file download from another domain, which could indicate a parallel campaign targeting Zoom. A key is passed to the server when requesting the malware binary, so only users who have gone through the whole delivery chain receive it.

Dynamic analysis in a sandbox shows an external connection to 45.141.87(.)218, a server previously used by SecTopRAT, a remote access Trojan with stealer capabilities. This payload has been dropped in other malvertising chains before, one of which impersonated NordVPN.

Conclusion

Malwarebytes already blocked that command and control server, and we have improved our detection coverage by adding the supporting and delivery infrastructure used in this campaign. We have also reported the malicious ad to Google, and Cloudflare has now flagged the decoy domains abusing its services as phishing.

We expect that malvertisers will continue to use free and paid platforms to avoid detection, but we should also consider that they may be more patient and wait for the right moment to launch a new campaign.

Indicators of compromise

Redirect link

slacklink(.)sng(.)link

Cloaking domain

haiersi(.)com

Decoy domains

slack-windows-download(.)com
slack-download-for-windows(.)com

Payload download

zoom2024(.)online

Payload SHA256

59e5e07ffa53ad721bc6b4c2ef435e08ae5b1286cda51415303978da474032d2