Threat Actors Distribute IcedID Malware via Malvertising Attacks

NJCCIC Alert

Original Release Date: 12/29/2022

Summary

Advertising platforms, such as Google Ads, allow businesses to target audiences to increase traffic and sales. Threat actors can also use these platforms in malvertising attacks to hijack certain keywords and convince unsuspecting search engine users to download and install malware via malicious ads.

Trend Micro researchers discovered threat actors abusing Google pay-per-click (PPC) ads to distribute IcedID, a malware loader capable of delivering other payloads that may result in data theft and ransomware. The IcedID threat actors display malicious ads by hijacking keywords and cloning webpages of legitimate organizations and popular applications, including Adobe, AnyDesk, Discord, GoTo, Slack, TeamViewer, and the IRS. If clicked, the ads direct unsuspecting victims to malicious websites that lure them into downloading and installing the IcedID malware. The IcedID loader is dropped via an MSI file that contains several files, including a legitimate DLL with a single legitimate function belonging to a popular, widely used library. This legitimate DLL file is replaced with a version carrying a malicious loader function exposed as an “init” export. Because the legitimate and malicious DLL files appear almost identical, telling them apart can be challenging for machine-learning detection solutions.

Additionally, the FBI warned of threat actors using search engine advertisements that appear at the top of search result pages to impersonate legitimate businesses or services. If clicked, users are directed to malicious websites that distribute malware, including ransomware, and steal login credentials and other information.
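The summary above describes the one visible difference between the legitimate DLL and the dropped copy: an extra “init” export. A defender who has a trusted copy of the library can therefore compare export tables rather than rely on file similarity. The script below is an added example written for this alert, not Trend Micro's or the NJCCIC's tooling: it parses the PE export directory with the standard library only, lists the exported names, and reports any export the trusted copy lacks. The `build_sample_dll` helper and the export name `LegitFunction` are constructed stand-ins for test input; the real library name and function are not given on the page.

```python
import struct

# Minimal PE export-table reader (standard library only). Written for this
# example; it is not Trend Micro's or NJCCIC's tooling.

def _rva_to_offset(sections, rva):
    """Map a relative virtual address to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x lies outside every section" % rva)


def export_names(data):
    """Return the names in a PE file's export directory, in table order."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    # Data directories start at +112 for PE32+ (0x20B) and +96 for PE32 (0x10B).
    dd_off = opt_off + (112 if magic == 0x20B else 96)
    exp_rva, _exp_size = struct.unpack_from("<II", data, dd_off)
    if exp_rva == 0:
        return []  # no export table at all
    sections = []
    sect_off = opt_off + opt_size
    for i in range(num_sections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sect_off + i * 40 + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    exp = _rva_to_offset(sections, exp_rva)
    num_names = struct.unpack_from("<I", data, exp + 24)[0]   # NumberOfNames
    names_rva = struct.unpack_from("<I", data, exp + 32)[0]   # AddressOfNames
    names_off = _rva_to_offset(sections, names_rva)
    names = []
    for i in range(num_names):
        name_rva = struct.unpack_from("<I", data, names_off + 4 * i)[0]
        start = _rva_to_offset(sections, name_rva)
        end = data.index(b"\0", start)
        names.append(data[start:end].decode("ascii", "replace"))
    return names


def unexpected_exports(candidate, known_good):
    """Exports in the candidate DLL that a trusted copy of the same library lacks."""
    baseline = set(export_names(known_good))
    return [name for name in export_names(candidate) if name not in baseline]


def build_sample_dll(exports):
    """Construct a tiny PE32+ image holding only an export table (test input, not a real DLL)."""
    n = len(exports)
    sect_va, sect_raw = 0x1000, 0x200
    funcs_rva = sect_va + 40
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    strings, name_rvas = bytearray(), []
    for name in exports:
        name_rvas.append(ords_rva + 2 * n + len(strings))
        strings += name.encode("ascii") + b"\0"
    body = bytearray(40)
    # IMAGE_EXPORT_DIRECTORY: ..., Base, NumberOfFunctions, NumberOfNames,
    # AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals
    struct.pack_into("<IIHHIIIIIII", body, 0, 0, 0, 0, 0, 0, 1, n, n, funcs_rva, names_rva, ords_rva)
    body += b"".join(struct.pack("<I", 0x2000 + 0x10 * i) for i in range(n))  # dummy code RVAs
    body += b"".join(struct.pack("<I", r) for r in name_rvas)
    body += b"".join(struct.pack("<H", i) for i in range(n))
    body += strings
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)  # x64, one section, DLL
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                            # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112, sect_va, len(body))            # export data directory
    sect = struct.pack("<8sIIIIIIHHI", b".edata", len(body), sect_va, len(body), sect_raw,
                       0, 0, 0, 0, 0x40000040)
    header = dos + b"PE\0\0" + coff + opt + sect
    return bytes(header + bytes(sect_raw - len(header)) + body)


if __name__ == "__main__":
    trusted = build_sample_dll(["LegitFunction"])          # stand-in for the vendor's copy
    dropped = build_sample_dll(["LegitFunction", "init"])  # stand-in for the file the MSI drops
    print("exports:", export_names(dropped))
    print("not in trusted copy:", unexpected_exports(dropped, trusted))
```

On a real system the two arguments to `unexpected_exports` would be the bytes of the DLL extracted from the suspicious MSI and of the same DLL taken from the vendor's signed installer; an export set that differs from the trusted copy is a concrete, explainable signal that a similarity-based classifier may miss.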

Recommendations

The NJCCIC recommends that users educate themselves and others on this and similar scams to prevent future victimization. Users are advised to exercise caution and carefully examine search results before clicking links, confirming that websites are known and legitimate. Furthermore, refrain from downloading programs or providing sensitive information via unofficial websites. Further technical details, indicators of compromise (IOCs), and tactics, techniques, and procedures (TTPs) can be found in the Trend Micro blog post.

New Jersey Cybersecurity & Communications Integration Cell

2 Schwarzkopf Dr, Ewing Township, NJ 08628

njccic@cyber.nj.gov

OUR COMMITMENT

The NJCCIC is a component organization within the New Jersey Office of Homeland Security and Preparedness. We are the State's one-stop-shop for cyber threat analysis, incident reporting, and information sharing and are committed to making New Jersey more resilient to cyber threats by spreading awareness and promoting the adoption of best practices.
