In a sophisticated cyber threat operation, cybercriminals are manipulating Google’s Dynamic Search Ads to mislead individuals into downloading malware under the guise of the legitimate WinSCP software. This deceptive strategy, identified and monitored by the cybersecurity firm Securonix under the name SEO#LURKER, is a significant concern for internet users.

The strategy involves a malicious advertisement redirecting users to a compromised WordPress site, gameeweb[.]com, which then leads them to a phishing site controlled by the attackers. These attackers cleverly leverage Google’s ad service to display these malicious ads, targeting victims to a fraudulent WinSCP website, winccp[.]net, from where the malware is downloaded.

The malware distribution involves a multi-stage attack chain. The victims are enticed to download a ZIP file named “WinSCP_v.6.1.zip,” containing a deceptive setup executable. This executable employs DLL side-loading technique to execute a DLL file, python311.dll, within the archive, while simultaneously running a legitimate WinSCP installer to maintain the appearance of authenticity. In the background, Python scripts named “slv.py” and “wo15.py” are installed, which establish communication with a server controlled by the attackers, enabling them to execute commands on the infected host.

The scope of this attack primarily targets users searching for WinSCP software, with a particular focus on those in the U.S., as suggested by the geoblocking used on the malware-hosting site.

This incident is a part of an increasing trend of ‘malvertising’, where advertising platforms are used to spread malware. The technique has been on the rise, evidenced by numerous recent malware campaigns using this method, including a campaign reported by Malwarebytes targeting PyCharm users. Additionally, Malwarebytes highlighted an increase in credit card skimming campaigns in October 2023, which compromised many e-commerce sites to steal financial data through fake payment pages.