Deceptive Google Ads Convince WinSCP Users to Install Malware

    The Emergence of SEO#LURKER

    Cybersecurity experts at Securonix are closely monitoring SEO#LURKER. This new threat uses SEO poisoning and fake Google ads to install malware. Attackers cleverly manipulate search results and Google ads, misleading users who intend to download legitimate software like WinSCP.

    Deceptive Advertising Tactics

    Recent findings by security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov highlight this risk. They discovered a malicious advertisement that redirects users from a compromised WordPress site, gameeweb[.]com, to a phishing site controlled by attackers.

    Exploiting Google’s Dynamic Search Ads

    The attackers exploit Google’s Dynamic Search Ads to generate malicious ads automatically. These ads lead victims to infected sites. The sophisticated attack chain aims to lure users into visiting a fake WinSCP website, winccp[.]net, and downloading malware.

    Understanding the Malware Delivery Process

    The malware disguises itself as a ZIP file named “”. This file contains a setup executable that uses DLL side-loading. It executes a file named python311.dll from the archive. This DLL stealthily downloads and activates Python scripts, “” and “”, to enable malicious activities and ensure persistence.

    The Python Scripts’ Role

    These scripts connect to a remote server controlled by the attackers. They receive commands allowing attackers to run enumeration commands on the victim’s host.

    Target Demographics and Geoblocking

    Using Google Ads suggests the attackers target anyone searching for WinSCP software. Geoblocking on the malware-hosting site indicates U.S. users as primary victims.

    Past Instances and Growing Trends

    This isn’t the first instance of Google’s Dynamic Search Ads being used for malware distribution. Malwarebytes recently exposed a similar campaign targeting PyCharm users. Such malicious advertising and malware attacks are becoming more frequent, a trend observed by security researchers.

    Rise in Credit Card Skimming

    Malwarebytes also reported an increase in credit card skimming campaigns in October 2023. These attacks compromised hundreds of e-commerce websites to steal financial information through counterfeit payment pages.

    Latest articles

    Related articles