
SecTopRAT Threat: Malware Distributed via Google Ads Masquerading as Chrome Installer in February 2025

Executive Summary

February 2025 marks the emergence of a sophisticated cyber threat as reported by Malwarebytes. Cybercriminals have exploited Google Ads to distribute malware by bundling it with a fraudulent Google Chrome installer. This campaign underscores the pervasive misuse of trusted platforms to disseminate malicious software, specifically the deployment of a remote access Trojan (RAT) known as SecTopRAT. While specific sectors or countries have not been identified as primary targets, the utilization of Google Ads suggests that any user searching for Google Chrome online is within potential reach.

Technical Information

The threat actors orchestrated the campaign by leveraging Google Ads, luring victims into clicking a seemingly legitimate advertisement promoting a Google Chrome download. The ad redirected unsuspecting users to a deceptive Google Sites page designed to look authentic. From that page, users downloaded a malicious executable masquerading as Google Chrome. Upon execution, the fake installer connected to a remote site to receive further instructions and ran PowerShell commands to create exclusion paths in Windows Defender, a step intended to evade detection while the malware was extracted. The installer then downloaded an encrypted data stream, which was decrypted to execute a payload named decrypted.exe. This payload unpacked the final malware, waterfox.exe, which mimicked the Waterfox browser. The core payload, SecTopRAT, was injected into the MSBuild.exe process, allowing it to communicate with a command and control (C2) server at IP address 45.141.84[.]208. This enabled remote access and facilitated the theft of sensitive data.
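The behaviours described above (a PowerShell-created Defender exclusion, a known payload hash, and MSBuild.exe talking to an external address) can be turned into simple detection rules. The following is an added example, not code from the report or from Malwarebytes; the event schema and the sample telemetry are constructed, and only the hashes and the C2 address come from the report.

```python
import ipaddress
import re

# IOCs taken from the report (defanging brackets removed so they match raw telemetry).
C2_IPS = {"45.141.84.208"}
IOC_SHA256 = {
    "48fdfbe23eef7eddff071d3eda1bc654b94cf86036ca1cca9c73b0175e168a55",  # GoogleChrome.exe
    "f0977c293f94492921452921181d79e8790f34939429924063e77e120ebd23d7",  # decrypted.exe
    "0f9b2870c4be5ebacb936000ff41f8075ec88d6535161a93df8e6cfea2d8db54",  # waterfox.exe
}
# Defender exclusion path added or replaced from a PowerShell command line.
EXCLUSION_RE = re.compile(r"(Add|Set)-MpPreference\b.*-ExclusionPath", re.IGNORECASE)

def evaluate(event: dict) -> list[str]:
    """Return the names of every rule that fires for one normalised event (constructed schema)."""
    hits = []
    if event.get("type") == "process_create":
        if EXCLUSION_RE.search(event.get("command_line", "")):
            hits.append("defender_exclusion_added_via_powershell")
        if event.get("sha256", "").lower() in IOC_SHA256:
            hits.append("known_sectoprat_hash")
    elif event.get("type") == "network_connect":
        image, dst = event.get("image", "").lower(), event.get("dst_ip", "")
        if dst in C2_IPS:
            hits.append("known_sectoprat_c2")
        # MSBuild.exe has no business reaching out to non-private addresses on its own.
        if image.endswith("\\msbuild.exe") and dst and not ipaddress.ip_address(dst).is_private:
            hits.append("msbuild_external_connection")
    return hits

def scan(events) -> dict[int, list[str]]:
    """Map event index -> detections, omitting events that trigger nothing."""
    return {i: h for i, e in enumerate(events) if (h := evaluate(e))}

# Constructed sample telemetry modelled on the chain in the report (not real logs).
SAMPLE_EVENTS = [
    {"type": "process_create", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell -w hidden Add-MpPreference -ExclusionPath 'C:\\Users\\Public\\Stage'"},
    {"type": "process_create", "image": "C:\\Users\\Public\\Stage\\waterfox.exe", "command_line": "waterfox.exe",
     "sha256": "0f9b2870c4be5ebacb936000ff41f8075ec88d6535161a93df8e6cfea2d8db54"},
    {"type": "network_connect", "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe",
     "dst_ip": "45.141.84.208", "dst_port": 443},
    {"type": "network_connect", "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe",
     "dst_ip": "10.0.0.5", "dst_port": 445},  # internal build server traffic: benign
    {"type": "process_create", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "command_line": "chrome.exe --type=renderer"},
]

if __name__ == "__main__":
    for idx, names in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["type"], ", ".join(names))
```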

Exploitation in the Wild

This threat manifests through the manipulation of trusted advertising platforms and the deployment of malicious executables under the guise of legitimate software. The campaign's Indicators of Compromise (IOCs) include the malicious URLs sites[.]google[.]com/view/gfbtechd/ and chrome[.]browser[.]com[.]de/GoogleChrome.exe. The latter was associated with the SHA-256 hash 48fdfbe23eef7eddff071d3eda1bc654b94cf86036ca1cca9c73b0175e168a55. The payload host launchapps[.]site and the decrypted executable with hash f0977c293f94492921452921181d79e8790f34939429924063e77e120ebd23d7 were part of the malicious infrastructure. The final malware payload was identified by the hash 0f9b2870c4be5ebacb936000ff41f8075ec88d6535161a93df8e6cfea2d8db54, with the C2 server at 45.141.84[.]208 facilitating malicious operations.

APT Groups using this vulnerability

The current intelligence does not attribute this campaign to a particular APT group. However, the methodology employed aligns with tactics observed across various cybercriminal organizations.

Affected Product Versions

The analysis did not identify specific affected versions of Google Chrome, because the threat hinges on the distribution vector rather than on a vulnerability in the software itself. Continued vigilance in monitoring vendor updates and advisories is strongly advised.

Workaround and Mitigation

To mitigate the risks associated with this threat, user education is paramount. Users should be informed about the dangers of downloading software via advertisements and the importance of verifying URLs and download sources before installing anything. Employing robust endpoint protection capable of detecting and blocking malicious downloads and executables is essential; monitoring for unexpected Windows Defender exclusion changes and for unusual outbound connections from processes such as MSBuild.exe, both of which feature in this campaign, adds a further layer of detection. Notably, Malwarebytes reports that its users were safeguarded against this threat through its Browser Guard and Premium Security Antivirus offerings.

References

For a comprehensive understanding of this threat, refer to the Malwarebytes Blog: https://www.malwarebytes.com/blog/cybercrime/2025/02/sectoprat-bundled-in-chrome-installer-distributed-via-google-ads

Rescana is here for you

At Rescana, we are committed to assisting our clients in navigating the complexities of cybersecurity threats through our Third Party Risk Management (TPRM) platform. We encourage you to reach out to us at ops@rescana.com with any questions about this report or other cybersecurity concerns you may have.
