Malware in Google Ads: Fake OBS, VLC, Notepad++

Captions
Big news, guys. In the last month you've probably heard that there have been these really convincing fake ads for VLC, 7-Zip, OBS, popular software, that actually lead to malware downloads. In fact a popular crypto influencer, NFT God, actually got hacked by one of these. I suspect it was some kind of RedLine info stealer, which I have covered on the channel before, and he lost all of his digital assets: every account got hacked, they stole all his money, took control of all of his accounts, a complete disaster. The concerning thing is it is still happening. Just a few days ago I came across this really nice site. It's OBS Studio, but it's not; if you look at the URL it's obsproject.net. Some of the URLs may be more convincing than this, but this is the one I came across myself just a few days ago and it's still up and running. If you click on the Windows version, or any version for that matter, it's going to download this RAR file and says it's a full installer, but once again it is malware, and as you can see this is a fake website. So despite all the media coverage in the last month about this issue of malicious Google ads, there are still these sites out there. I'm not sure to what extent Google has cleaned up, but it is worth understanding these threats and how they work, and that is why we're going to do a deep dive today. We're going to look at some malicious info stealer samples that have been going around in these advertising campaigns, or malvertising campaigns as we like to call them, so hopefully we can shut this down. This is Leo and you're watching The PC Security Channel.

So for starters let's go ahead and open this OBS Studio package we just downloaded. If we open the RAR file it has this weird exe file inside, but I guess, you know, it could be masqueraded better and actually look like OBS Studio. If we take a look at properties you'll see that it's 314 megabytes, and this is really what gets them around a lot of antivirus scanners and also VirusTotal scans. A lot of people are going to upload a suspicious exe file that they download into a platform like virustotal.com, see if it's detected by any of the engines, and if it's not they just assume it's safe. Now that doesn't work with samples like this, because once you get past a certain size a lot of online scanners are not going to scan it just because of the size limitation, because engines will skip files that are too large in the interest of performance, and this is something that attackers have been exploiting a lot recently.

Now we're actually going to open this file in a hex editor and look at its content. So this is what is actually written inside the file that's going to be executed, and as you can see we've got a lot of text that doesn't make any sense, and that's okay, because it's an exe file, it's a binary, it's not a text file, you're not going to be able to read it. But the important thing is, if we keep scrolling, you get to a point where the text basically ends and there's just a string of zeros, and this is just empty space, that's padding to increase the size of the file. Now in some cases the padding may be in front, in some cases the padding may be in between two sections of the file, and that makes it difficult for an antivirus to know. So for example it starts scanning the file, thinks "oh, this is just an empty file", and then the malware code is somewhere in there, but the AV is not going to scan the whole thing because they're like, we don't want to waste computer resources going through this 300 megabyte file. A lot of AVs will look for the headers of PE files, the standard sections, and then skip everything that doesn't match certain requirements because they think it can't be malicious. But with files like this you can have incredibly deadly malware packed inside a 500 megabyte file that might be skipped because products think it's like a video file or it's safe, but it's actually executable malware.

But what we're going to do in the hex editor is trim it down, and this is also a trick you can use at home; this is a free tool. If you suspect you've come across a file like this, just select all the zeros, right, so I'm just clicking on it, I'm just dragging it up, and then where the zeros end I roughly shift-click and then I hit delete. What this is doing is just getting rid of the padding, and then when we save the file it's going to back it up as well. But if we check the properties now you can see that the size has been reduced to only about 15 megabytes now, and now we can analyze it online and it's probably going to tell us what type of threat this actually is. So we're going to go to VirusTotal now, drag and drop the file, the 15 megabyte one, and as you can see we're seeing some detections, surprisingly not as many as I was hoping for, but at least we've got a few. Now looking at Twitter, somebody has actually documented the Notepad++ malware version that was being advertised, and at first I think it had only about four detections, but over time the detections went up. So in a lot of these cases the issue is, even though the lifespan of these threats or these malicious websites is not that long, because eventually people will figure out that it is malicious and then somebody's going to contact Google to take down that malicious ad, and they will, if you're one of those first few people in that initial 24 to 48 hours you're kind of screwed. That is good enough for the attackers; they don't need everybody, they just need the first hundred people, and you could be in those hundred people.

Now if you're wondering, well, how would a fake Notepad installer steal all my online credentials? Well, they're going to install something called an info stealer on your computer, and what an info stealer is going to do is try to read all your saved passwords in the browser. So if you save any passwords it's going to try to read that, it's going to try to keylog anything that you enter, potentially it could also use your authentication tokens, your cookies, anything you have on your system that's allowing you to log into these websites. And in a lot of cases attackers will have data from multiple sources: maybe they have your email from a data breach, they got your password from the saved tokens, and now they can log into your account. So it's really important to watch out for info stealers; this is probably the most prevalent public threat that I'm seeing these days.

Guardio, our sponsors of this video, also wrote a pretty good article on this topic, and this was all the way back in December. Threat actors have realized that they can use Google's AdWords capabilities as malware campaigns, and it's actually quite profitable, and especially with crypto now being a thing, if they manage to get their hands on a few people's crypto wallets that can be a good enough payoff for them to fund the next campaign. So I don't think these things are going to go away. This is also how the previous MSI Afterburner malware was spread, the one I made a video about. And just so you understand how the malware actors managed to do this, or fool Google: they create a legitimate website that has some sort of, like, SEO content in the back end, it's been running for a long time, and they just select that as the website they want to advertise. Google verifies it, they say it's good to go, but then they set up a malicious redirect from that website into the malware. So this diagram actually does a great job of describing it: there's a benign advertised site that's perfectly safe, that's what they use in the ad placement, but when you do click on it they set up a redirect that sends you to the malicious site. So once again, be very careful when you're downloading something. The only thing that matters is the start of the link, so what do you see after https? And if you don't see the exact name of the site that you're supposed to be visiting, then it could be a malicious redirect, so watch out for that.

I hope you found this video helpful. Please like and share it if you enjoyed it, because this is a major threat, and don't forget to subscribe to The PC Security Channel. Also check out our Discord server; we'll be doing an event on using AI techniques for threat detection very shortly. A big thank you to Guardio for sponsoring this video, let's check them out.

This video is brought to you by Guardio, a web extension that you can add to any browser to protect you from cyber threats. Once installed it's going to scan your browser for malicious extensions, notifications, information leaks or hijackers. You can also look at your emails and figure out if they've been part of any data breaches, and once set up it is going to actively protect you in real time against any malicious websites that you end up visiting. Guardio is also available for teams and can protect your business from attacks like phishing. In order to demonstrate, we're at PhishTank, that's a repository of phishing links; these are websites that are going to attempt to steal your credentials as you visit them, but we do have Guardio installed on this browser so we'll see what it can do. And as you can see, the moment we try to visit the site it is blocked by Guardio, and because it's based in the web browser it doesn't really matter where the link comes from, it's going to stop you from visiting it, whether it was in a spear phishing email or you just stumbled across it in the search engine. And it doesn't matter whether it's on Mac or PC, which is pretty important because you can still get phished on Mac. Once installed you will also have access to a personalized dashboard that's going to show you all the statistics. With Guardio Premium you can monitor up to five emails for information leaks, so it's a great way to bolster cyber security. These days it's just as important to protect your online assets since everything's interconnected and digital; one of your accounts being compromised can lead to a domino effect, so it's crucial to keep monitoring your emails and passwords and make sure that they're not leaked. So go ahead and check out Guardio using the link in the description or go to guard.io PC security. This is Leo, thank you so much for watching, and as always, stay informed, stay secure.
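The hex-editor trick in the video (find the run of zeros, delete it, rescan the now-small file) can be done more carefully by reading the PE section table, so that only the null overlay after the last section is cut and any padding sitting between sections is reported rather than blindly removed. The script below is an added example for analysts, not a tool from the channel or from the video; it walks the section headers with struct, locates every run of null bytes above a threshold, and trims the trailing padding only when the whole overlay is zeros. The toy PE it builds for itself is constructed in-line (a fake header with one section and no optional header) so the script runs offline; the 1024-byte threshold is an assumption chosen for the demo.

```python
from __future__ import annotations

import re
import struct
import sys

# Walk the PE section table and return the offset just past the last section's
# raw data. Everything after that offset is "overlay"; in the samples discussed
# above the overlay is a long run of null bytes used to inflate the file size.
def pe_end_of_last_section(data: bytes) -> int:
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sect = coff + 20 + opt_size            # first IMAGE_SECTION_HEADER
    end = 0
    for i in range(num_sections):
        off = sect + i * 40                # each section header is 40 bytes
        size_raw, ptr_raw = struct.unpack_from("<II", data, off + 16)
        end = max(end, ptr_raw + size_raw)
    return end


# Every run of at least min_run null bytes, wherever it sits (front, between
# sections, or at the end). Interior runs are reported, never cut, because
# removing them would shift the section offsets the header points at.
def find_null_runs(data: bytes, min_run: int = 1024) -> list[tuple[int, int]]:
    pattern = rb"\x00{%d,}" % min_run
    return [(m.start(), m.end() - m.start()) for m in re.finditer(pattern, data)]


# Drop the overlay only if it consists entirely of null bytes. A non-null
# overlay (an installer payload, an Authenticode signature) is left alone.
def trim_null_overlay(data: bytes) -> tuple[bytes, int]:
    end = pe_end_of_last_section(data)
    overlay = data[end:]
    if overlay and overlay.count(0) == len(overlay):
        return data[:end], len(overlay)
    return data, 0


# Constructed toy PE for the demo (assumption: one section at 0x200, optional
# header size 0). It is not a runnable binary, just enough header to parse.
def build_sample_pe(section_bytes: bytes, overlay: bytes) -> bytes:
    e_lfanew = 0x40
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    struct.pack_into("<H", hdr, coff + 2, 1)        # NumberOfSections = 1
    struct.pack_into("<H", hdr, coff + 16, 0)       # SizeOfOptionalHeader = 0
    sect = coff + 20
    hdr[sect:sect + 8] = b".text\0\0\0"
    struct.pack_into("<II", hdr, sect + 16, len(section_bytes), 0x200)
    return bytes(hdr) + section_bytes + overlay


def triage(data: bytes, min_run: int = 1024) -> dict:
    trimmed, removed = trim_null_overlay(data)
    return {
        "size": len(data),
        "end_of_sections": pe_end_of_last_section(data),
        "null_runs": find_null_runs(data, min_run),
        "trimmable_overlay": removed,
        "trimmed_size": len(trimmed),
    }


if __name__ == "__main__":
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        # No file given: use the constructed sample, 256 bytes of code padded
        # with 4096 null bytes of overlay.
        blob = build_sample_pe(b"\x90" * 0x100, b"\x00" * 4096)
    for key, value in triage(blob).items():
        print(f"{key}: {value}")
```

Point it at a downloaded installer to get the size, the offset where the sections end, every large null run, and how many bytes a safe trim would remove; a large interior run with nothing trimmable is the "padding between two sections" case from the video and is worth hashing and submitting as-is rather than editing. Trimming changes the file hash, so keep the original for indicators and share the trimmed copy only for scanning.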
Info
Channel: The PC Security Channel
Views: 25,597
Keywords: The PC Security Channel, TPSC, cybersecurity, cyber security, computer security, internet security, antivirus, anti malware, ransomware, trojan, virus, PUP, best antivirus, best internet security, learn cybersecurity, hacking, hack, security, technology, cyber insurance, cybersecurity degree, best EDR, EDR, malvertising, malware in google ads, obs malware, infostealer, redline, vlc malware, notepad malware, google ads malware
Id: e6o2afben0s
Length: 9min 56sec (596 seconds)
Published: Sun Jan 22 2023