Recent Webinar: Building an Adaptive Cyber Resilient Cloud
arrow-white arrow-white Watch now
close

Google PPC Ads Deliver Redline, Taurus, and mini-Redline Infostealers

Posted by Michael Gorelik on June 2, 2021
Find me on:

Google PPC Labs Tag

In the past month, Morphisec has investigated the origin of several increasingly prevalent infostealers. These include Redline, Taurus, Tesla, and Amadey.

As part of our research, we identified pay-per-click (PPC) ads in Google’s search results that lead  to downloads of malicious AnyDesk, Dropbox and Telegram packages wrapped as ISO images.

The PPC ads targeted specific IP ranges in the US and probably some other countries. Non-targeted IPs are redirected to legitimate pages that download the correct applications.

The advertisements being on the first page indicates the need for constant vigilance on all levels. Adversaries will clearly take all opportunities possible to target their chosen victims, even going so far as to use legitimate services such as Google Adwords. 

In this threat post we will go through three attack chains that lead to Redline, Taurus and a new mini-Redline infostealer compromise. We will focus on two adversaries because of similarities in patterns, certificates, and C2s. The first adversary leverages Redline and the second uses Taurus and mini-Redline.

We will cover Amadey in a separate blog post.

Technical Introduction

All of these attack chains start with one of a dozen paid Google ads that lead to a website with an ISO image download. The ISO image size is larger than 100MB, which allows the image to evade some scanning solutions that are optimized on throughput and size.

Mounting the ISO image leads to executables that are usually, but not always, digitally signed and legitimately verified.

Adversary One delivers the Redline infostealer.

  • .Net executables are obfuscated with known obfuscators such as DeepSea, which leads to a custom obfuscated .Net DLL loader that eventually leads to a custom obfuscated Redline stealer .Net executable.

Adversary Two delivers Taurus and a mini-Redline infostealer.

  • Taurus AutoIt - 7fx executables that recreate and execute a legitimate AutoIt compiler with a malicious AutoIt script and a malicious encrypted Taurus executable that will be hollowed into the AutoIt process. 
  • Mini-Redline - A minimized .Net version of the Redline stealer with some common functionality for stealing data from browsers. It features  different configuration and communication patterns wrapped in four layers of obfuscation.

Redline Infostealer 

As can be seen from the image below, a simple search for “anydesk download” leads to three pay-per-click Google ads. All three lead to malicious infostealers. . The first 2 advertisements lead to a Redline stealer while the third one leads to the Taurus infostealer

anydesk download

TheRedline infostealer websites are signed by a Sectigo certificate, as seen in the image below.

signed by a Sectigo certificate

signed by a Sectigo

anydesk

Double Clicking the download button on any of the websites will lead to a script execution that verifies the IP and delivers the artifacts from one remote website “hxxps://desklop.pc-whatisapp[.]com/”.

IP verifyingThe artifacts are updated and re-uploaded to the website every couple of days. 

As mentioned before, every ISO file includes a very small .Net executable. In some cases, this executable is also digitally signed.

artifact update

 

threat details

The first layer of the executable is obfuscated with DeepSea.

DeepSea

The second layer is actually a custom obfuscated .Net DLL that executes in memory.

infostealer executable

Finally, the third layer is the well known Redline infostealer. It communicates back with jasafodidei[.]xyz:80.

Redline infostealer

As the infostealer is well covered by other researchers, we decided to end with a snapshot showing the variety of databases this infostealer targets. Surprisingly, this infostealer targets browsers that are also used in Russian-speaking countries

infostealer targets

Taurus Infostealer

The Taurus infostealer is delivered in a similar way and appears as the third paid ad in a search for the popular applications mentioned in the introduction. 

This time the website is signed with a legitimate Cloudflare certificate. Like the Sectigo certificate used with Redline, the Taurus certificate is not older than two weeks

In the Taurus case, we did not see any redirects to additional websites. As can be seen in the image below, the download results from a submitted form that is handled by “get.php” and in turn delivers the ISO image directly from the website.

Taurus infostealer

If the target is not within the range of interesting IP addresses, users will see a normal redirect to the legitimate application website like in the Redline infostealer.

infostealer redirects

The downloaded ISO image consists of a 7z SFX executable. 

7z SFX executable

The executable includes either 4 “flv” or 4 “bmp” files in the examples we cover below. Sfx is configured to start the execution from the first batch file (masquerading as either flv, bmp or any other unique extension). The batch script is then redirected as input into cmd.exe.

batch script is then redirected as input into cmd.exe

batch script

re-creation of the legitimate AutoIt compiler

This batch script is well documented. It is responsible for the re-creation of the legitimate AutoIt compiler (Ali.exe.com or the Dio.exe.com in the examples above) and the execution of the malicious AutoIt script (Pramide.flv or the Debbano.bmp). Through the re-created compiler, it will fail to execute upon detection of a known sandbox provider. A VirusTotal search for additional 7z SFX archives with a similar evasion will lead to more than 400 different files uploaded in the past month.

files upload

The AutoIt script supports both 32 and 64 bit processes (slightly deobfuscated).

AutoIt script

It also implements persistence through a URL link directly in the startup folder. The link executes Javascript from a hidden folder under roaming (use attrib -H to unhide). 

Javascript from a hidden folder

As in the previous batch file execution, the Javascript file executes the AutoIt compiler with the copied Taurus AutoIt script.

Taurus AutoIt script

Mini-Redline Infostealer

As with the Taurus campaign, the advertisement websites that lead to the mini-Redline infostealer are also signed with Cloudflare certificates.

mini-Redline Infostealer

The file inside the ISO is also padded with zeros to increase the size of the file for evasion purposes.

file size increase

The executable is a .Net assembly with an unknown obfuscation pattern; dynamic unpacking of the assembly reveals four (4) layers of obfuscation and hollowing.

First Layer

obfuscation layer

Second Layer

hollowing layer

Third Layer

unknown obfuscation pattern

Fourth Layer - Hollowed Mini-Redline

Finally, the last layer leads to some known stealing functionalities. An initial static look at the file is reminiscent of Redline; not surprisingly a VT scan for the unpacked file shows that it will confuse even the biggest security vendors. The method and strings implemented as part of the Chrome credential theft are almost identical. In both cases, the databases are copied to a temporary location before being decrypted, using similar methods and class names to do so even though the number of targeted browsers is minimal. 

Hollowed Mini-Redline

Nevertheless, the communication pattern is different. Mini-Redline uses a direct TCP socket connection.

Mini-Redline using a direct TCP socket connection

Some of the anti-debugging functionalities include “DebuggerHidden” attributes and virtualization detection.

DebuggerHidden attributes

Virtual Environment evasion checks using WMI.

Virtual Environment evasion

Virtual Environment evasion checks

Virtual Environment evasion checks using WMI

Conclusion:

Adversaries will use any method possible to gather targets, even paying Google top dollar for their paid search results to surface a malicious website as a top search result. This inventiveness on the part of threat actors means that organizations need to be constantly vigilant in all aspects of their operations. There’s no telling when an adversary will set up a website with a signed, legitimate certificate designed to mislead website visitors. 

Threat actors are even clearly willing to pay substantial sums of money to target possible victims. Google Adwords data between May 2020 and April 2021 shows a bid price of between $0.42 and $3.97 for the two keywords “anydesk” and “anydesk download.” Assuming a click-through rate of 1,000 people, this could result in fees anywhere from $420 to $3,970 for even a small campaign that targets the United States, for example.
 
anydesk Google Adwords data

Thankfully, Morphisec customers are protected against these infostealers through our zero trust at execution technology powered by moving target defense. 

URLs Redline Infostealer

hxxps://me.anydesk-pro[.]com/            

hxxps://desklop.telegram-home[.]com/

hxxps://pc.anydesk-go[.]com/

hxxps://desklop.anydesk-new[.]com/

hxxps://desklop.pc-whatisapp[.]com/

URLs Taurus and Mini-redline Infostealer

hxxps://anydesk-en-downloads[.]com/

hxxps://anydesk-one[.]com/

hxxps://anydesk-top[.]com/

hxxps://anydesk-connect[.]com/

hxxps://anydesk-vip[.]com/

C2 - Redline infostealer

jasafodidei[.]xyz:80

ISO - Redline infostealer zip files

C249E79B05D3385A50BD0D54881B59BD

76118B65F29856DB2ABECD1193D08CF1

ISO - Taurus

476A504DB16C7E6972775B1160B4631C

F0EF3E84F172C8E869088F1FCF933B07

7DAB7515FC7C795A2AD2BD8D22F36A14

ISO - Mini-Redline

7B91DF7AF3BC0CFACFF46DB883BA784D

Taurus and Mini-Redline C2

109.234.37[.]201:15647

New call-to-action