Beware of Malicious CPU-Z Ads: A New Cyber Threat
In a concerning development, a threat actor has been exploiting Google Ads to distribute a trojanized version of the popular CPU-Z tool, ultimately delivering the Redline info-stealing malware. This alarming campaign was recently uncovered by Malwarebytes analysts, who linked it to similar operations involving Notepad++ malvertising.
The Deceptive Campaign
The malicious Google advertisement for the trojanized CPU-Z, a tool that profiles computer hardware on Windows, is cleverly hosted on a cloned copy of the legitimate Windows news site WindowsReport. CPU-Z is a widely used free utility that monitors various hardware components, including fan speeds, CPU clock rates, voltage, and cache details.
However, clicking the ad initiates a redirect step designed to trick Google’s anti-abuse crawlers. Invalid visitors are sent to an innocuous site, while those deemed valid are redirected to a Windows news site lookalike hosted on domains such as argenferia[.]com and realvnc[.]pro, among others.
The Infection Process
The use of a clone of a legitimate site adds a layer of trust to the infection process, as users are more likely to trust tech news sites hosting download links for utilities. The ‘Download now’ button on these fake sites leads to a digitally-signed CPU-Z installer (MSI file) containing a malicious PowerShell script identified as the ‘FakeBat’ malware loader.
This loader fetches the Redline Stealer payload from a remote URL and launches it on the victim’s computer. Redline is a potent stealer capable of collecting passwords, cookies, browsing data, and sensitive information from cryptocurrency wallets.
To minimize the chances of malware infections, users should be cautious when clicking on promoted results in Google Search. It’s crucial to check if the loaded site and the domain match. Alternatively, using an ad-blocker that hides these ads automatically can be an effective preventive measure.
Related: New Malvertising Campaign Uses Fake Windows News Portal to Distribute Malicious Installers – The Hacker News discusses how malicious sites posing as legitimate Windows news portals have been spotted distributing malware disguised as CPU-Z.