Hello and welcome to the Friday, December 16th, 2020 edition of the Sandsenet Stormsanders Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Well, we got a Malar Analysis diary again by Brad and Brad.

This time looks at how a Google ad led to an

iced ID or a bog bot infection. This is sadly still a very common theme. You are searching for

some legitimate software and the top ad being displayed on Google is leading you to a malicious page.

What makes it, I think, inverse is that when you see a paid ad like this, the URL displayed

is something that the attacker may pick, so this is not the actual URL that you'll end up at.

Yes, I understand this may be a little bit required,

because often ads lead you to some kind of click-through URLs and such,

not to the actual company homepage, and advertisers want to have their brand visible here in the link,

but allowing advertisers to arbitrarily pick the link being displayed, of course, leads to fraud like this, and apparently

Google doesn't have much interest in blocking this because there's an issue that's going on

for a few years now. Not sure with Google now owning Mannion if you

get like a 10% off coupon if a Google ad did actually cause the compromise. After the user

does end up on the fake software page in the case that Pratt talks about its NEDESK, there is a zip file that's

unavailable for download, which will expand to an MSI, so an installer file. And once installed

this, well, that's when you'll install the malicious DLL for Iced ID.

All the packet captures and other artifacts can be downloaded and you can sort of reproduce

some of the analysis that Pratt performed here.

And Tallus has an interesting write-up on a recent Quackbot variant

that takes advantage of SVG images.

...