Leveraging the name and reputation of a legitimate site, namely WindowsReport, some cybercriminals created fictitious platforms and then promoted them through Google ads.
The advertisements and cloned sites were used to spread a modified version of the CPU-Z tool carrying the Redline information-stealing malware. The malvertising campaign, identified by experts at Malwarebytes, follows a playbook already known to researchers.
The CPU-Z app is free software commonly used to monitor a computer's hardware components. The data collected by the app ranges from CPU clock frequencies to fan speeds, providing a complete overview of the PC's status.
In fact, just a few months ago, a similar operation abused Notepad++ to distribute Trojans through ads on the same search engine.
Fake CPU-Z app promoted via Google ads spreads the dreaded Redline malware
By clicking on the fake advertisement, the potential victim is "filtered" from the crawlers that scour the Web looking for malicious sites. In this way, analysis tools are redirected to harmless pages, while real users end up on the site where the modified app is offered for download.
The sites identified so far as serving this purpose are linked to the following domains:
- app wireshark[.]online
- app workspace[.]online
These, created specifically to mislead the user, offer an MSI file for download. After analysis by researchers, this file was shown to contain a malicious PowerShell script. What makes the malicious version of CPU-Z particularly insidious is the presence of an apparently legitimate digital signature. A signature that validates only shows that the file has not been altered since it was signed; it says nothing about whether the signer is the vendor you expect, so the signer's identity must be checked as well.
When the victim launches the installation, the loader retrieves the Redline payload from a remote URL, initiating the actual infection.
To avoid cases like this, in addition to using an antivirus, the advice is to always check the URL of the site from which you are about to download software. It is very important to rely only on official sites.
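The advice above can be turned into a mechanical check before an installer is trusted. The following is an added example, not code from the article or from Malwarebytes: it classifies a download URL against the vendor's official domain and flags lookalike hosts that merely contain the product name. The official domain (cpuid.com, the CPU-Z vendor's site) and the product keywords are assumptions for illustration; the sample URLs use reserved example names and are constructed. It also accepts defanged `[.]` notation of the kind used in the domain list above.

```python
"""
Added example: classify a software download URL before trusting the installer.
OFFICIAL_DOMAINS and PRODUCT_KEYWORDS are assumptions for illustration;
check them against the vendor's own site. Sample inputs are constructed.
"""
from urllib.parse import urlparse

# Assumed official domain for CPU-Z (vendor CPUID). Adjust per product.
OFFICIAL_DOMAINS = {"cpuid.com"}
# Strings a lookalike host is likely to embed to look like the real thing.
PRODUCT_KEYWORDS = ("cpu-z", "cpuz", "cpuid")


def refang(text: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxps://') back into a usable URL."""
    return (text.replace("[.]", ".")
                .replace("hxxps://", "https://")
                .replace("hxxp://", "http://"))


def host_of(url: str) -> str:
    """Extract the lowercase hostname; a bare host without scheme is accepted too."""
    url = refang(url.strip())
    if "://" not in url:
        url = "https://" + url
    return (urlparse(url).hostname or "").lower()


def registered_domain(host: str) -> str:
    """Naive registered-domain extraction (last two labels).

    Production tooling should use the Public Suffix List so that hosts under
    two-level suffixes such as 'co.uk' are not mis-split.
    """
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(url: str) -> str:
    """Return 'official', 'lookalike', 'unofficial' or 'invalid' for a download URL.

    'lookalike' covers the classic trick of placing the vendor's name or the
    official domain inside a different registered domain, e.g. cpuid.com.example.net.
    """
    host = host_of(url)
    if not host:
        return "invalid"
    if registered_domain(host) in OFFICIAL_DOMAINS:
        return "official"
    if any(k in host for k in PRODUCT_KEYWORDS) or any(d in host for d in OFFICIAL_DOMAINS):
        return "lookalike"
    return "unofficial"


if __name__ == "__main__":
    # Constructed sample URLs using reserved example names.
    for sample in (
        "https://www.cpuid.com/softwares/cpu-z.html",
        "hxxps://cpuid.com.example.net/cpu-z.msi",
        "download-cpu-z[.]example",
        "https://files.example.org/setup.msi",
    ):
        print(f"{classify(sample):<11} {sample}")
```

Only an "official" result should be followed by running the installer, and even then the downloaded file's signature should be checked for the expected signer (on Windows, `Get-AuthenticodeSignature` exposes the signer certificate's subject), since a valid signature from an unrelated publisher is exactly the pattern described in this campaign.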