Malicious Fake Notepad++ Ads on Google: Detected only after months

A campaign of malicious ads which, at least in theory, offered a download of Notepad++ was spotted on Google. According to Malwarebytes, it remained active for months before someone identified it and reported it to the Mountain View giant.

At present it is not yet known which final loader the campaign distributed, although experts suspect it is Cobalt Strike or at least other ransomware with a high degree of danger.

The ads in question promote URLs with misleading titles that refer to the well-known text editor. To make the links more credible, the cybercriminals used some strategies common in malvertising. For example, they used titles that were very long compared to the URLs, hiding the name of the site and misleading the victim.

Once the user clicks on any of the ads, a redirection phase checks their IP address to block crawlers, VPNs, bots and the like. Once the "human" nature of the visitor is ascertained, they are directed to a site that imitates the official Notepad++ one, complete with links to download the various versions of the app.

Notepad++ and more: how to download software without running this kind of risk

Clicking the alleged Notepad++ download link in reality allows the cybercriminals to carry out a further check, trying to determine whether the potential victim is operating from a sandbox environment.

Once it is established that the user is real and unprotected, they are served an HTA script with an attached unique ID used for tracking the victim. The next step of the script is to connect to a remote domain on a specific port: this type of action appears to favor the distribution of malicious agents such as Cobalt Strike.

The experts also provided some valuable advice for avoiding this type of attack. To avoid downloading malware when searching for a specific software tool, it helps to skip the sponsored results on the Google SERP and go manually to the app's official website.

If the official site is difficult to locate, one can consult Wikipedia or the software house's social channels to find out which platform provides the desired program without risk.
