Hackers using Google Ads to steal your info and drain your accounts — what you need to know

(Image credit: solarseven/Shutterstock)

Cybercriminals often have to devise new tactics to deliver their malicious payloads to unsuspecting users which is why they’re now abusing Google Ads to distribute a dangerous new infostealer malware.

According to a new report from the cybersecurity firm Cyble, its security researchers recently discovered a new malware strain named Rhadamanthys after the wise king of Crete from Greek mythology. 

At the same time, Rhadamanthys is also being spread through spam emails which contain a malicious PDF file about an unpaid statement. However, these emails are being used to target businesses while the fake Google Ads used in this campaign are aimed at consumers trying to download popular software.

Abusing Google ads to spread malware

person at desk on laptop accessing google

(Image credit: Unsplash)

When you search Google, the most relevant results are displayed at the top of the page but sometimes, an ad can appear above the search results. In this situation, you have to scroll further down the page to find a company’s actual website.

The cybercriminals distributing the Rhadamanthys malware are using the way in which Google displays ads to their advantage in their new campaign as many users often click on the first result after doing a web search. To get more users to unknowingly download their malware, they have created a number of phishing sites designed to mimic popular software including Zoom, AnyDesk, Notepad++ and Bluestacks.

While a user thinks they’ve clicked on an ad that will take them to a company’s official site, they’re redirected to a phishing page designed to impersonate popular brands by using their logos, fonts, etc.

According to Cyble, these phishing sites go a step further by also making their installer files look like those from the legitimate applications they’re impersonating. However, instead of Zoom, AnyDesk or other popular software, users inadvertently install the Rhadamanthys malware onto their systems.

In an email to Tom's Guide, a Google spokesperson explained that the ads directing users to these phishing sites have since been removed, saying: 

"Protecting users from ad scams and fraud is a key priority. We have robust policies prohibiting ads that attempt to circumvent our enforcement by disguising the advertiser’s identity and impersonating other brands. At the time of this request, the ads in question had already been flagged and removed."

Stealing passwords, crypto and more

Holographic login above laptop keyboard

(Image credit: Song_about_summer / Shutterstock)

As an infostealer, Rhadamanthys is designed to gather up as much information from its victims as possible which is then relayed to a command and control (C&C) server controlled by the attackers.

The malware collects system information from Windows PCs including their computer name, username, OS version, RAM, CPU information and more before searching for browser-related files like browsing history, bookmarks, cookies, auto-fills, login credentials and more. Rhadamanthys is designed to target many of the top browsers including Chrome, Edge, Firefox and Chrome as well as some upcoming ones like Brave. If you store your passwords in your browser and use it to access your bank accounts, a hacker could easily empty your accounts with the wealth of data Rhadamanthys collects.

From here, Rhadamanthys targets Binance, Zcash and a number of the other best crypto wallets and crypto wallet browser extensions. With crypto wallet credentials in hand, the malware can drain a user’s funds. However, it also goes after FTP and email clients, password managers like RoboForm and KeePass, VPN services including NordVPN, ProtonVPN, Windscribe VPN, messaging apps like Discord and Telegram and other programs running on a victim’s system. Screenshots of a victim’s machine are also taken and sent back to the C&C server.

Essentially, Rhadamanthys works like a vacuum and the malware is able to gather up all kinds of sensitive and personal information to use in future attacks or even to commit identity theft

How to stay safe from malware and other online threats

Now that cybercriminals are using ads to trick users into visiting phishing sites distributing malware, you need to be careful where you click. You should always scroll down to the actual search results when looking for something on Google instead of clicking on ad, even if it may be tempting.

In fact, the FBI recently recommended using an ad-blocker since fake ads in search results have become such a problem. If you can’t see the ads as they’re blocked, you won’t be clicking on them.

Likewise, you should have one of the best antivirus software solutions installed on your PC to help protect you from new malware strains like Rhadamanthys that Microsoft's Windows Defender may miss. If you’re using a Mac, you still need the best Mac antivirus software as cybercriminals are quite eager to find ways to target Apple's user base.

As Rhadamanthys is a malware-as-a-service that cybercriminals are paying good money to use in their attacks, this likely isn’t the last we’ll see of this dangerous new infostealer.

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.