Researchers found that a threat actor is using Google Search ads to distribute malware, specifically targeting graphic design professionals. Two IP addresses, 185.11.61[.]243 and 185.147.124[.]110, were identified as hosting at least ten distinct malvertising campaigns; the Google Search campaigns tied to them promoted malicious downloads through deceptive websites.
The IP address 185.11.61[.]243 has been in use since July 29, 2024, and has hosted 109 unique domains associated with the graphic design/CAD malvertising campaign; the most recent domains were added on November 25, 2024, indicating ongoing activity. Numerous unique domains have been mapped to both 185.11.61[.]243 and 185.147.124[.]110, and new domains continue to be added, so the campaign should be treated as ongoing.
On November 13, 2024, a malvertising campaign was launched using frecadsolutions[.]com, hosted on 185.11.61[.]243 since November 6; the domain was linked to multiple similar domains, suggesting a broader operation.
On November 14, 2024, a campaign leveraged frecadsolutions[.]cc, also hosted on 185.11.61[.]243 since November 6, to distribute malware, abusing Bitbucket, a legitimate code hosting service, as the payload delivery mechanism.
Another campaign began on November 26, 2024, using freecad-solutions[.]net; the domain had previously been hosted on 185.11.61[.]243 and was moved to 185.147.124[.]110 on the same day.
A further campaign began on November 27, 2024, using frecadsolutions[.]org, which was hosted on 185.11.61[.]243 from November 6 to 26, 2024, and has since migrated to 185.147.124[.]110.
A campaign using rhino3dsolutions[.]io, initially hosted on 185.11.61[.]243 and later moved to 185.147.124[.]110, likewise distributed malicious payloads.
The domain rhino3dsolutions[.]org, hosted on 185.11.61[.]243 from November 18 to 26, 2024, and on 185.147.124[.]110 from November 27, 2024, was also used to compromise user systems.
Multiple malvertising campaigns were launched using the domains rhino3dsolutions[.]net and planner5design[.]net, hosted on 185.11.61[.]243 and 185.147.124[.]110 between November and December 2024.
Between December 1 and 10, 2024, two further campaigns were launched using onshape3d[.]org and frecad3dmodeling[.]org, both hosted on 185.147.124[.]110.
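The pattern across the campaigns above is the same one a defender can automate: pivot from the two hosting IPs to every domain that has resolved to them, note which domains hopped from 185.11.61[.]243 to 185.147.124[.]110 around November 26 to 27, and flag each domain by the CAD brand it imitates (frecad for FreeCAD, rhino3d, onshape, planner5d). The script below is an added example, not Silent Push's code or any tool the article describes. Its RECORDS list is a constructed passive-DNS style sample built from the domains, IPs and dates named above; the unrelated example-cad-blog.com record and the 203.0.113.7 address are invented controls, the brand keyword table is an assumption about which products are being spoofed, and the one-edit tolerance for typosquats is a design choice of the example.

```python
"""Pivot from two hosting IPs to the lookalike domains they serve and their migrations.

Added example (not Silent Push's code). RECORDS is a constructed passive-DNS
style sample built from the domains, IPs and dates in the article; the
example-cad-blog.com record and 203.0.113.7 are invented controls.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# The two IPs the article attributes to the campaign
WATCHED_IPS = {"185.11.61.243", "185.147.124.110"}

# Brand keywords the lure domains imitate (assumption: the products being spoofed)
BRANDS = {"freecad": "FreeCAD", "rhino3d": "Rhino 3D", "onshape": "Onshape", "planner5d": "Planner 5D"}


@dataclass(frozen=True)
class DnsRecord:
    domain: str
    ip: str
    first_seen: date
    last_seen: date


# Constructed sample, not real passive-DNS output
RECORDS = [
    DnsRecord("frecadsolutions.com", "185.11.61.243", date(2024, 11, 6), date(2024, 11, 26)),
    DnsRecord("frecadsolutions.org", "185.11.61.243", date(2024, 11, 6), date(2024, 11, 26)),
    DnsRecord("frecadsolutions.org", "185.147.124.110", date(2024, 11, 27), date(2024, 12, 10)),
    DnsRecord("rhino3dsolutions.org", "185.11.61.243", date(2024, 11, 18), date(2024, 11, 26)),
    DnsRecord("rhino3dsolutions.org", "185.147.124.110", date(2024, 11, 27), date(2024, 12, 10)),
    DnsRecord("onshape3d.org", "185.147.124.110", date(2024, 12, 1), date(2024, 12, 10)),
    DnsRecord("example-cad-blog.com", "203.0.113.7", date(2024, 1, 1), date(2024, 12, 10)),
]


def defang(ioc: str) -> str:
    """Render an IOC so it cannot be clicked or auto-resolved in a report."""
    return ioc.replace(".", "[.]")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-typo lookalikes such as frecad/freecad."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def matched_brand(domain: str):
    """Return the brand a domain imitates, or None.

    Exact keyword hits (rhino3dsolutions) are accepted directly; otherwise a window
    of roughly keyword length is slid over the label and accepted within one edit.
    """
    label = re.sub(r"[^a-z0-9]", "", domain.rsplit(".", 1)[0].lower())
    for key, name in BRANDS.items():
        if key in label:
            return name
        for width in (len(key) - 1, len(key), len(key) + 1):
            for i in range(len(label) - width + 1):
                if edit_distance(label[i:i + width], key) <= 1:
                    return name
    return None


def cluster_by_ip(records, watched=WATCHED_IPS):
    """IP -> sorted domains that resolved to it (the article's IP pivot)."""
    cluster = defaultdict(set)
    for r in records:
        if r.ip in watched:
            cluster[r.ip].add(r.domain)
    return {ip: sorted(doms) for ip, doms in cluster.items()}


def migrations(records, watched=WATCHED_IPS):
    """(domain, from_ip, to_ip, moved_on) for domains that hopped between watched IPs."""
    by_domain = defaultdict(list)
    for r in records:
        if r.ip in watched:
            by_domain[r.domain].append(r)
    moves = []
    for domain, recs in sorted(by_domain.items()):
        recs.sort(key=lambda r: r.first_seen)
        for earlier, later in zip(recs, recs[1:]):
            if earlier.ip != later.ip:
                moves.append((domain, earlier.ip, later.ip, later.first_seen))
    return moves


def ioc_list(records, watched=WATCHED_IPS):
    """Defanged, tab-separated IOC lines suitable for a blocklist or a feed export."""
    seen = {(r.domain, matched_brand(r.domain)) for r in records if r.ip in watched}
    lines = [f"{defang(d)}\tlookalike of {brand or 'unknown'}" for d, brand in sorted(seen)]
    lines += [f"{defang(ip)}\thosting IP" for ip in sorted(watched)]
    return lines


if __name__ == "__main__":
    for ip, domains in cluster_by_ip(RECORDS).items():
        print(defang(ip), "->", ", ".join(defang(d) for d in domains))
    for domain, src, dst, when in migrations(RECORDS):
        print(f"{defang(domain)} moved {defang(src)} -> {defang(dst)} on {when}")
    print("\n".join(ioc_list(RECORDS)))
```

Run against real passive-DNS exports, the same functions turn the two seed IPs into a domain cluster, surface the November 27 hop as a single event rather than a dozen separate sightings, and keep the unrelated control domain out of the blocklist because it never resolved to a watched IP. The brand-keyword table is the part to tune per target industry; a registrar-level typosquat check would extend it, but the one-edit window already catches the frecad and freecad-solutions variants the article names.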
Silent Push provides IOFA Feeds containing the malvertising domains and IPs to Enterprise subscribers; these can be integrated into existing security stacks to improve detection and used alongside the Silent Push Console and Feed Analytics to investigate related infrastructure.