Hackers Target Graphic Designers Through Google Ads

Researchers at Silent Push found that a threat actor is using Google Search ads to distribute malware to graphic design professionals. Two IP addresses, 185.11.61[.]243 and 185.147.124[.]110, were identified as hosting the infrastructure behind at least ten distinct malvertising campaigns.

The Google Search ad campaigns tied to these two IP addresses send victims to lookalike websites that promote malicious downloads posing as graphic design and CAD software.

The IP address 185.11.61[.]243 has hosted 109 unique domains associated with the graphic design/CAD malvertising campaign since July 29, 2024; the most recent domains were added on November 25, 2024, indicating that the activity is ongoing.

Screenshot of domains mapped to 185.147.124[.]110

Numerous unique domains have been mapped to both IP addresses (185.11.61[.]243 and 185.147.124[.]110), and the pattern is consistent with a single graphic design/CAD-themed malvertising operation that continues to register new domains while the campaign runs.

On November 13, 2024, the first malvertising campaign was observed using frecadsolutions[.]com, which had been hosted on 185.11.61[.]243 since November 6. The same IP was linked to multiple similar domains, suggesting a broader operation.

The first malvertising campaign was launched with frecadsolutions[.]com

On November 14, 2024, a second campaign used frecadsolutions[.]cc, also hosted on 185.11.61[.]243 since November 6. This campaign abused Bitbucket, a legitimate code hosting service, as the delivery mechanism for the malware, so the final download came from a trusted domain that many web filters allow.

A third campaign began on November 26, 2024, using freecad-solutions[.]net. The domain had previously resolved to 185.11.61[.]243 and was moved to 185.147.124[.]110 on the same day.

A third malvertising campaign was launched on freecad-solutions[.]net

A fourth campaign was initiated on November 27, 2024, using frecadsolutions[.]org, which resolved to 185.11.61[.]243 from November 6 to 26, 2024, and has since migrated to 185.147.124[.]110.

A fifth campaign used rhino3dsolutions[.]io, which was initially hosted on 185.11.61[.]243 and later moved to 185.147.124[.]110, to deliver malicious payloads.

The sixth campaign used rhino3dsolutions[.]org, hosted on 185.11.61[.]243 from November 18 to 26, 2024, and on 185.147.124[.]110 from November 27, 2024 onward.

The sixth malvertising campaign was launched with rhino3dsolutions[.]org

Two further campaigns used the domains rhino3dsolutions[.]net and planner5design[.]net, both hosted on 185.11.61[.]243 and 185.147.124[.]110 between November and December 2024.

Between December 1 and 10, 2024, two more campaigns were launched using onshape3d[.]org and frecad3dmodeling[.]org, both hosted on 185.147.124[.]110. Every domain in the set imitates a legitimate CAD or 3D design product (FreeCAD, Rhino 3D, Onshape, Planner 5D), and most of them followed the same hosting pivot from 185.11.61[.]243 to 185.147.124[.]110, which gives defenders two independent signals to hunt on: the IOC IPs themselves and brand-keyword lookalike domains that were never registered by those vendors.
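As an added example (not code from Silent Push or from the original article), the following Python script hunts for this infrastructure in passive-DNS style resolution records. It flags any domain that resolved to either IOC IP, detects the 185.11.61[.]243 to 185.147.124[.]110 migration described in the campaign timeline above, and flags brand-keyword lookalike domains that are not the vendors' real domains. The log line format, the allowlist of legitimate vendor domains and the two benign entries are assumptions; the malicious domain/IP pairs and dates are taken from the article.

```python
"""Hunt for the CAD/graphic-design malvertising infrastructure in DNS resolution logs.

Added example; not Silent Push's tooling. Assumed input format (one resolution per line):
    YYYY-MM-DD <domain> A <ipv4>
"""
import json
import re
from collections import defaultdict
from datetime import date

# IOC IPs reported for the campaign; the second one is where domains were moved to.
FIRST_IP, SECOND_IP = "185.11.61.243", "185.147.124.110"
IOC_IPS = frozenset({FIRST_IP, SECOND_IP})

# Product names the lookalike domains imitate (FreeCAD, Rhino 3D, Onshape, Planner 5D).
BRAND_PATTERNS = tuple(re.compile(p) for p in (r"fre+cad", r"rhino3d", r"onshape", r"planner5d?"))

# Assumption: the vendors' real domains, suppressed so they are not reported as lookalikes.
LEGIT_DOMAINS = frozenset({"freecad.org", "freecadweb.org", "rhino3d.com", "onshape.com", "planner5d.com"})

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+(\S+)\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$")

# Constructed sample log: malicious entries follow the article's timeline, the last two are benign.
SAMPLE_LOG = """
2024-11-06 frecadsolutions.com A 185.11.61.243
2024-11-06 frecadsolutions.org A 185.11.61.243
2024-11-26 frecadsolutions.org A 185.11.61.243
2024-11-27 frecadsolutions.org A 185.147.124.110
2024-11-18 rhino3dsolutions.org A 185.11.61.243
2024-11-27 rhino3dsolutions.org A 185.147.124.110
2024-12-01 onshape3d.org A 185.147.124.110
2024-11-20 freecad.org A 203.0.113.10      # constructed benign: the real FreeCAD site
2024-11-20 example.com A 198.51.100.5      # constructed benign
"""


def parse_log(text):
    """Return (domain, ip, seen_date) tuples; comments and malformed lines are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = LINE_RE.match(line) if line else None
        if not m:
            continue
        records.append((m.group(2).lower().rstrip("."), m.group(3), date.fromisoformat(m.group(1))))
    return records


def find_ioc_hits(records):
    """Domains that resolved to either IOC IP, with the IOC IPs each one touched."""
    hits = defaultdict(set)
    for domain, ip, _ in records:
        if ip in IOC_IPS:
            hits[domain].add(ip)
    return {d: sorted(ips) for d, ips in hits.items()}


def find_migrations(records, from_ip=FIRST_IP, to_ip=SECOND_IP):
    """Domains first seen on from_ip and later (or the same day) on to_ip; value is the pivot date."""
    first_seen = defaultdict(dict)  # domain -> ip -> earliest date
    for domain, ip, seen in records:
        if ip in (from_ip, to_ip) and seen < first_seen[domain].get(ip, date.max):
            first_seen[domain][ip] = seen
    return {
        d: ips[to_ip]
        for d, ips in first_seen.items()
        if from_ip in ips and to_ip in ips and ips[from_ip] <= ips[to_ip]
    }


def find_lookalikes(domains):
    """Domains carrying a targeted product's name that are not the vendor's own domain."""
    out = []
    for domain in sorted(set(domains)):
        if domain in LEGIT_DOMAINS or domain.endswith(tuple("." + d for d in LEGIT_DOMAINS)):
            continue
        if any(p.search(domain) for p in BRAND_PATTERNS):
            out.append(domain)
    return out


def hunt(log_text):
    """Run all three checks over a log and return a report dict."""
    records = parse_log(log_text)
    return {
        "ioc_hits": find_ioc_hits(records),
        "migrations": find_migrations(records),
        "lookalikes": find_lookalikes(d for d, _, _ in records),
    }


if __name__ == "__main__":
    print(json.dumps(hunt(SAMPLE_LOG), indent=2, default=str))
```

The migration check is the part worth keeping once the two IOC IPs are burned: when the actor moves to fresh hosting, feeding the new pair into `find_migrations` catches domains that pivot along with it, and the lookalike check keeps working with no IOCs at all as long as the actor stays on the same product-name theme. Tune `LEGIT_DOMAINS` and `BRAND_PATTERNS` to the products your users actually install.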

Silent Push provides IOFA Feeds containing the malvertising domains and IPs to Enterprise subscribers. The feeds can be integrated into existing security stacks to improve detection, and used together with the Silent Push Console and Feed Analytics to investigate related infrastructure.

Kaaviya, Security Editor and reporter with Cyber Press (https://cyberpress.org/). She covers cyber security incidents happening in cyberspace.
