“Malvertising” is a popular way of attracting victims to malicious sites: an advertisement block is placed at the top of the search results, increasing the likelihood of users clicking the link. Sites at the top of search results also tend to be more trusted by users. A year ago, our experts discussed a malvertising campaign that spread the RedLine stealer via Google Ads. Using typosquatting and other techniques, the attackers tried to make their resources look as similar as possible to the official websites of popular programs.
This time, a similar threat has affected users of one of the most popular search engines in the Chinese internet. We’ve discovered two related cases where modified versions of popular text editors were distributed in this system: in the first case, the malicious resource appeared in the advertisement section; in the second case, at the top of the search results. We have not yet been able to establish all the details of the threat, so this material may be updated later.
Malicious sites in search results
The screenshots below show two searches which the search engine responds to with malicious links:
Malicious link in the advertisement section for the search notepad++ (left) and search results for vnote (right)
The malicious site found in the notepad++ search is distributed through an advertisement block. Opening it, an attentive user will immediately notice an amusing inconsistency: the website address contains the li ..
Support the originator by clicking the read the rest link below.
