Quick Takeaways
- Attackers are using fake "Claude" websites promoted through Google Ads to distribute malware tailored to the victim’s OS, primarily leading to ACR Stealer infections delivered via malicious ZIP archives and PowerShell scripts.
- The infection chain involves multiple downloads from compromised domains, including ZIP files and scripts, which contain malicious payloads designed to evade detection and facilitate post-infection command-and-control communication.
- Indicators include suspicious URLs (e.g., primemetricsa.com, fairpoint29.com) and files with specific SHA256 hashes, with the ZIP archives and scripts serving as primary vectors for payload delivery and malware deployment.
Threat Overview and Attack Techniques
Recent investigations have identified fake pages impersonating the legitimate service “Claude” to distribute malware. These pages reach users through malicious Google ads shown in search results. The sites are hosted on sites.google[.]com and display different instructions depending on the visitor’s operating system: a macOS visitor is shown steps that install macOS malware, while a Windows visitor is shown steps that install Windows malware.
The main malware involved appears to be ACR Stealer, a threat known for stealing sensitive information. The infection process begins when the user clicks a button labelled “Download for Windows.” Instead of the promised application, the click downloads malicious files: a ZIP archive, a PowerShell script, and further payloads. The infection chain ends with communication to a command-and-control (C2) server, which manages the malware after infection.
The attack techniques mainly involve social engineering, fake website impersonation, and malicious downloads. The attackers use URL obfuscation and misleading instructions to trick users into executing malware. Multiple malicious downloads happen from different URLs, and the suspect files have been identified with specific SHA256 hashes for detection.
The infection primarily targets Windows users who follow the fake download and installation instructions. The malware is designed to steal data via the ACR Stealer payload, which communicates with a C2 server after infection.
Impact, Security Implications, and Remediation Guidance
The impact of this threat involves data theft and the potential for further compromise of affected systems. ACR Stealer can extract sensitive information from infected computers and send it to remote malicious actors, which can lead to data breaches, unauthorized access, and privacy violations.
The security implications include the need for awareness of fake websites and cautious behavior online. Users should avoid clicking unknown download buttons, especially those linked from suspicious search results or ads. Organizations should monitor network traffic for connections to known malicious domains and hashes related to this threat.
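As an added example (not part of the original report), the following script shows one way to apply the monitoring advice above: it refangs the indicator domains named in this report and checks constructed proxy-log lines for hosts that equal, or are subdomains of, those domains, while rejecting lookalike hosts. The `host=` log layout is an assumption; adjust the regex to the format of your own proxy or DNS logs.

```python
import re
from typing import Iterable

# Domains named as indicators in the report, written defanged ("[.]") so the list
# can be copied around safely; refang() turns them back into matchable names.
REPORT_IOC_DOMAINS = ["primemetricsa[.]com", "fairpoint29[.]com"]

def refang(indicator: str) -> str:
    """Turn 'example[.]com' / 'hxxp://' style indicators into plain form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower().strip(".")

def domain_matches(host: str, ioc: str) -> bool:
    """True if host equals the IoC domain or is a subdomain of it (not a lookalike)."""
    host, ioc = host.lower().strip("."), ioc.lower().strip(".")
    return host == ioc or host.endswith("." + ioc)

# Assumption: log lines carry a 'host=<name>' field. Real proxy logs differ;
# change this pattern to match your own log format.
_HOST_RE = re.compile(r"\bhost=([A-Za-z0-9.\-]+)")

def find_ioc_hits(log_lines: Iterable[str], iocs=REPORT_IOC_DOMAINS):
    """Return (line_number, host, matched_ioc) for every line whose host hits an IoC."""
    plain = [refang(i) for i in iocs]
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = _HOST_RE.search(line)
        if not m:
            continue
        host = m.group(1)
        for ioc in plain:
            if domain_matches(host, ioc):
                hits.append((n, host, ioc))
                break
    return hits

# Constructed sample log lines (not from the report): one clean, two hits, one lookalike.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z src=10.0.0.5 host=www.example.org uri=/ status=200",
    "2024-01-01T10:00:07Z src=10.0.0.5 host=primemetricsa.com uri=/download status=200",
    "2024-01-01T10:00:09Z src=10.0.0.5 host=cdn.fairpoint29.com uri=/script status=200",
    "2024-01-01T10:00:12Z src=10.0.0.5 host=notfairpoint29.com uri=/ status=200",
]

if __name__ == "__main__":
    for n, host, ioc in find_ioc_hits(SAMPLE_LOG):
        print(f"line {n}: {host} matches IoC {ioc}")
```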
As for remediation, if infection occurs, it is critical to remove all malicious files, including the ZIP archive and PowerShell scripts. Affected users should also reset their passwords and monitor for unauthorized activity. Because the available information does not name specific cleanup tools, consult the relevant vendor or security authority for tailored guidance and to confirm that malware removal procedures have succeeded.
