Hammond’s surgical breakdown exposes how Google’s ad infrastructure has effectively become a premium delivery service for sophisticated malware. It is a sobering reminder that "sponsored" content is now a primary vector for high-level system compromise.
Google served me Malware
Yesterday, I received this email with the subject "malware distribution via Google Ads." It says, "Hey, John, you might want to check this out before it's gone. While searching for the Bing Webmasters login page..." They include this screenshot, and they indicate that they were searching in Google for Bing Webmaster Tools. And the second of the sponsored results looks like a regular search.bing.com result.
But when you look at the inspect element here, you might see something strange.
This data-pu HTML attribute is set to an https URL for bing.com, but then a comma and an https URL for marov-chains.com.
Now, I kind of need your help here, because for one thing I can't recreate that search result to get those same sponsored results. Google Ads are super duper dynamic and variable based off of, like, your region and everything else.
But if I were to try to have something that did have some actual sponsored results come back, like if I search for Huntress, here is one of the links that we could just inspect. Take a quick look at the inspector tools here.
That entry's data-pu does have the link to huntress.com. So the first wondering thought that I had was: was that comma, like, separating two different URLs, something unique or something interesting? But taking a look at another result here, let me go ahead and inspect. All of the other HTML attributes look just about the same as what we saw in the email screenshot. But here's another instance of the comma, and then another domain, ad.doubleclick.net.
And I would assume that's for actual Google Ads tracking. But the same thing happens with the data-w URL for google.com/ac.
And then a whole lot of this nonsense here. That's the actual href anchor. So, if I were to even go click this link, let me hop to the Network tab. And as I go here, you'll see at the very top, we never really went to ad.doubleclick.net.
We did go through googleadservices.com and the eventual hit of the google.com/aclk that we would expect for ads tracking.
So, I'm not super positive if that does actually drag you to the marov-chains.com page from this potential Google malvertising. If you happen to know what is actually going on, please do let me know in the comments. But continuing on in the email, they say clicking that link would maybe lead you to marov-chains.com/category/lectures.
If we were to go to that page, this is kind of weird. Um, it doesn't have anything really well displayed here.
Maybe a broken page with, like, a LaTeX page. You can see a WordPress favicon.
So maybe a WordPress site. But if we were to inspect this page, you'll see something odd. A handful of things that are related to the actual site itself, a little bit of WordPress breadcrumbs, but occasionally you'll see an inserted, seemingly, link to preload as a script some other domain, sgnahrefs.com/redandrandom.js JavaScript. It includes this here on lines 59 and 60. And it does the very same again on 73 and 74. And then even after a handful of links, it does it again on 142 and 143.

Now, taking a look at this JavaScript, uh, it's that. So, you know, JavaScript. I don't like dealing with JavaScript. I don't really want to. So, we're going to throw this into WebCrack and see if it can deobfuscate any of this nonsense. I don't think it'll do a super good job, but it'll give us something. You can see this barely cleaned it up, but there is still a giant blob of what looks like base64 data, and then some character codes that were at the top. But at the very bottom it kind of decorates all this and stages it and then ultimately calls some sort of function. So, let's just see if we can sort of kind of recreate it by letting this run in sort of our own console here, just the parts and pieces before calling up a function.
I pasted this all in, and now we'll be able to see what that last sort of variable is that they keep adding on to, this _b97.
And that is a whole lot more, uh, seemingly readable code. Let's try to actually display that out so that we can have all the new lines presented here.
Let's copy that and I'll throw it in a Sublime Text editor where we can set the syntax to JavaScript. And this starts to be kind of weird, honestly. We could just throw this right back into WebCrack, but you could start to see some sketchy stuff that it's presumably at least adding some detection for. Hey, super quick before we go any further, please let me take just a moment to tell you about the sponsor of today's video, Vanta. Risk and regulations really are ramping up, and customers expect proof of security in order to do business.
Vanta knows that's a must-have requirement. So, they synthesize compliance, risk, and customer trust all into one streamlined solution. They automate your compliance process with an AI-powered platform. So, whether you're prepping for SOC 2 or maintaining your GRC program, Vanta handles the hard work for you, so you can keep your business moving. Because even in the age of AI, security is still hard. It's harder than it's ever been before. And trust can make or break your business. You and your security team, alongside other security leaders, are juggling everything, protecting your entire organization, not to mention customer data. But while the industry is moving too fast, you still got to keep up.
Vanta helps streamline and safeguard your security program. Companies like Ramp and Writer spend 82% less time on audits with Vanta. They're trusted by tens of thousands of companies to unify risk, compliance, and trust. In fact, they're the number one rated GRC product on G2 reviews, a leader in the IDC MarketScape, and they've been recognized by Fast Company and Forbes for innovation. The Vanta Agentic Trust platform plugs into your existing infrastructure, so you have a continuous single source of truth. It flags the issues that actually need attention and automates everything else so you aren't bogged down. That's Vanta, a solution to enable your trusted security program.
Don't get stuck trying to prove it. Get out from under it and stay on top of it.
Vanta helps clear your path so you can grow confidently and stay ready for anything. You can get started with Vanta with my link below in the video description. jh.live/vanta.
Huge thanks to Vanta for sponsoring this video.
Let's throw this itself right back into WebCrack and then see if it can clean it up a little bit better. Okay, so a handful of potential icons or assets for random different things: WeChat, WhatsApp, Zoom, WordPress, Google. And then they put together this config for an API path that has SLGNR, or SLGNR refs.com. No, hrefs... that wasn't in the original page. Yeah, with a SLGN ahrefs.
Weird. I assumed "red" meant redirect, and then all these things that it's trying to detect and then have some cloaking, presumably. I'll turn word wrap on. I presume we're looking at, okay, kind of the beginning gate of a phishing kit, right? Detecting your navigator, checking if it's what it would expect. Yeah. Ooh, even trying to check if it has some, uh, VirtualBox or VMware artifacts that it could key off of to know whether or not you're real or not.
We could carve out that HTML, but I don't want to get too far trapped down this random rabbit hole of JavaScript that we just saw on that strange website. I think that API endpoint was what we were curious about. And okay, goodness, where is that in the config?
What would this give us? Back again inside of our own interactive console.
There we can see that gives us this URL.
And presumably this could determine where it would load from. So without falling off a cliff here, we can presume from this weird random JavaScript, right, that this endpoint is probably what's going to return some server-side controllable redirect location, because it does, like, make it look like we are going to redirect, at least with just some smell of the code. Not reading this all while it is still obfuscated a bit.
But that bundle of random JavaScript does make this Google Ads malvertising (malicious advertising) scenario a little bit more feasible, because it makes sense to me: if it is tracking, oh, you came from that URL, it then would inject enough of the JavaScript to actually point you towards and redirect to whatever the API returned at that time, which could very well have been login.tranaudioy.com.
If we were to hop over there, that is a Bing sign-in. Granted, it's a Microsoft page, but it's fake. This is, uh, our landing lure, right? This is where presumably they would want to go ahead and, uh, steal your credentials, maybe, or at least guide you through enough of the process that you're providing username and password. But this looks awful, right? What the heck? Let's just fill in nonsense here. a@a.com. Password is the letter A, of course. Ah, but a security module is required. And we need to install the Microsoft security module on this device. So, let's download that.
To complete the installation, you just have to run the installer you downloaded and then return to this screen. Oh, I like the trickery here. They don't let you click this button and they say if the installer didn't start, return to the previous step and try again. Yeah.
Okay. So, the file that that downloads is hilariously called Microsoft.bat.
And that .bat, bat is a bad extension, for, like, a batch script, or running a sequence of cmd.exe or Command Prompt commands. Some boilerplate here. You can see the @echo off to disable a lot of command output. setlocal enabledelayedexpansion to use exclamation points to indicate variables and have some extra perks when trying to call functions here. Set some variables for max retries, retry count, a label here to retry. So, it's probably going to loop, of course, trying over and over and over again, where it of course uses PowerShell, bypasses the execution policy, and runs a command. And it's neat they're using the carets to add new lines even within batch. But obviously, we end up reaching out to this IP address and grab some strange text file and then execute it with iex as code after, of course, we download it with irm. These are PowerShell aliases, right? irm for Invoke-RestMethod, to retrieve some information from a website, and then iex for Invoke-Expression. That's basically eval, to run more code while it's provided first as text or as a string. So whatever this website displays at this endpoint from that strange IP address will be executed on your computer. So let's try to go see what that is and what it would contain.
And presumably it will be more PowerShell code, right? Because PowerShell is the one doing Invoke-RestMethod, retrieving it and downloading it, and then iex, Invoke-Expression, to actually run it. Will this connect? Is it still online? Yep. Do it anyway. I know we got to be over HTTP. So that IP address is not responding right now, but thankfully I had gotten to this previously and I saved a lot of the payloads, and we could see what this stage two would have been.
Of course, more PowerShell. So let's set the syntax there. And this is doing some strange stuff, right? Hey, we're using Add-Type to be able to get some managed assembly, managed code, and we'll want to grab some Win32 API functions like ShowWindow and GetConsoleWindow. And that's kind of clever, because they end up using that, right? The namespace being the letter H, and the sort of module that they're calling this thing is W. So they could reference from that the ShowWindow function and then actually get the console, like the PowerShell window as it is open, and then hide it, like don't show the window, which is funny.

And then it goes ahead and stages this skull.ext F variable so that it could go grab it, determine if it exists or not. And if it doesn't, it will go ahead and create it, being the directory or the place for it. That D variable was of course the Split-Path. So it's creating the directory first. And then it will download this file, ah, from the same IP address, a script.php, and then execute that with the ampersand in PowerShell to denote we'll run it, and as a script block type all of the contents that were stored in that F variable where it was downloaded to.

So that is our stage three, if we want to call it that, with the site being down. Thankfully again, I do have this staged already. It defines a giant GS variable, which is a lot of base64 nonsense, a blob of some sort of data. But then a couple other variables like Q and N that look like they're going to be used for a smidge of crypto. You can see that those are decoded from base64. Then they grab an AES object, take out the key, the initialization vector, and the mode, and then they decrypt that. The final variable that they have here, HX, they once again use iex to invoke expression on. So that would, after it's decrypted, get us to stage four. And we could throw this into CyberChef if we really wanted to.
But ultimately, since this is just PowerShell code, we could grab everything before the iex so we don't detonate this or run the next stage ourselves. But then we could just let the code unravel itself. Just to be on the safe side here, I am going to work inside of a virtual machine. We'll open up PowerShell just so we could have the interpreter. And once that's staged, we'll go ahead and paste all of this in.
We should probably have done that as a script so we don't have to watch all that scroll, but anyway, it craps it out. Now we'll have this hex variable that we could go ahead and explore. And there's more code. So this is our stage four. Uh, PowerShell ErrorActionPreference set to Stop. So it will just bail out if anything were to go wrong.
We do have an installer URL to a hosting. ipusp.com, and I'm going to assume that's probably stage five or our final payload, right? But look at these comments. Um, a language that I don't speak, so I'm curious if you in the comments have any, uh, insights. But look: tracking a logged user, getting the explorer and uncovering the... oh, logged-in user via the explorer process. That's kind of neat. Uncovering it a bit more. But then they stage a public path for C:\Users\Public\svn. I feel like I need to run PowerShell code through Google Translate. I've never had this predicament before. Puts it in a random number, and then, uh, goes to probably... oh yep, stage a setup.exe based off some of the date values. Downloads that installer and then tries to run it, ooh, with Inno Setup and a couple of the arguments here to, uh, stage what it will do. Inno Setup is one of those well-known types of installers. It's pretty easy, but they end up then creating a scheduled task, and then once it is successfully installed, um, it cleans things up. Neat, though, that it has a flag file or something to kind of indicate the fact that, like, okay, this already ran now, from your AppData directory, local AppData, and then a machine counter. So then we could check as to whether or not it works. Okay. And it prepares some information to notify further C2 to indicate what hostname, what username, what country, and what time, uh, they infected that host. Okay.
Is this thing still up? This was the alleged C2 thing. But how about that installer? That's still up. That's still up. So to look a little bit further, now I am going to open up REMnux, the reverse engineering malware Linux distribution, and I downloaded the installer.exe. And that is, if we were to just simply take a look at the strings there, do we see any indicators of Inno... Inno Setup? Yeah. So you can use tools like innoextract and a whole lot of other things to be able to explore those, but that might not work the best on that version. So I am actually going to hop back to Windows and we can use the Inno Unpacker, and that's just a GUI application that tries to combine the, uh, innounp, uh, that has some versions up to 6.1, and I guess there was another Unicode version that's up to 6.72.
So we should be able to get this one, and at risk of, you know, downloading and installing random things, at least we're in a virtual machine. Let me run our Inno Unpacker that I have installed and set up. And I have opened the installer.
Puts in a default directory of local AppData, helper tools. And the general information is just that. The file listing gives us a lot of strange things: ConnectVPN.exe, a package MSI installer, SendRpt, and Tortoise stuff. TortoiseBlame, TortoiseMerge, TortoisePlink, TortoiseProc, Tortois dub, Tortois svnh, and a website URL, and then the, uh, Inno Setup install script. Default language is English. Verify... I think everything is fine. Yeah, okay, so we could just extract these now, couldn't we? Yeah, let's put them on our desktop in an extracted folder. Let's create that. Now it has extracted it and we have that directory here, so the install script is probably everything that we've at least already noted. I like that. Uninstallable? No.
Lowest privileges required. Wizard style. And then all the files that are included here. And then it does add into the registry. Oh, a Run key to run TortoiseSVN, but specifically TortoiseBlame.exe.
Um, okay.
What else is in the files here? autolist. I don't know what that is supposed to be. These look like regular expressions for files, but I don't know if that's for TortoiseSVN things. If this is a legitimate program, there's a package. There's all this stuff. Uh, let me run website. Okay. Yeah, TortoiseSVN. SVN, Subversion, was like clicking in my brain, but I didn't know, like, is this backdoored? Is this malicious?
Where is tortoise blame? Tortoise blame.
Who changed which line when and why? Is there a way to download this thing?
Because I want to, like, compare and contrast what is different between what this malicious track gave us versus what the actual software is. That's probably all in, I guess, the original package, right? Oh, what version do we have? I guess we can look at the DLL, right?
Would that show us a version that is signed? Details, 1.14.9 presumably? Uh, 1.14.9. Cool. We're probably 64-bit, because I see the other 32-bit things alluded to there. Let's download that. Oh, but that's an MSI, not the Inno package.
Is that the same as our original package? Cuz that's an MSI. Let me try to install the real TortoiseSVN and then we can, uh, look at what the malicious one would be doing in, like, a dynamic sandbox. How about that? Okie dokie. Would that have actually installed things into TortoiseSVN? Okay, that still includes autolist and ConnectVPN and the stuff that we thought we saw coming from. Okay, and package.
So, this is, like, literally a bundled-up but presumably backdoored rendition of genuine TortoiseSVN. But what are they hitting with Blame? Why does that happen? Why do they trigger that specifically? Let me try and put these side by side. We have malware on the left and we have, uh, legitimate software on the right. Ooh, this actually stands out like a sore thumb. Look at the timestamps on all of these. 2024, 2024, 2024, 2024, everything. But then this one, obviously, you could see it sort of offset: the package, and that is on 2025.
So it's got to do some, like, DLL sideloading likely, just with that, I think, maybe. I mean, obviously this is just speculation. We haven't tested or looked at any of that. But everything else is 2024 except for, aha, VC runtime. And that would totally be, uh, pulled into it just as well. But these are from real Microsoft. Like, those are all signed.
They don't look like they would be tampered with. Realistically, we should probably, like, run Procmon or some Sysinternals tools to be able to see what is it loading, and is it any different from what the malicious one would load.
But to speedrun for the sake of a YouTube video, let's just throw ahead and chuck this into a dynamic sandbox.
I'll put this in the desktop. We can crank it up to run for a long, long time and do it. But here we go. We see TortoiseBlame firing off already. So see why and how does this TortoiseBlame.exe trigger, but it's in AppData\Local, helper tools, as expected. I'm assuming this is going to be different than what the actual TortoiseSVN utility is. It's thinking it's finding Confuser, connecting to websockets. Oh, yeah.
Okay, that's strange. Probably not something that uh actual subversion software does, but it's making some connections right now, isn't it?
TortoiseBlame going to a random IP address, that domain main.webcratos.dns... ddns toguru.com. Is that normal? What did that return? That's HTTP. Okay, so it was a redirect, or trying to upgrade a websocket, and then it redirected. So it said go to that page, that... why? I would hope this is not what actual TortoiseBlame does. But that one's trying to reach out to that and actually start a websocket. Is that like using a websocket for command and control? Cuz that's kind of neat. Hey, sorry, John from the future here. Uh, I was editing this video and you might have seen the text overlay, because I felt bad. I didn't run this to ground and I missed what was the smoking gun that would lead to kind of the end and the final payload of this malware. We got to see it within ANY.RUN a little bit, but I missed it while we were going through this. It is this CRHNDL.dll.
Now, that is present in the actual application, but if we take a quick look at the properties of this one, you can see that that one is actually signed and that has the correct timestamp of, uh, November 2024, and that file size is, like, what, 201 kilobytes. Over here on the malware side, we take a quick look, because all the other things that we're looking at were, like, legitimately signed Microsoft DLLs for probably .NET stuff, but this CRHNDL in the malicious package is not signed and obviously that has a different timestamp. You can see the May 24th. So just as this campaign was probably kicking off, and a much larger file size. So there we go. We found it. That is the DLL sideloading, DLL hijacking, however you want to call it. One of these libraries in the files that the actual TortoiseSVN or TortoiseBlame, right, would end up loading is going to pull in this file. But now that this has been replaced inside of the malicious package, it loads their malware. Really funny. As you hover over it, it's pretty clear this is the web client DLL of Web Kratos. And that is, while we could look at it in Detect It Easy, PE Studio or whatever, I just like to use the file command. It is a .NET assembly. So we could just as easily open it in, like, dnSpy... dotPeek. And here it is in dotPeek.
And let me tell you, it's again pretty egregious. Web Kratos client library DLL build for native host integration. And if we go take a look at all of these parts and pieces here, the Web Kratos client, let me look at that bootstrap class here. You can see kind of outright that is that websocket command and control. But you'll notice all of these little functions, everything that it's trying to work with here, uh, dotPeek cannot decompile. Another interesting constant string here in case that's of any, uh, indicator of compromise for us. A lot of these other classes as we would start to explore them. Oh, and there was a heck of a lot more in client core.
Capture mode, clipboard helper, input simulator, keyboard hook, and screen capture. That was what anyone was tracking. Of course, the websocket connector. Here's the thing. I am not really all that well able to drill down into each of these. Even if we were to try and look at it in, like, ILSpy, I opened it up here just to see a lot of these others. If we were to expand them, you probably already caught it even just in the assembly definition. And you can see these, like, gross, super obfuscated, completely mangled and unreadable Unicode shenanigans. Look at this.
Confused by Confuser.Core. So it is using Confuser, ConfuserEx, to be able to totally obfuscate and mangle that binary.
Now, this is not a video in trying to reverse engineer and deobfuscate ConfuserEx, uh, because it's already long enough, but we found it. We tied it all together and now we've at least definitively... okay, tracked down. Yeah.
Okay, that's malware. If we weren't sure before, we're sure as heck sure now. Is that like using a websocket for command and control? Cuz that's kind of neat.
What is that page? So, going to the websocket client page. Obviously, it's going to whine, but, uh, um, is that a thing? Is this supposed to exist? I should have put two and two together to, uh, search for that, because it looks like Kratos, uh, no... before has some inside out about a phishing kit or a phishing-as-a-service kit, and that's sort of recent, right? February at least of 2026. Do we see anything that ties it to the same sort of thing that we have seen? Yep. Yep. Yep. Yep. Yep. Phishing, social engineering, phishing emails. Oh, the Kratos administrative interface.
This looks a lot like kind of what we landed on, didn't it? Doesn't it? Like, it's not identical, but it looks like it. Okay, I got to stop recording. This has been a long enough video, but thanks so much for watching. Hope you enjoyed.
Hope you learned some tricks along the way. Please do all those YouTube algorithm things. Like, comment, subscribe, and please do give some love to our sponsor. Huge thanks for all their support. There's a link below in the video description. See you in the next
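A defender-side check for the data-pu pattern the video walks through in its opening minutes: this is an added example written for this page, not code from the video, from Huntress or from Google. It parses sponsored-result markup, splits the comma-separated data-pu value, and flags any secondary host that is neither the displayed brand's domain nor one of the Google ad-tracking hosts the video itself names (ad.doubleclick.net, googleadservices.com, google.com). The sample markup, the KNOWN_AD_HOSTS allowlist and the base_domain heuristic are constructed assumptions, not something Google documents.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts the video identifies as ordinary Google Ads click-tracking infrastructure.
# Assumption-based allowlist: extend it for whatever your own captures show.
KNOWN_AD_HOSTS = {"ad.doubleclick.net", "googleadservices.com", "google.com"}

# Constructed sample markup, modelled on the two inspector views in the video
# (one suspicious sponsored result, one ordinary one). Not real Google output.
SAMPLE_HTML = """
<div class="ad">
  <a href="https://www.google.com/aclk?sa=L&amp;adurl=..." data-pu="https://bing.com,https://marov-chains.com">Bing Webmaster Tools - search.bing.com</a>
</div>
<div class="ad">
  <a href="https://www.google.com/aclk?sa=L&amp;adurl=..." data-pu="https://huntress.com,https://ad.doubleclick.net">Huntress</a>
</div>
"""


class SponsoredLinkParser(HTMLParser):
    """Collect every <a> element that carries a non-empty data-pu attribute."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attributes = dict(attrs)
        if attributes.get("data-pu"):
            self.links.append({"data_pu": attributes["data-pu"],
                               "href": attributes.get("href") or ""})


def base_domain(host):
    """Crude registrable-domain reduction (last two labels).

    Good enough for the .com hosts in this case; a public-suffix list is needed
    for ccSLDs such as co.uk.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_data_pu(value):
    """Return (displayed host, [secondary hosts that are neither the brand nor ad tracking])."""
    urls = [u.strip() for u in value.split(",") if u.strip()]
    if not urls:
        return "", []
    shown_host = urlsplit(urls[0]).hostname or ""
    suspicious = []
    for extra in urls[1:]:
        host = urlsplit(extra).hostname or ""
        if not host or base_domain(host) == base_domain(shown_host):
            continue  # same brand, nothing to flag
        if host in KNOWN_AD_HOSTS or base_domain(host) in KNOWN_AD_HOSTS:
            continue  # the ad-tracking case seen on the Huntress result
        suspicious.append(host)
    return shown_host, suspicious


def scan(html):
    """Parse a results page fragment and analyse every sponsored link found in it."""
    parser = SponsoredLinkParser()
    parser.feed(html)
    parser.close()
    results = []
    for link in parser.links:
        shown_host, suspicious = analyze_data_pu(link["data_pu"])
        results.append({"shown_host": shown_host, "suspicious_hosts": suspicious})
    return results


if __name__ == "__main__":
    for result in scan(SAMPLE_HTML):
        verdict = "REVIEW" if result["suspicious_hosts"] else "ok"
        print(f"{verdict:6} displayed={result['shown_host']} extra={result['suspicious_hosts']}")
```

The check deliberately stops at "this needs a human look": as the video notes, the actual click path goes through googleadservices.com and google.com/aclk, so the data-pu value is a hint about the advertiser's declared destination, not proof of where a click lands.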
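For the side-by-side comparison of the extracted Inno Setup package against a genuine TortoiseSVN install (the part where the unsigned, oversized, May-2025 CRHNDL.dll stands out), here is the kind of tree diff a practitioner would script rather than eyeball. This is an added example, not code from the video or from the TortoiseSVN project. It inventories two directories by SHA-256, size and modification date and reports files that were added, removed or swapped. The two sample trees are constructed in a temp directory and only stand in for the real packages; Authenticode signature checks are Windows-specific and are left out.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path


def file_record(path):
    """Hash, size and modification date for one file."""
    stat = path.stat()
    return {
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        "size": stat.st_size,
        "mtime": time.strftime("%Y-%m-%d", time.localtime(stat.st_mtime)),
    }


def inventory(root):
    """Map relative POSIX path -> record for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_record(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_trees(reference, suspect):
    """Report what the suspect tree adds, drops or modifies relative to a trusted reference install."""
    ref, sus = inventory(reference), inventory(suspect)
    report = {"modified": [], "added": [], "missing": []}
    for rel, rec in sus.items():
        if rel not in ref:
            report["added"].append(rel)
        elif rec["sha256"] != ref[rel]["sha256"]:
            # Same path, different bytes: the sideloading candidate. Size and
            # date are carried along because they are what stood out visually.
            report["modified"].append({
                "file": rel,
                "ref_size": ref[rel]["size"], "suspect_size": rec["size"],
                "ref_mtime": ref[rel]["mtime"], "suspect_mtime": rec["mtime"],
            })
    report["missing"] = [rel for rel in ref if rel not in sus]
    return report


def build_demo_trees():
    """Constructed sample: two tiny trees standing in for the extracted packages.

    The file names echo the video; the contents are placeholder bytes, not real
    TortoiseSVN binaries. The reference tree is dated November 2024 throughout,
    the suspect tree carries a swapped CRHNDL.dll and an extra package.msi
    dated May 2025, mirroring the timestamps observed in the video.
    """
    base = Path(tempfile.mkdtemp(prefix="sideload-demo-"))
    ref, sus = base / "legit", base / "suspect"
    for tree in (ref, sus):
        (tree / "bin").mkdir(parents=True)
    shared = {"bin/TortoiseBlame.exe": b"MZ constructed blame stub",
              "bin/TortoiseProc.exe": b"MZ constructed proc stub"}
    for rel, data in shared.items():
        for tree in (ref, sus):
            (tree / rel).write_bytes(data)
    (ref / "bin" / "CRHNDL.dll").write_bytes(b"MZ constructed original helper\n" * 8)
    (sus / "bin" / "CRHNDL.dll").write_bytes(b"MZ constructed swapped-in payload\n" * 64)
    (sus / "package.msi").write_bytes(b"constructed extra installer")
    older = time.mktime((2024, 11, 1, 12, 0, 0, 0, 0, -1))
    newer = time.mktime((2025, 5, 24, 12, 0, 0, 0, 0, -1))
    for tree in (ref, sus):
        for p in tree.rglob("*"):
            if p.is_file():
                swapped = tree is sus and p.name in ("CRHNDL.dll", "package.msi")
                stamp = newer if swapped else older
                os.utime(p, (stamp, stamp))
    return ref, sus


if __name__ == "__main__":
    legit_dir, suspect_dir = build_demo_trees()
    result = compare_trees(legit_dir, suspect_dir)
    for entry in result["modified"]:
        print(f"MODIFIED {entry['file']}: {entry['ref_size']}B/{entry['ref_mtime']} "
              f"-> {entry['suspect_size']}B/{entry['suspect_mtime']}")
    for rel in result["added"]:
        print(f"ADDED    {rel}")
    for rel in result["missing"]:
        print(f"MISSING  {rel}")
```

Against the real extraction directories, call compare_trees(legit_dir, suspect_dir); a modified entry whose bytes differ from a signed reference copy, and whose size and date both diverge, is exactly the library worth opening in a decompiler, while added files tell you what the package dropped beyond the genuine install.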