Since the start of 2023, there has been a surge in malware download incidents via Google Ads at several Japanese companies. The group behind these attacks is known as SteelClover; it has been active since at least 2019 and is primarily focused on stealing money.

SteelClover has been observed running multiple attack campaigns using malware such as Batloader, DEV-0569, and Water Minyades. Beyond information theft, these attacks have also been reported to lead to ransomware execution.

Security researchers categorize SteelClover's activity into five different campaigns; as of February 2023, BatApp and FakeGPG are the most recently observed ones. The group is highly active, with several spikes in activity reported in Japan, particularly since early January 2023.

SteelClover is an evolving threat, updating its attack methods on a daily basis. The attack flow also changes constantly; the most recent activity was observed in the FakeGPG campaign in early February 2023.

In this campaign, SteelClover uses Google Ads to lure victims. The ads appear at the top of the search results page when a user searches for certain keywords on Google. The group targets users searching for the names of well-known software, and the malicious ads redirect them to SteelClover's malicious file distribution site. Because these ads are often displayed above the legitimate sites, the chance of a user accidentally visiting them increases.

The malicious file distribution site is designed to look almost identical to the legitimate site, having been created by copying it. Once the user clicks the download button, they inadvertently download the malicious file.
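As an added illustration (not from the original report), one way a defender can surface the flow described above in web proxy logs is to correlate a Google ad-click referrer with a subsequent installer download from a site that is not a known vendor domain. The log lines, host names and the vendor allowlist below are all constructed for the example.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log (not from the page): "timestamp user referrer url".
SAMPLE_LOG = """\
2023-02-06T09:12:01Z alice https://www.google.com/aclk?sa=L&ai=abc https://gpg-dowload.example/download.html
2023-02-06T09:12:09Z alice https://gpg-dowload.example/download.html https://gpg-dowload.example/files/gpg-setup.msi
2023-02-06T09:15:44Z bob https://www.google.com/search?q=gpg https://www.legit-gpg.example/download.html
2023-02-06T09:16:02Z bob https://www.legit-gpg.example/download.html https://files.legit-gpg.example/gpg-setup.exe
2023-02-06T10:01:10Z carol https://www.googleadservices.com/pagead/aclk?x=1 https://www.legit-gpg.example/download.html
2023-02-06T10:01:30Z carol https://www.legit-gpg.example/download.html https://files.legit-gpg.example/gpg-setup.exe
"""

# Hypothetical allowlist of legitimate vendor domains (suffix match); real vendors also buy ads.
VENDOR_ALLOWLIST = ("legit-gpg.example",)
AD_CLICK_HOSTS = ("www.google.com", "www.googleadservices.com")
INSTALLER_EXT = (".exe", ".msi")
WINDOW = timedelta(minutes=10)  # how long after an ad click a download is correlated

def is_ad_click(referrer):
    p = urlparse(referrer)
    return p.hostname in AD_CLICK_HOSTS and "/aclk" in p.path

def is_allowlisted(host):
    return any(host == d or host.endswith("." + d) for d in VENDOR_ALLOWLIST)

def flag_ad_driven_downloads(log_text):
    """Return (user, url, landing_host) for installer downloads that followed an ad click to a non-allowlisted site."""
    landings = {}  # user -> (time, host reached directly from the ad click)
    hits = []
    for line in log_text.splitlines():
        ts, user, referrer, url = line.split()
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        host = urlparse(url).hostname or ""
        if is_ad_click(referrer):
            landings[user] = (t, host)  # remember where the ad sent this user
            continue
        if not url.lower().endswith(INSTALLER_EXT):
            continue
        landed = landings.get(user)
        if not landed or t - landed[0] > WINDOW:
            continue
        ref_host = urlparse(referrer).hostname or ""
        # Download served by, or linked from, the ad landing site that is not a known vendor.
        if landed[1] in (host, ref_host) and not is_allowlisted(landed[1]):
            hits.append((user, url, landed[1]))
    return hits
```

Only alice is flagged: bob arrived via organic search, and carol's ad click led to an allowlisted vendor site.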

SteelClover is a persistent and evolving threat that is actively targeting Japanese companies via Google Ads. It is crucial for individuals and organizations to be vigilant and take the necessary precautions to protect themselves from these attacks.