Google ads lead to fake software pages pushing IcedID (Bokbot)
By SANS Internet Storm Center
Archived: 2026-04-02 11:53:37 UTC
Introduction
Fake sites for popular software have occasionally been used by cyber criminal groups to push malware.  Campaigns pushing
IcedID malware (also known as Bokbot) also use this method as a distribution technique (we also commonly see IcedID sent
through email).
This week, a new round of reports appeared about Google Ads leading to a new sites pushing IcedID.
https://infosec.exchange/@bencrypted/109508166164779496
https://infosec.exchange/@th3_protoCOL/109513090531163473
Based on these reports, on Wednesday 2022-12-14, I fired up my lab environment and did a Google search for AnyDesk and
got a Google ad as my top result.  Although the Google ad showed a legitimate AnyDesk URL, it led to a fake site after I
clicked the ad.
Today's diary reviews my IcedID infection from this fake AnyDesk site.
Details
Shown above:  Search results when I did a quick Google search for AnyDesk.
Search Engine Optimization (SEO) is a technique that websites use to increase their visibility for search engines like
Google.  Cyber criminals occasionally use SEO to direct search traffic to malicious advertisement links.  These ads redirect
users to fake software sites based on specific search terms.  I've heard this technique referred to as "SEO poisoning."
The above image shows the top search results after I typed anydesk into Google search.  The top result is a Google ad for
AnyDesk, which shows a legitimate URL for the official AnyDesk site.
I clicked on the ad, and it generated the following Google Ad Services URL:
hxxps://www.googleadservices[.]com/pagead/aclk?
sa=L&ai=DChcSEwjh1bP_3_n7AhXbFdQBHdF9AqwYABAAGgJvYQ&ohost=www.google.com&cid=CAASJeRovgWCSOUdKVM_De2wE7MnzlxJn
Lks&sig=AOD64_3NZNQWkb8O_B18hKIs9Q3klfDfBw&q&adurl&ved=2ahUKEwjHl6v_3_n7AhVrkmoFHdIpAG4Q0Qx6BAgDEAE&nis=8
That generated the following URL:
hxxps://clickserve.dartsearch[.]net/link/click?&ds_dest_url=https://oferialerkal[.]online/81HqPxz2?
https://anydesk.com/en/features/unattended-access&id=4&gclid=EAIaIQobChMI4dWz_9_5-
wIV2xXUAR3RfQKsEAAYASAAEgLqA_D_BwE
This led to a URL from a malicious traffic distribution system (TDS) domain oferialerkal[.]online.  These malicious TDS
domains frequenty change multiple times each day.  The above URL generated HTTPS traffic to oferialerkal[.]online,
which then led to the following fake AnyDesk URL:
hxxps://wwwanydesk[.]top/en/downloads/windows
https://isc.sans.edu/diary/Google+ads+lead+to+fake+software+pages+pushing+IcedID+Bokbot/29344
Page 1 of 5

This is a fake AnyDesk page, with a button to download a malicious zip archive hosted on a Google Firebase Storage URL
at:
hxxps://firebasestorage.googleapis[.]com/v0/b/our-audio-370812.appspot.com/o/wnitFn4RCG%2FSetup_Win_14-12-
2022_18-36-29.zip?alt=media&token=3ef517f1-eb72-46bc-ac4b-3fb41f92d373
As I wrote this diary, the above URL still worked, and it delivered a the malicious zip archive.
Shown above:  Fake AnyDesk site delivering the malicious zip archive.
The zip archive contained a Microsoft Installer (.msi) file.  Double-clicking the .msi file on a vulnerable Windows host
caused it to drop and run a DLL to install IcedID on the victim's system.
Shown above:  Downloaded zip archive and extracted .msi file.
Shown above:  The installer DLL for IcedID.
Traffic from the infected Windows host
https://isc.sans.edu/diary/Google+ads+lead+to+fake+software+pages+pushing+IcedID+Bokbot/29344
Page 2 of 5

Shown above:  Traffic from the infection filtered in Wireshark, part 1.
Shown above:  Traffic from the infection filtered in Wireshark, part 2.
https://isc.sans.edu/diary/Google+ads+lead+to+fake+software+pages+pushing+IcedID+Bokbot/29344
Page 3 of 5

Shown above:  Traffic from the infection filtered in Wireshark, part 3.
Indicators of Compromise
Traffic generated by IcedID installer DLL for gzip binary:
143.198.92[.]88 port 80 - klepdrafooip[.]com - GET / HTTP/1.1
IcedID post-infection C2 traffic:
94.140.114[.]40 port 443 - primsenetwolk[.]com - HTTPS traffic
94.140.114[.]40 port 443 - onyxinnov[.]lol - HTTPS traffic
158.255.211[.]126 port 443 - trashast[.]wiki - HTTPS traffic
IcedID backchannel traffic with VNC:
51.195.169[.]87 port 8080
First Cobalt Strike:
176.105.202[.]212 port 80 - 176.105.202[.]212 - GET /adcs4
172.67.130[.]194 port 443 - kingoflake[.]com - HTTPS traffic
Second Cobalt Strike:
199.127.62[.]132 port 80 - 199.127.62[.]132 - GET /download/h.exe
108.177.235[.]187 port 443 - bukifide[.]com - HTTPS traffic
Sliver and/or DonutLoader:
190.61.121[.]35 port 443 - 190.61.121[.]35:443 - GET /static/ZillaSlab-Bold.subset.e96c15f68c68.woff/CEx6_0FDJn4RWxBZcsquwwUk57-
n7pCuR5k24zUnBepPlxY9gqn968ZXnXAtC2GwTONSpEx3Pnz_lvqz2c2E5B_7n2lMU3wZ7Yeqb9yK9OFsqEQnybJ3THr_uiJpi3X5yQI3puCye
MxD8EcfWPoPWF8lqYiHLRDP1rKGIpBbW
46.4.182[.]102 port 80 - post-infection TLSv1.3 HTTPS traffic
Associated malware:
Downloaded zip and extracted .msi file:
SHA256 hash: 19265aac471f7d72fcddb133e652e04c03a547727b6f98a80760dcbf43f95627
File size: 1,108,416 bytes
File name: Setup_Win_14-12-2022_18-36-29.zip
SHA256 hash: 63a7d98369925d6e98994cdb5937bd896506665be9f80dc55de7eb6df00f7607
File size: 1,966,080 bytes
File name: Setup_Win_14-12-2022_18-36-29.msi
IcedID files from an infected Windows host:
https://isc.sans.edu/diary/Google+ads+lead+to+fake+software+pages+pushing+IcedID+Bokbot/29344
Page 4 of 5

SHA256 hash: 7e5da5fcda0da494da85cdc76384b3b08f135f09f20e582e049486e8ae2f168e
File size: 1,503,408 bytes
File location: C:\Users\[username]\AppData\Local\MSI5da0ddad.mst
File description: 64-bit DLL to install IcedID dropped by above .msi file
Run method: rundll32.exe [filename],init
SHA256 hash: 53639070024366d23c3de5ba1d074cbd1d8b9e78d46f75c32ef02fc20c279fc3
File size: 1,503,408 bytes
File location: hxxp://klepdrafooip[.]com/
File description: gzip binary from klepdrafooip[.]com retrieved by IcedID installer DLL
SHA256 hash: 205fbc52fafd456388d3ef80ff00498c90295791a91811725fea94052dc4fe7a
File size: 364,202 bytes
File location: C:\Users\[username]\AppData\Roaming\GenreAttract\license.dat
File description: Data binary used to run persistent IcedID DLL
Note: First submitted to VirusTotal on 2022-11-08.
SHA256 hash: bfa3eb36beeaa65334abe81cdd870e66b37da3e478d1615697160244fd087b48
File size: 1,499,312 bytes
File location: C:\Users\[username]\AppData\Roaming\{12A3307B-B372-BBC6-7E4B-4992C7C7842B}\{6127EF7F-696C-8BDF-5350-88ECC5774CA5}\uwurtb4.dll
File description: persistent IcedID DLL
Run method: rundll32.exe [filename],init --tu="[path to license.dat]"
Cobalt Strike files:
SHA256 hash: 7486c3585d6aa7c2febd8b4f049a86c72772fda6bd1dc9756e2fb8c5da67bafa
File size: 1,894,758 bytes
File location: htxxp://176.105.202[.]212/adcs4
File description: PowerShell script for first instance of Cobalt Strike activity
SHA256 hash: e8f2c929e1b84a389fede03bff9a4ee951cf563a64809b06f2f76201536fddf7
File size: 1,001,472 bytes
File location: hxxp://199.127.62[.]132/download/h.exe
File location: C:\Users\[username]\AppData\Local\Temp\Dimuak.exe
File description: 64-bit EXE for second instance of Cobalt Strike activity
Sliver and/or DonutLoader:
SHA256 hash: 40194a07a5afa1ef8e0ea4125a62d4ff5b70a14849b154a4694cfd08e40eb22b
File size: 17,085,660 bytes
File location: hxxp://190.61.121[.]35:443/static/ZillaSlab-Bold.subset.e96c15f68c68.woff/CEx6_0FDJn4RWxBZcsquwwUk57-
n7pCuR5k24zUnBepPlxY9gqn968ZXnXAtC2GwTONSpEx3Pnz_lvqz2c2E5B_7n2lMU3wZ7Yeqb9yK9OFsqEQnybJ3THr_uiJpi3X5yQI3puCyecatd8A
MxD8EcfWPoPWF8lqYiHLRDP1rKGIpBbW
File description: binary with shellcode and 64-bit EXE, for Sliver-based and/or DounutLoader malware
SHA256 hash: 08dd1a4861f4d2b795efb71847386bd141caa0a7ce141798e251db8acd63d3a9
File size: 17,081,991 bytes
File description: above binary with shellcode removed
File type: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Final words
We'll likely continue to see criminal groups abusing Google ads through SEO poisoning and using fake websites to
impersonate popular software.  This is an effective way for criminals to distribute their malware.
Traffic and malware samples from today's infection are available here.
Brad Duncan
brad [at] malware-traffic-analysis.net
Source: https://isc.sans.edu/diary/Google+ads+lead+to+fake+software+pages+pushing+IcedID+Bokbot/29344
https://isc.sans.edu/diary/Google+ads+lead+to+fake+software+pages+pushing+IcedID+Bokbot/29344
Page 5 of 5

https://isc.sans.edu/diary/Google+ads+lead+to+fake+software+pages+pushing+IcedID+Bokbot/29344   
Shown above: Traffic from the infection filtered in Wireshark, part 1.
Shown above: Traffic from the infection filtered in Wireshark, part 2.
   Page 3 of 5