Distributors of the IcedID malware have been abusing Google pay-per-click (PPC) ads to distribute modified DLL files that act as an IcedID loader.
When a victim searches for a popular keyword, the hijacked ads display fake installers and lead the victim to downloads whose names mimic the intended search term.
Upon download and execution, the modified DLL invokes the “init” export function to spawn the loader routine.
Using legitimate DLLs and modifying their functions to carry out the malicious task helps the loader evade detection by machine-learning and whitelisting technologies, and demonstrates the threat actor’s ability to adapt to security detection strategies.