
Microsoft Warns of Hackers Using Google Ads to Distribute Royal Ransomware to Users.

by Sriram Parisa

An ongoing threat activity group was found using Google Ads in one of its campaigns to distribute various post-compromise payloads, including the recently discovered Royal ransomware.

Microsoft, which detected the updated malware delivery method in late October 2022, is tracking the group under the name DEV-0569.

“The observed DEV-0569 attacks show a pattern of continued innovation, with new discovery techniques, defense evasion, and various post-compromise payloads being periodically improved, along with increased ransomware facilitation,” the Microsoft Security Threat Intelligence team said in an analysis.

The threat actor is known to rely on malvertising to direct unsuspecting victims to malware download links posing as software installers for legitimate applications such as Adobe Flash Player, AnyDesk, LogMeIn, Microsoft Teams, and Zoom.

The malware downloader, a strain known as BATLOADER, is a dropper that works as a conduit to deliver next-stage payloads. It has been observed to share overlaps with another malware family called ZLoader.


A recent analysis of BATLOADER by eSentire and VMware highlighted the malware’s stealth and persistence, as well as its use of search engine optimization (SEO) poisoning to lure users into downloading the malware from compromised websites or attacker-created domains.

Alternatively, phishing links are shared via spam emails, fake forum pages, blog comments, and even contact forms present on the websites of the targeted organizations.

“DEV-0569 has used several infection chains using PowerShell and batch scripts that ultimately led to the download of malware payloads such as information stealers or a legitimate remote administration tool used for network persistence,” the tech giant said.

“The administration tool can also be an access point for the staging and spread of ransomware.”

A tool known as NSudo is also used to launch programs with elevated privileges and to weaken defenses by adding registry values designed to disable antivirus solutions.
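The registry-tampering step described above is the kind of change a defender can audit for. The following is an added example, not code from the article or from Microsoft’s report: it parses a small constructed .reg-style export and flags Windows Defender policy values that, when set to 1, switch off a protection component. The key paths and value names are documented Defender policy settings (an assumption of this example, not named in the article), and the export text is constructed sample data.

```python
"""Flag registry values commonly used to weaken Windows Defender.

Added example (not from the article): parse a .reg-style export and
report Defender policy values that, when set to 1, disable a protection
component. Key and value names are documented Defender policy settings;
the sample export below is constructed data.
"""
import re

# Policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender whose
# DWORD value 1 turns a Defender component off (assumption: documented names,
# not taken from the article).
TAMPER_VALUES = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender": {
        "DisableAntiSpyware",
        "DisableAntiVirus",
    },
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection": {
        "DisableRealtimeMonitoring",
        "DisableBehaviorMonitoring",
        "DisableOnAccessProtection",
        "DisableIOAVProtection",
    },
}

# Constructed sample export: one tampered value per Defender key, one benign
# value set to 0, and one unrelated key that must not be reported.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableRealtimeMonitoring"=dword:00000001
"DisableBehaviorMonitoring"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Unrelated]
"SomeSetting"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Return {key_path: {value_name: int}} for the DWORD values in a .reg export."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            entries.setdefault(current, {})
            continue
        value_match = DWORD_RE.match(line)
        if value_match and current is not None:
            entries[current][value_match.group(1)] = int(value_match.group(2), 16)
    return entries


def find_defender_tampering(entries):
    """Return sorted (key_path, value_name) pairs where a watched value is set to 1.

    Registry key and value names are case-insensitive, so comparison is done
    on lower-cased names while the canonical spelling is reported.
    """
    watch = {
        key.lower(): {name.lower(): name for name in names}
        for key, names in TAMPER_VALUES.items()
    }
    hits = []
    for key, values in entries.items():
        names = watch.get(key.lower())
        if not names:
            continue
        for name, data in values.items():
            canonical = names.get(name.lower())
            if canonical is not None and data == 1:
                hits.append((key, canonical))
    return sorted(hits)


if __name__ == "__main__":
    for key, name in find_defender_tampering(parse_reg_export(SAMPLE_EXPORT)):
        print(f"Defender protection disabled via registry: {key} -> {name}")
```

In practice the export would come from `reg export` on the host or from an EDR registry snapshot; the same check can be run across a fleet to spot hosts where Defender policy values changed outside of change control.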

Using Google Ads to selectively deliver BATLOADER marks a diversification of DEV-0569’s distribution vectors, allowing it to reach more targets and deliver malware payloads, the company noted.

It further positions the group to serve as an initial access broker for other ransomware operations, alongside malware families such as Emotet, IcedID, and Qakbot.

“Since the DEV-0569 phishing scheme abuses legitimate services, organizations can also take advantage of mail flow rules to capture suspicious keywords or review broad exceptions, such as those related to IP ranges and domain-level allow lists,” Microsoft said.
