Microsoft warns hackers are using Google Ads to spread Royal ransomware

Posted by Insightz Technology, 05-03-2023

An evolving threat activity cluster has been observed using Google Ads in one of its campaigns to distribute various post-compromise payloads, including the recently discovered Royal ransomware.

Microsoft tracks the group under the name DEV-0569 and says it discovered the updated malware delivery method in late October 2022.

"Observed DEV-0569 attacks show a pattern of continuous innovation, with regular incorporation of new discovery techniques, defense evasion, and various post-compromise payloads, alongside increasing ransomware facilitation," the Microsoft Security Threat Intelligence team said in its analysis.

The attackers have been known to use malvertising to lure unsuspecting victims to malware downloader links disguised as software installers for legitimate apps such as Adobe Flash Player, AnyDesk, LogMeIn, Microsoft Teams, and Zoom.

The downloader, called BATLOADER, is a dropper that acts as a conduit for delivering the next-stage payload. Overlaps with another malware family, ZLoader, have been observed.

Recent analyses of BATLOADER by eSentire and VMware found that the malware relies on stealth and persistence techniques, as well as search engine optimization (SEO) poisoning, to trick users into downloading it from compromised websites or attacker-created domains.

"DEV-0569 has used varied infection chains using PowerShell and batch scripts that ultimately led to the download of malware payloads like information stealers or a legitimate remote management tool used for persistence on the network," the tech giant noted.

"The management tool can also be an access point for the staging and spread of ransomware."

The group also uses a tool called NSudo to launch programs with elevated privileges and to impair defenses by adding registry values designed to disable antivirus solutions.
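As an added example (not code from Microsoft's report), the following PowerShell audit checks a host for the Windows Defender policy registry values that tampering tools commonly set, then cross-checks the engine's live state. The article does not say which specific values DEV-0569 writes, so the list of keys below is an assumption based on Defender's documented policy settings rather than on this campaign's indicators. Run it in an elevated session.

```powershell
# Added example, not part of the original article or Microsoft's report.
# The registry locations are Defender's documented policy keys; the exact values
# DEV-0569 sets are not stated in the article, so this list is an assumption.

$checks = @(
    @{ Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
       Names = 'DisableAntiSpyware', 'DisableAntiVirus' },
    @{ Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
       Names = 'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring',
               'DisableOnAccessProtection', 'DisableIOAVProtection' }
)

$findings = foreach ($check in $checks) {
    # Absence of the key is the normal state on an unmanaged host.
    if (-not (Test-Path $check.Path)) { continue }
    $item = Get-ItemProperty -Path $check.Path
    foreach ($name in $check.Names) {
        $prop = $item.PSObject.Properties[$name]
        # A DWORD of 1 under these policy keys switches the protection off.
        if ($null -ne $prop -and $prop.Value -eq 1) {
            [pscustomobject]@{ Key = $check.Path; Value = $name; Data = $prop.Value }
        }
    }
}

if ($findings) {
    Write-Warning 'Defender-disabling policy values are present:'
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No Defender-disabling policy values found.'
}

# The registry is only the attacker's lever; confirm what the engine itself reports.
# IsTamperProtected is the setting that blocks exactly this kind of registry edit.
Get-MpComputerStatus |
    Select-Object AntivirusEnabled, RealTimeProtectionEnabled,
                  BehaviorMonitorEnabled, IsTamperProtected
```

If the policy keys are clean but `Get-MpComputerStatus` reports protection off, or `IsTamperProtected` is false on a host where it should be on, treat the machine as suspect and pull its process-creation and registry event logs for the period in question.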

Using Google Ads to selectively deliver BATLOADER shows the diversification of DEV-0569's propagation vectors, allowing the group to reach more targets and deliver its malware payloads, the company points out.

The group also acts as an initial access broker for other ransomware operations, joining the ranks of malware families such as Emotet, IcedID, and Qakbot.

"Since DEV-0569's phishing scheme abuses legitimate services, organizations can also leverage mail flow rules to capture suspicious keywords or review broad exceptions, such as those related to IP ranges and domain-level allow lists," Microsoft said.
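As an added example (not Microsoft's own guidance or tooling), this is one way to act on that advice with Exchange Online PowerShell: create a mail flow rule that raises the spam confidence level of messages carrying lure keywords, and list the existing rules whose conditions are IP ranges or sender domains so that any broad allow-listing exceptions can be reviewed. The keyword list and rule name are placeholders chosen to match the fake-installer lures described above; the article names no keywords, so tune them to what your tenant actually receives. It assumes the ExchangeOnlineManagement module is installed and the account has Exchange administrator rights.

```powershell
# Added example, not from the original article or Microsoft's report.
# Requires the ExchangeOnlineManagement module and an Exchange admin account.
Connect-ExchangeOnline

# Assumed lure keywords; the article lists the impersonated products but no keywords.
$lureWords = 'AnyDesk', 'LogMeIn', 'Flash Player', 'Teams installer', 'Zoom installer'

# Flag rather than block: a high SCL routes the message to junk/quarantine per the
# tenant's spam policy, and High audit severity makes it easy to find in reports.
New-TransportRule -Name 'Flag suspected software-installer lure keywords' `
    -SubjectOrBodyContainsWords $lureWords `
    -SetSCL 7 `
    -SetAuditSeverity High `
    -Comments 'Raises spam confidence on mail carrying keywords used in fake-installer lures.'

# Review broad exceptions: rules keyed on whole IP ranges or sender domains.
# A SetSCL of -1 on such a rule bypasses spam filtering for everything it matches,
# which is the kind of exception the advice above warns about.
Get-TransportRule |
    Where-Object { $_.SenderIpRanges -or $_.SenderDomainIs } |
    Select-Object Name, State, SenderIpRanges, SenderDomainIs, SetSCL |
    Format-Table -AutoSize
```

Run the review query first and record its output; an allow-list rule that bypasses filtering for an entire domain or IP range will silently undo the keyword rule for any message it matches.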
