Wednesday, November 30, 2022
HomeMicrosoftRoyal ransomware is spread via Google Ads campaigns

Royal ransomware is spread via Google Ads campaigns

A report from Microsoft’s Security Threat Intelligence team indicates that groups of attackers are exploiting Google Ads campaigns to spread a malware distributor. Google was warned in the crowd.

Last week, Microsoft’s Security Threat Intelligence team revealed that Royal ransomware used Google Ads in one of their attack campaigns. This ransomware, which first appeared in September 2022 and does a lot of damage, is distributed by several affiliates. Microsoft security experts have tracked the activities of cybercriminals operating under the name DEV-0569 (the publisher uses the designations DEV-#### as a temporary name given to a cluster of unknown, new or evolving threat activity). The latter especially rely on malvertising, phishing links pointing to a malware distributor pretending to be software installers or updates embedded in spam emails, fake forum pages and blog comments.

Over the past few months, several changes have been noted in the group’s distribution methods. Examples include using contact forms to spread phishing links, hosting fake installation files, and using Google Ads in one of their campaigns. Armed with these techniques, cybercriminals hope to blend in with normal advertising traffic. “These methods allow the group to potentially access a greater number of targets and ultimately achieve their goal of deploying various post-compromise payloads,” the Microsoft research team said.

Malicious advertising and phishing on the front lines

DEV-0569 activity uses signed binaries and delivers encrypted malware payloads. The group, which is also known to rely heavily on defense evasion techniques, has continued to use the open source tool Nsudo to try to disable antivirus solutions in recent campaigns. Observations also point to persistence by DEV-0569 regarding the use of malvertising and phishing for initial access. Thus, it can direct unsuspecting victims to malware download links that pose as software installers for official applications, such as Adobe Flash Player, AnyDesk, LogMeIn, Microsoft Teams, and Zoom.

The downloader, known as BATLOADER, therefore disguises itself as an installer or updater for official applications such as Microsoft Teams or Zoom. Once launched, it uses custom MSI actions to launch malicious PowerShell activity or run batch scripts to disable security solutions and deliver various encrypted payloads that are decrypted and launched with PowerShell commands. It appears that BATLOADER was hosted on domains created by the attackers and pretended to be official software download sites (anydeskos[.]com, for example) and on official repositories like GitHub and OneDrive. Microsoft says it removes verified malicious content from these repositories as it is discovered or reported.

This diagram illustrates a typical DEV-0569 infection chain. It illustrates some of the changes seen in recent campaigns between August and October 2022. (Credit: Microsoft)

The use of contact forms, a payment technique

Alternatively, phishing links are shared via spam emails, fake forum pages, blog comments, and even contact forms found on targeted organizations’ websites. In September 2022, Microsoft observed a campaign that used contact forms to deliver the DEV-0569 payload. A technique observed in other campaigns, notably the IcedID malware. In this campaign, DEV-0569 sent a message to targets using the contact form on those targets’ websites, posing as a national financial authority. When a contacted target responds via email, DEV-0569 responds with a message containing a link to BATLOADER. Microsoft Defender for Office 365 detects spoofing behavior as well as malicious links in these emails.

Malicious links in contact forms led to BATLOADER being hosted on abused web services such as GitHub and OneDrive. The installers launched a PowerShell script that issued several commands, including downloading a NirCmd command-line tool provided by freeware developer NirSoft: nircmd elevatecmd exec hide “requestadmin.bat”. If successful, the command allows the attacker to switch from local to SYSTEM administrator privileges as if running a scheduled task as SYSTEM.

Leveraging Google Ads to selectively deliver BATLOADER

It was in late October 2022 that Microsoft researchers identified a DEV-0569 malicious advertising campaign that exploited Google ads pointing to the Keitaro Traffic Distribution System (TDS). The latter offers options for customizing advertising campaigns through tracking ad traffic and filtering by user or device. Microsoft has observed that TDS redirects the user to an official download site or, under certain conditions, to the BATLOADER site. Microsoft has reported this abuse to Google, so they are aware of it and are considering taking action.

The firm says DEV-0569 will likely continue to rely on advertising and phishing to deliver payloads. Solutions such as network protection and Microsoft Defender SmartScreen can help prevent access to malware. Defender for Office 365 helps protect against phishing by inspecting the email body and URL for known patterns. Because the DEV-0569 phishing scheme abuses official services, businesses can also exploit mail flow rules to catch suspicious keywords or review general exceptions, such as those related to IP ranges and domain-level whitelists. Finally, enabling secure links to email, Teams, and Office apps can also help combat this threat.



Please enter your comment!
Please enter your name here

Most Popular

Recent Comments