New Royal ransomware uses Google ads for malvertising

Share post:

Microsoft Security Threat Intelligence has identified a developing threat activity cluster by DEV-0569 that distributes various payloads, including the recently discovered Royal ransomware, via Google Ads.

DEV-0569 conducts malvertising campaigns to disseminate links to a signed malware downloader disguised as software installers or fake updates embedded in spam messages, fake forum pages, and blog comments.

Malvertising, phishing link vectors, fake forum pages, and blog comments are also used by DEV-0569. It directs users to the BATLOADER malware downloader (a dropper that acts as a conduit to distribute next-stage payloads which shares similarities with another malware known as ZLoader), masquerading as legitimate software installers such as TeamViewer, Adobe Flash Player, AnyDesk, LogMeIn, Microsoft Teams, and Zoom, or updates embedded in spam emails.

BATLOADER uses MSI Custom Actions to launch malicious PowerShell activity or run batch scripts to aid in the disabling of security solutions and lead to the delivery of various encrypted malware payloads that are decrypted and launched with PowerShell commands when it is launched.

The BATLOADER is hosted on domains created by the group to appear as legitimate software download sites (for example, anydeskos[.]com), as well as legitimate repositories such as GitHub and OneDrive.

In addition, the attackers impersonated legitimate software by using file formats such as Virtual Hard Disk (VHD). The VHDs also contain malicious scripts that are used to download the payloads of DEV-0569.

The DEV-0569 team used Keitaro to deliver payloads to specific IP ranges and targets while avoiding IP ranges associated with sandboxing solutions.

The sources for this piece include an article in TheHackerNews.

Featured Tech Jobs



Related articles

Kaspersky uncovers malware targeting iPhones running iOS 15.7 and below

Kaspersky has uncovered a sophisticated malware campaign specifically designed to infect iPhones running up to iOS 15.7 through...

WordPress fixes critical Jetpack plugin vulnerability

WordPress has addressed a critical flaw discovered in the Jetpack plugin, which had the potential to enable authors...

Akamai discovers Dark Frost botnet exploiting gaming platforms

Akamai's security intelligence response team recently has alerted the general public of Dark Frost, a botnet that has...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways