New Royal ransomware uses Google ads for malvertising

Share post:

Microsoft Security Threat Intelligence has identified a developing threat activity cluster by DEV-0569 that distributes various payloads, including the recently discovered Royal ransomware, via Google Ads.

DEV-0569 conducts malvertising campaigns to disseminate links to a signed malware downloader disguised as software installers or fake updates embedded in spam messages, fake forum pages, and blog comments.

Malvertising, phishing link vectors, fake forum pages, and blog comments are also used by DEV-0569. It directs users to the BATLOADER malware downloader (a dropper that acts as a conduit to distribute next-stage payloads which shares similarities with another malware known as ZLoader), masquerading as legitimate software installers such as TeamViewer, Adobe Flash Player, AnyDesk, LogMeIn, Microsoft Teams, and Zoom, or updates embedded in spam emails.

BATLOADER uses MSI Custom Actions to launch malicious PowerShell activity or run batch scripts to aid in the disabling of security solutions and lead to the delivery of various encrypted malware payloads that are decrypted and launched with PowerShell commands when it is launched.

The BATLOADER is hosted on domains created by the group to appear as legitimate software download sites (for example, anydeskos[.]com), as well as legitimate repositories such as GitHub and OneDrive.

In addition, the attackers impersonated legitimate software by using file formats such as Virtual Hard Disk (VHD). The VHDs also contain malicious scripts that are used to download the payloads of DEV-0569.

The DEV-0569 team used Keitaro to deliver payloads to specific IP ranges and targets while avoiding IP ranges associated with sandboxing solutions.

The sources for this piece include an article in TheHackerNews.

SUBSCRIBE NOW

Related articles

Hamilton Estimates $52 Million to Rebuild IT Systems After Ransomware Attack

The city of Hamilton plans to spend $52 million over the next three years to rebuild and secure...

Avery Data Breach: Credit Card Skimmer Affects Over 61,000 Customers

Label maker Avery has disclosed a data breach affecting 61,193 customers, caused by a credit card skimmer that...

Scammed Company Ordered to Pay $190k for Fraudulent Invoice Payment

A hacker gained access to Mobius Group’s email system and sent instructions from a legitimate email address, directing...

Sneaky 2FA: A Sophisticated Attack Defeats Both 2FA and Phishing Protections

A new phishing kit, ominously named "Sneaky 2FA," has emerged, targeting Microsoft 365 users by bypassing two-factor authentication...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways