Microsoft Finds Threat Actor Deploying Ransomware via Fake Software Download Websites and Google Ads
A threat group identified, for now, as DEV-0569 is behind a new wave of Royal ransomware and other malware deployed through phishing links, legitimate-looking repositories and even Google Ads, Microsoft has revealed.
One of the challenges threat actors face is bypassing security solutions. One way they do that is by tricking users into opening the door for them by clicking on malicious links or downloading software they shouldn't.
DEV-0569 uses all of these techniques to target users. They create phishing websites, use contact forms on targeted organizations, host installers on download sites that look like the real deal, and even serve Google Ads.
"DEV-0569 activity uses signed binaries and delivers encrypted malware payloads," explained Microsoft. The group, also known to rely heavily on defense evasion techniques, has continued to use the open-source tool Nsudo to attempt to disable antivirus solutions in recent campaigns.
"DEV-0569 notably relies on malvertising, phishing links that point to a malware downloader posing as software installers or updates embedded in spam emails, fake forum pages, and blog comments," the company added.
One of the hackers’ goals is to gain access to devices inside secure networks, which allows them to deploy Royal ransomware. The group could become an access broker for other ransomware operators, basically selling the access they already have to other criminals.
The group is also expanding its reach by using Google Ads, which lets its traffic blend in with legitimate ad clicks.
"Microsoft researchers identified a DEV-0569 malvertising campaign leveraging Google Ads that point to the legitimate traffic distribution system (TDS) Keitaro, which provides capabilities to customize advertising campaigns via tracking ad traffic and user- or device-based filtering," the company said. "Microsoft observed that the TDS redirects the user to a legitimate download site, or under certain conditions, to the malicious BATLOADER download site."
Because the TDS decides where to send each visitor, the group can deliver payloads only to specific targets and IP addresses while steering visitors from the IP ranges of known security sandboxing solutions to the legitimate site, so a sandbox detonation of the same ad link comes back clean.
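The IP-conditional redirect described above leaves a visible trace for defenders: the same ad-click URL resolves to different final destinations depending on who visits it. The following script is an added example, not code from Microsoft or Bitdefender. It rebuilds redirect chains from a simplified, constructed proxy log format (timestamp, source IP, method, URL, status, Location header or `-`) and flags entry URLs where visitors from the organisation's own sandbox egress range land on one host while workstations land on an installer download from a different host. The log lines, the `SANDBOX_RANGES` allowlist and every hostname and address in it are constructed assumptions.

```python
"""Hunt for conditional (IP-dependent) redirect chains in web proxy logs.

Added example, not from the Microsoft or Bitdefender write-up. It assumes a
simplified proxy log format (constructed here):
    <ts> <src_ip> <method> <url> <status> <location-header-or-'-'>
A TDS that filters on the visitor's IP sends some visitors to the legitimate
installer and others to a different host; the two outcomes for one entry URL
are what this script surfaces.
"""
import ipaddress
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: two visitors click the same ad. 203.0.113.10 (a sandbox
# egress address, per the constructed allowlist below) is sent to the real
# vendor site; 198.51.100.7 (a workstation) ends up fetching an installer from
# an unrelated host. All hosts and addresses are documentation/example values.
SAMPLE_LOG = """\
2022-11-18T09:01:02Z 203.0.113.10 GET http://ads.example/click?id=77 302 http://tds.example/go?c=77
2022-11-18T09:01:02Z 203.0.113.10 GET http://tds.example/go?c=77 302 https://vendor.example/download
2022-11-18T09:01:03Z 203.0.113.10 GET https://vendor.example/download 200 -
2022-11-18T09:04:10Z 198.51.100.7 GET http://ads.example/click?id=77 302 http://tds.example/go?c=77
2022-11-18T09:04:10Z 198.51.100.7 GET http://tds.example/go?c=77 302 https://cdn-updates.example/setup.exe
2022-11-18T09:04:11Z 198.51.100.7 GET https://cdn-updates.example/setup.exe 200 -
"""

# Constructed: egress ranges of the organisation's own sandbox/detonation hosts.
SANDBOX_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".msix", ".zip", ".iso")


def parse_log(text):
    """Yield (src_ip, url, status, location) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, _method, url, status, location = line.split()
        yield src, url, int(status), None if location == "-" else location


def build_chains(records):
    """Follow Location headers per source IP to rebuild each redirect chain.

    Returns {(src_ip, entry_url): [url, ...]} ending at the final non-redirect
    URL. A URL that is itself the Location of an earlier request is not an entry.
    """
    by_src = defaultdict(dict)  # src -> {url: location-or-None}
    for src, url, status, location in records:
        by_src[src][url] = location if 300 <= status < 400 else None
    chains = {}
    for src, hops in by_src.items():
        targets = {loc for loc in hops.values() if loc}
        for entry in hops:
            if entry in targets:
                continue  # reached via redirect, not an entry point
            chain, cur, seen = [entry], entry, set()
            while hops.get(cur) and cur not in seen:  # seen guards redirect loops
                seen.add(cur)
                cur = hops[cur]
                chain.append(cur)
            chains[(src, entry)] = chain
    return chains


def is_sandbox(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SANDBOX_RANGES)


def find_divergent_redirects(text):
    """Return entry URLs whose final host differs between sandbox and non-sandbox
    visitors, listing the non-sandbox landings that look like installer downloads.
    """
    chains = build_chains(parse_log(text))
    by_entry = defaultdict(dict)  # entry -> {src: final_url}
    for (src, entry), chain in chains.items():
        by_entry[entry][src] = chain[-1]
    findings = []
    for entry, finals in by_entry.items():
        hosts = {urlparse(u).netloc for u in finals.values()}
        if len(hosts) < 2:
            continue  # every visitor ended up on the same host: nothing conditional
        sandbox_hosts = {urlparse(u).netloc for s, u in finals.items() if is_sandbox(s)}
        for src, final in finals.items():
            if is_sandbox(src):
                continue
            parsed = urlparse(final)
            if parsed.netloc not in sandbox_hosts and parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
                findings.append({"entry": entry, "src": src, "final": final,
                                 "sandbox_saw": sorted(sandbox_hosts)})
    return findings


if __name__ == "__main__":
    for finding in find_divergent_redirects(SAMPLE_LOG):
        print(finding)
```

The practical consequence for triage is the caveat the script encodes: a clean sandbox verdict for an ad-served download link does not clear it, because the TDS may have shown the sandbox the legitimate site. Comparing the final destination reached from production endpoints against the one reached from detonation infrastructure, as above, is a cheaper signal than re-analysing the payload.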