Microsoft Finds Threat Actor Deploying Ransomware via Fake Software Download Websites and Google Ads

Silviu STAHIE

November 22, 2022

A threat group identified, for now, as DEV-0569 is behind a new wave of Royal ransomware and other malware deployed through phishing links, legitimate-looking repositories and even Google Ads, Microsoft has revealed.

One of the challenges threat actors face is bypassing security solutions. One way they do that is by tricking users into opening the door for them by clicking on malicious links or downloading software they shouldn't.

DEV-0569 uses all of these techniques to target users. They create phishing websites, use contact forms on targeted organizations, host installers on download sites that look like the real deal, and even serve Google Ads.

"DEV-0569 activity uses signed binaries and delivers encrypted malware payloads," explained Microsoft. The group, which is also known to rely heavily on defense-evasion techniques, has continued to use the open-source tool Nsudo in recent campaigns in an attempt to disable antivirus solutions.

"DEV-0569 notably relies on malvertising, phishing links that point to a malware downloader posing as software installers or updates embedded in spam emails, fake forum pages, and blog comments," the company added.

One of the hackers' goals is to gain access to devices inside secure networks, which allows them to deploy Royal ransomware. The group could also become an access broker for other ransomware operators, effectively selling the access it already has to other criminals.

The group is also expanding its reach by using Google ads, which lets them blend in with legitimate traffic.

"Microsoft researchers identified a DEV-0569 malvertising campaign leveraging Google Ads that point to the legitimate traffic distribution system (TDS) Keitaro, which provides capabilities to customize advertising campaigns via tracking ad traffic and user- or device-based filtering," the company said. "Microsoft observed that the TDS redirects the user to a legitimate download site, or under certain conditions, to the malicious BATLOADER download site."

This technique lets the attackers deliver payloads only to selected targets and IP addresses, while routing the IP ranges of known security sandboxes to the legitimate site so the malicious download never reaches an analysis environment.
