A threat group identified, for now, as DEV-0569 is behind a new wave of Royal ransomware and other malware deployed through phishing links, legitimate-looking repositories and even Google Ads, Microsoft has revealed.
One of the challenges threat actors face is bypassing security solutions. One way they do that is by tricking users into opening the door for them by clicking on malicious links or downloading software they shouldn't.
DEV-0569 uses all of these techniques to target users. They create phishing websites, use contact forms on targeted organizations, host installers on download sites that look like the real deal, and even serve Google Ads.
"DEV-0569 activity uses signed binaries and delivers encrypted malware payloads," explained Microsoft. The group, also known to rely heavily on defense evasion techniques, has continued to use open-source tool Nsudo to attempt to disable antivirus solutions in recent campaigns.
"DEV-0569 notably relies on malvertising, phishing links that point to a malware downloader posing as software installers or updates embedded in spam emails, fake forum pages, and blog comments," the company added.
One of the hackers’ goals is to gain access to devices inside secure networks, which allows them to deploy Royal ransomware. The group could become an access broker for other ransomware operators, basically selling the access they already have to other criminals.
The group is also expanding its reach by using Google ads, which lets them blend in with legitimate traffic.
"Microsoft researchers identified a DEV-0569 malvertising campaign leveraging Google Ads that point to the legitimate traffic distribution system (TDS) Keitaro, which provides capabilities to customize advertising campaigns via tracking ad traffic and user- or device-based filtering,” the company said. "Microsoft observed that the TDS redirects the user to a legitimate download site, or under certain conditions, to the malicious BATLOADER download site."
This technique lets them deliver payloads to specific targets and IPs, bypassing IP ranges of known security sandboxing solutions.