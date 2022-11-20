



Microsoft warns that an actor tracked as DEV-0569 is using Google Ads to distribute the recently discovered Royal ransomware.

Researchers from the Microsoft Security Threat Intelligence team have warned that the threat actor tracked as DEV-0569 is using Google Ads to distribute various payloads, including the recently discovered Royal ransomware.

The DEV-0569 group ran malvertising campaigns and embedded links to signed malware downloaders, masquerading as software installers and fake updates, in spam messages, fake forum pages, and blog comments.

“A malware downloader known as BATLOADER is a malicious file masquerading as an installer or updater for legitimate applications such as Microsoft Teams and Zoom,” reads the report published by Microsoft. “When launched, BATLOADER can use MSI custom actions to launch malicious PowerShell activity, run batch scripts to assist in disabling security solutions, and deliver various encrypted malware payloads that are decrypted and launched with PowerShell commands.”

DEV-0569 relies heavily on defense evasion techniques; recent campaigns used the open source tool NSudo to disable antivirus solutions.

The downloader tracked as BATLOADER has similarities to another malware called ZLoader.

Between August and October 2022, DEV-0569 attempted to spread BATLOADER via malicious links in phishing emails masquerading as legitimate installers for several popular applications, including TeamViewer, Adobe Flash Player, Zoom, and AnyDesk.

BATLOADER was hosted on domains created by the group to look like legitimate software download sites (e.g., anydeskos[.]com) and in legitimate repositories such as GitHub and OneDrive.

The attackers also used file formats such as virtual hard disks (VHDs) disguised as legitimate software. The VHDs also contained malicious scripts used to download DEV-0569 payloads.

“DEV-0569 used a variety of infection chains using PowerShell and batch scripts, ultimately leading to the download of malware payloads such as information stealers and legitimate remote management tools used for persistence on the network,” the report continues. “The management tools can also be access points for staging and spreading ransomware.”

In late October 2022, Microsoft observed a malvertising campaign using Google Ads that pointed to the legitimate traffic distribution system (TDS) Keitaro. Keitaro enables ad campaign customization through ad traffic tracking and user- or device-based filtering. The TDS was used to redirect users to legitimate download sites and, under certain conditions, to sites hosting BATLOADER.

The DEV-0569 group used Keitaro to deliver payloads only to specified IP ranges and targets, while avoiding IP ranges known to be associated with sandbox solutions.

Additionally, the group has been linked to malware such as Emotet, IcedID, and Qakbot, positioning it to act as an initial access broker for other ransomware operations.

“Because DEV-0569’s phishing scheme exploits legitimate services, organizations should leverage mail flow rules to catch suspicious keywords and create and review broad exceptions, such as those associated with IP-range or domain-level allow lists,” concludes the IT giant. “Enabling Safe Links in email, Microsoft Teams, and Office apps also helps combat this threat.”
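One way to implement the mail flow rule mitigation quoted above, as an added example in Exchange Online PowerShell (not code from the article or the Microsoft report): a keyword rule in audit mode for the installer/update lures named in the article, followed by a listing of rules that carry the broad sender exceptions the report says should be reviewed. The allow-listed domain and IP range are placeholders, and an existing `Connect-ExchangeOnline` session is assumed.

```powershell
# Added example, not the article's or Microsoft's own code. Assumes an
# Exchange Online PowerShell session; the exception domain and IP range
# below are placeholders to be replaced with the tenant's real allow lists.

$lureApps = 'TeamViewer', 'AnyDesk', 'Zoom', 'Microsoft Teams', 'Adobe Flash Player'

# One regex per impersonated application, e.g.
#   \bAnyDesk\b.{0,40}\b(installer|update|updater|download)\b
# Transport rule pattern matching is case-insensitive, so no (?i) flag is needed.
$patterns = foreach ($app in $lureApps) {
    '\b' + [regex]::Escape($app) + '\b.{0,40}\b(installer|update|updater|download)\b'
}

$ruleParams = @{
    Name                         = 'DEV-0569 fake installer lure (audit)'
    SubjectOrBodyMatchesPatterns = $patterns
    ExceptIfSenderDomainIs       = 'trusted-partner.example'   # placeholder allow-listed domain
    ExceptIfSenderIpRanges       = '203.0.113.0/24'            # placeholder allow-listed range
    SetSCL                       = 7                            # treat matches as spam once enforced
    PrependSubject               = '[Suspicious installer link] '
    Mode                         = 'Audit'                      # log matches only; switch to Enforce after review
    Comments                     = 'Keyword catch for DEV-0569 installer/update lures'
}
New-TransportRule @ruleParams

# Review which existing rules carry broad sender exceptions that a lure
# from an abused legitimate service could pass through.
Get-TransportRule |
    Where-Object { $_.ExceptIfSenderIpRanges -or $_.ExceptIfSenderDomainIs } |
    Select-Object Name, State, Mode, ExceptIfSenderIpRanges, ExceptIfSenderDomainIs |
    Format-Table -AutoSize
```

Matches in audit mode show up in message trace and the rule reports without altering delivery, which is where to confirm the patterns before changing `Mode` to `Enforce`.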

Pierluigi Paganini

(SecurityAffairs hack, DEV-0569)

