Google Ads - Royal Ransomware

Malware distributed through Google Ads advertisements

Security researchers from the Microsoft Security Threat Intelligence team have issued an alert about Royal ransomware. It turns out that cybercriminals, identified by Microsoft with the name DEV-0569, use Google Ads advertising campaigns to distribute different malware including Royal ransomware.

Malvertising campaigns are used by the DEV-0569 group to trick users into downloading signed malicious executables. They do this by posting to forums, commenting on blogs, using website contact forms, and serving advertisements through Google Ads. The executable is in fact “BATLOADER”, a malware downloader, i.e. software that, once in place on a machine, can deploy further malware such as Royal ransomware. BATLOADER is reported to share similarities with another malware family named ZLoader.

BATLOADER Security - TeamViewer Example

Since it is signed, BATLOADER may impersonate a legitimate installer or an update for an app like Microsoft Teams or Zoom. For example, in September 2022, Microsoft identified a fake TeamViewer-branded site used by hackers to distribute BATLOADER as a TeamViewer installer.

The American company states that there were numerous campaigns from August 2022 to October 2022, with installers for TeamViewer, Adobe Flash Player, Zoom and AnyDesk. To host the malware and trick users into downloading BATLOADER, the attackers use sites created on domains like “anydeskos[.]com” but also GitHub and OneDrive storage.

In its report, Microsoft specifies: “When launched, BATLOADER uses MSI custom actions to initiate malicious PowerShell activity or run batch scripts to help disable security solutions and lead to the distribution of various encrypted malicious payloads, which are then decrypted and launched with PowerShell commands.” To disable antivirus solutions, the attackers use the open-source tool NSudo. Microsoft makes it clear that the final payload may be ransomware, in this case Royal ransomware.
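The execution chain Microsoft describes (an MSI custom action spawning PowerShell or a batch script, NSudo used against security tooling, and encoded payloads launched through PowerShell) maps directly onto process-creation telemetry. The following is an added detection example, not code from the article or from Microsoft: it runs three simple rules over constructed process-creation log lines. The `Key=Value|Key=Value` line format, the Sysmon-style field names (`ParentImage`, `Image`, `CommandLine`) and the sample hosts and paths are all assumptions made for the example; the third rule (flagging an encoded PowerShell command line) goes slightly beyond the page, which only says payloads are decrypted and launched with PowerShell.

```python
import re
from typing import Dict, List

# Constructed sample telemetry (hypothetical paths and command lines; not real logs).
SAMPLE_EVENTS = [
    "ParentImage=C:\\Windows\\System32\\msiexec.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell.exe -nop -w hidden -enc SQBFAFgA[truncated]",
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Program Files\\TeamViewer\\TeamViewer.exe|CommandLine=TeamViewer.exe",
    "ParentImage=C:\\Windows\\System32\\msiexec.exe|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c C:\\Users\\Public\\setup.bat",
    "ParentImage=C:\\Windows\\System32\\cmd.exe|Image=C:\\Users\\Public\\NSudo.exe|CommandLine=NSudo.exe [arguments elided]",
    "ParentImage=C:\\Windows\\System32\\services.exe|Image=C:\\Windows\\System32\\msiexec.exe|CommandLine=msiexec.exe /V",
]

# Script hosts an MSI custom action should not normally need to spawn on a user workstation.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# -e / -ec / -enc / -EncodedCommand: the usual ways to pass a base64-encoded script.
ENCODED_FLAG = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\b", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed 'Key=Value|Key=Value' log line into a dict."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event matches (possibly several)."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    hits: List[str] = []
    # Rule 1: MSI custom action handing off to a script host (the BATLOADER launch step).
    if parent == "msiexec.exe" and image in SCRIPT_HOSTS:
        hits.append("msi_custom_action_spawns_script_host")
    # Rule 2: NSudo present at all; rarely legitimate on an end-user machine.
    if image == "nsudo.exe":
        hits.append("nsudo_execution")
    # Rule 3 (assumption, beyond the page): PowerShell started with an encoded command.
    if image in POWERSHELL and ENCODED_FLAG.search(cmdline):
        hits.append("encoded_powershell_command")
    return hits


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run every rule over every line; one finding per (event, rule) pair."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        event = parse_event(line)
        for rule in classify(event):
            findings.append({"rule": rule,
                             "image": event.get("Image", ""),
                             "command": event.get("CommandLine", "")})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding['rule']}] {finding['image']} :: {finding['command']}")
```

Against the sample lines the benign TeamViewer launch and the service-started `msiexec.exe` produce nothing, while the two `msiexec.exe` children, the encoded PowerShell command and the NSudo execution each produce a finding. In practice the rules would read from Sysmon Event ID 1 or an EDR's process-creation feed rather than from a list of strings, and the MSI rule in particular needs an allow-list for packaging tools that legitimately run PowerShell custom actions.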

More recently, Microsoft observed a malvertising campaign based on Google Ads advertisements and the Keitaro platform. Using Keitaro’s tracking information, the cybercriminals were able to build a customized campaign that precisely targets selected users. Through these ads, they redirect users to download pages, always with the aim of distributing BATLOADER.

At the end of its report, the Redmond firm mentions some recommendations to protect against these threats. The use of the SmartScreen filter in Microsoft Edge is discussed, as well as the Safe Links feature for email, Microsoft Teams and Office apps.
