Ransomware access brokers use Google ads to infiltrate your network

The threat actor traced as DEV-0569 uses Google ads in large-scale and persistent advertising campaigns to distribute malware, steal victims’ passwords and eventually penetrate networks for ransomware attacks.

Over the past two weeks, cyber security researchers MalwareHunterTeamAnd German FernandezAnd Will Dorman Shows how Google search results become a Hotbed of malicious ads that drive malware.

These ads pretend to be websites for popular software, such as LightShot, Rufus, 7-Zip, FileZilla, LibreOffice, AnyDesk, Awesome Miner, TradingView, WinRAR, and VLC.

Clicking the ads directs visitors to sites that appear as download portals or replicas of legitimate websites for the software, as described below.

However, when you click on the download links, you usually download an MSI file that installs various malware depending on the campaign.

The list of malware installed in these campaigns so far includes RedLine Stealer, Gozi/Ursnif, Vidar, and possibly Cobalt Strike and ransomware.

While there appear to be many threat actors abusing the Google Ads platform to distribute malware, there are two that stand out, as their infrastructure has previously been linked to ransomware attacks.

From Google ads to ransomware attacks

In February 2022, Discover Mandiant A malware distribution campaign using SEO poisoning to rank sites posing as popular software in search results.

If the user installs the software offered from these pages, a new malware download called BatLoader is executed, which launches a multi-stage infection process that eventually provides threat actors with initial access to victim networks.

Later that year, Microsoft reported that the threat actors behind BatLoader, tracked as DEV-0569, had begun using Google ads to promote their malicious websites. Even worse, Microsoft said that these infections eventually led to the spread of Royal ransomware on compromised networks.

“Recent activity from a Microsoft threat actor named DEV-0569, known to distribute various payloads, led to the publication of Royal ransomware, which first appeared in September 2022 and is being distributed by multiple threat actors,” Microsoft warned in their report.

Researchers believe DEV-0569 is a first-access broker that uses a malware distribution system to infiltrate corporate networks. They use this access in their own attacks or sell it to other malicious actors, such as the Royal ransomware gang.

While Microsoft has not shared many URLs related to these attacks, there are other reports from fir And And I feel Add more information, including the following URLs used in BatLoader campaigns:

bitbucket[.]org/ganhack123/load/downloads
ads-check[.]com (Used for tracking Google ads statistics)

Fast forward to January 21, 2023, when he was a CronUp researcher German Fernandez Note that recent Google ads promoting popular software have led to malicious sites using infrastructure operated by the DEV-0569 threat actor.

1/ DEV-0569, current distribution across #GoogleAds.

1.- #leather Also known as # O Lord (bot)
2.- # Red line (thief)
And if the conditions are right, they can:
3.- #CobaltStrike (c2)
4.- # Royal ransomware

(No more BatLoader in the infection chain) pic.twitter.com/mYp8hSU7FH

– German Fernandez (@ 1ZRR4H) January 21, 2023

While the malicious installers in this campaign no longer use the BatLoader, like previous campaigns Microsoft has seen, they install an information stealer (RedLine Stealer) and then a malware downloader (Gozi/Ursnif).

In the current campaign, RedLine is being used to steal data, such as passwords, cookies, and cryptocurrency wallets, while Gozi/Ursnif is being used to download more malware.

Fernandez told BleepingComputer that he linked these new campaigns to DEV-0569 as they were using the same bitbucket repository and Check ads[.]com The URL used in the reported November/December 2022 campaigns.

Fernandez didn’t wait long to see if Cobalt Strike and the Royal ransomware would be installed. However, he told BleepingComputer that he believes hackers will eventually use the Gozi infection to bring down Cobalt Strike as the BatLoader has done in previous campaigns.

Fernandez also accessed the web panel of DEV-0569 used to track the malware distribution campaign and Shared screenshots on Twitter. These screenshots showed legitimate software being spoofed and many victims around the world who were infected daily.

When asked how many people have been infected with this campaign based on web board statistics, he said that it is only possible to estimate the number.

“They clean the board data every day of the campaign, but there is data that can give us a clue, it’s the identifier associated with the records (it could be an estimated value of the number of victims of this board, in this case the last value for the day is 63576),” Fernandez told BleepingComputer.

Another campaign associated with CLOP ransomware

To make matters worse, Discover Fernandez that a different but similar Google Ads campaign was using an infrastructure previously used by a threat group traced as TA505, Known to distribute CLOP ransomware.

In this Google Ads campaign, threat actors distribute malware through websites pretending to be popular software, such as AnyDesk, Slack, Microsoft Teams, TeamViewer, LibreOffice, Adobe, and, oddly enough, W-9 IRS forms websites.

The list of domains in this campaign tracked by CronUp is available at this GitHub page.

When malware from this campaign is installed, it will run a PowerShell script that downloads and executes a DLL file from the website download-cdn[.]comthat Previously used TA505.

However, the Proofpoint threat researcher Tommy Madjar He told BleepingComputer that this domain has changed ownership in the past, and it’s unclear if the TA505 is still using it.

Regardless of who owns these domains, the large number of malicious Google ads appearing in search results has become a major problem for both consumers and organizations.

With these campaigns used for initial access to corporate networks, they can lead to various attacks, such as data theft, ransomware, and even destructive attacks to disrupt company operations.

While BleepingComputer has not contacted Google regarding this article, we did contact them last week about a similar malware campaign distributed through Google ads.

Google told us at the time that platform policies are designed and enforced to prevent brand impersonation.

We have strict policies blocking ads that attempt this circumvent our app By disguising the advertiser’s identity and impersonating other brands, we aggressively enforce it. We have reviewed the ads in question and removed them,” BleepingComputer told Google.

The good news is that Google removes ads in the name of have been reported and discover it.

The bad news is that threat actors are constantly launching new ad campaigns and new sites, making it a giant game of whack-a-mole, and it doesn’t feel like Google is winning.