Microsoft Warns of Hackers Using Google Ads to Distribute Royal Ransomware

By IsraeliPanda

Google Ads

A developing threat activity cluster has been found using Google Ads in one of its campaigns to distribute various post-compromise payloads, including the recently discovered Royal ransomware.

Microsoft is tracking the group under the name DEV-0569, having observed the updated malware delivery method in late October 2022.

The threat actor uses malvertising to direct unsuspecting victims to malware-downloader links that pose as installers for legitimate applications such as Microsoft Teams, LogMeIn, Adobe Flash Player, and Zoom.

The downloader, known as BATLOADER, is a dropper that serves as a conduit for delivering next-stage payloads. It has been observed to share overlaps with another malware family, ZLoader.

Malware Persistence

A recent analysis of BATLOADER by eSentire and VMware highlighted the malware's stealth and persistence, as well as its use of SEO poisoning to entice users to download it from compromised websites or domains created by the attackers.

Phishing links, on the other hand, are distributed via fake forum pages, blog comments, spam emails, and even the contact forms on targeted organizations' websites.

infection chains utilizing PowerShell and batch scripts that, in the end, resulted in the download of malware payloads such as information stealers or a legitimate remote management tool that 

A tool known as NSudo is also used to launch programs with elevated privileges and to weaken defenses by adding registry values intended to disable antivirus software.
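The article does not name the registry values DEV-0569 sets, so the following check is an added example, not Microsoft's or the actor's code: it audits the well-known Windows Defender policy switches that, when set to 1, turn protection off by policy, and cross-checks the result against the live Defender status. Which of these values the actor actually touches is an assumption; the key paths and value names themselves are the documented Defender policy locations.

```powershell
# Added example (not from the article): audit Defender policy registry values that
# AV-disabling tooling commonly sets. The exact values used by DEV-0569 are not
# stated on the page; the list below is an assumption based on the documented
# Windows Defender policy switches.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$rtpRoot    = "$policyRoot\Real-Time Protection"

$checks = @(
    @{ Path = $policyRoot; Name = 'DisableAntiSpyware' },
    @{ Path = $policyRoot; Name = 'DisableAntiVirus' },
    @{ Path = $rtpRoot;    Name = 'DisableRealtimeMonitoring' },
    @{ Path = $rtpRoot;    Name = 'DisableBehaviorMonitoring' },
    @{ Path = $rtpRoot;    Name = 'DisableOnAccessProtection' },
    @{ Path = $rtpRoot;    Name = 'DisableIOAVProtection' }
)

# Collect every policy value that is present and set to 1 (protection disabled).
$findings = foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.($c.Name) -eq 1) {
        [pscustomobject]@{ Path = $c.Path; Name = $c.Name; Value = $item.($c.Name) }
    }
}

if ($findings) {
    Write-Warning 'Defender policy values set to 1 (protection disabled by policy):'
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No Defender-disabling policy values found.'
}

# Cross-check against what Defender itself reports. If policy says "disabled" but
# the engine still reports protection on, the change may not have taken effect yet;
# if both agree protection is off on a host that should be protected, treat it as
# a tampering indicator and collect the registry write history (e.g. Sysmon ID 13).
$status = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($status) {
    $status | Select-Object AntivirusEnabled, RealTimeProtectionEnabled,
                            BehaviorMonitorEnabled, IsTamperProtected | Format-List
}
```

Run it from an elevated PowerShell session on the suspect host; the registry reads themselves do not need administrator rights, but Get-MpComputerStatus does on some builds. Hosts with Tamper Protection enabled (IsTamperProtected = True) ignore these policy values unless they are pushed through a managed channel, which is why the live status is worth comparing with the registry.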

The company pointed out that the use of Google Ads to selectively deliver BATLOADER indicates a diversification of DEV-0569's distribution vectors, enabling it to reach more targets and deliver malware payloads.

It also puts the group in a position to act as an initial access broker for other ransomware operations, joining the likes of Emotet, IcedID, and Qakbot.