Google Ads used to spread Royal ransomware by cybercriminals

Microsoft warns users about a cybercrime group using Google Ads to deliver various payloads


In late October 2022, Microsoft researchers identified a new threat actor group, tracked as DEV-0569, that was using Google Ads to distribute various payloads, including the recently discovered Royal ransomware. The group behind this campaign is still unknown. Microsoft uses DEV-#### designations as temporary names[1] for unknown, developing clusters of threat activity; once a cluster meets the defined criteria, the DEV group is converted to a named actor.

Cybercriminals use malvertising to direct unsuspecting victims to malware downloader links disguised as installers for legitimate apps such as Adobe Flash Player, AnyDesk, LogMeIn, Microsoft Teams, and Zoom. If people proceed, a malware dropper known as BATLOADER[2] gets onto their systems. The report[3] published by Microsoft says:

When launched, BATLOADER uses MSI Custom Actions to launch malicious PowerShell activity or run batch scripts to aid in disabling security solutions and lead to the delivery of various encrypted malware payloads that are decrypted and launched with PowerShell commands.

Microsoft reported this to Google in the hope that it would take action. This is not the first time cybercriminals have used Google Ads for malicious purposes. Previously, scammers used Google Ads to spread malicious links that directed victims to web pages designed to collect cryptocurrency wallet passwords. At the time, Google responded to the incident[4] by saying:

This behavior directly violates our policies and we immediately suspended these accounts and removed the ads. This appears to be a malicious actor looking for ways to evade our detection. We are always adjusting our enforcement mechanisms to prevent these abuses.

Royal ransomware demands can reach $2 million

Royal ransomware's main goal is to gain access to a victim's system, encrypt its data, and extort a ransom in exchange for restoring access to the locked files. It is a relatively new operation that has been active since at least the start of 2022. Victims are given an ID and a unique Tor[5] page to visit to contact the group about payment. It is unknown whether the same threat actors exploiting Google Ads developed it.

Previously, Royal ransomware was known to be delivered through callback phishing attacks that impersonate food delivery and software providers in emails. The messages pressured recipients into canceling a supposed subscription by calling the provided number; the threat actors even hired a service to answer these calls.

The group behind Royal ransomware would then use social engineering to convince the caller to install remote access software, and once initial access to the corporate network was gained, the ransomware would be deployed. This threat mainly targets companies. The cybercriminals demand ransoms starting at $250 000, with sums reaching up to $2 million, paid in cryptocurrency.

DEV-0569 will most likely continue to use malvertising and phishing campaigns

The BATLOADER malware dropper is stealthy and persistent. It uses search engine optimization (SEO)[6] to lure users into downloading malware from compromised websites or attacker-created domains. The phishing links are spread through spam emails, fake forum pages, blog comments, and even contact forms on targeted organizations' websites.

DEV-0569 relies heavily on defense evasion techniques. The campaign also uses a tool known as NSudo to launch programs with elevated privileges and impair defenses by adding registry values meant to disable antivirus solutions. Microsoft has provided tips on how organizations can better defend themselves against this threat:
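The Microsoft quote earlier (MSI Custom Actions spawning PowerShell or batch scripts) and the paragraph above (NSudo elevation and registry values that switch off antivirus) give a defender three concrete behaviours to hunt for in endpoint telemetry. The Python script below is an added example written for this article, not code from the article, from Microsoft, or from any vendor: a toy detector run over a handful of constructed process-creation and registry-modification events. The log line format, the field names, the sample paths, the timestamps and the command lines are all constructed for the example; the Defender policy key `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender` is a well-known Windows location used here as an assumption, not a value cited by the article.

```python
"""Toy behaviour detector for the BATLOADER / DEV-0569 tradecraft described above.

The events below are CONSTRUCTED for this example and do not come from real
telemetry. Each line has the invented shape:  kind|timestamp|key=value|key=value...
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample feed (assumed format, assumed paths and command lines).
SAMPLE_LOG = r"""
proc|2022-10-27T10:01:02Z|parent=C:\Windows\System32\msiexec.exe|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmd=powershell.exe -nop -w hidden -enc AAAA
proc|2022-10-27T10:01:05Z|parent=C:\Windows\explorer.exe|image=C:\Program Files\Zoom\bin\Zoom.exe|cmd=Zoom.exe
proc|2022-10-27T10:02:11Z|parent=C:\Users\bob\Downloads\setup.exe|image=C:\Users\bob\AppData\Local\Temp\NSudo.exe|cmd=NSudo.exe -U:T -P:E cmd.exe /c stage2.bat
reg|2022-10-27T10:02:13Z|key=HKLM\SOFTWARE\Policies\Microsoft\Windows Defender|value=DisableAntiSpyware|data=1
reg|2022-10-27T10:03:00Z|key=HKCU\Software\Contoso\App|value=LastRun|data=1
proc|2022-10-27T10:05:00Z|parent=C:\Windows\System32\msiexec.exe|image=C:\Windows\System32\cmd.exe|cmd=cmd.exe /c install.bat
"""

# Script interpreters an MSI Custom Action should rarely need to spawn (assumed list).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


@dataclass
class Alert:
    timestamp: str
    rule: str
    detail: str


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> dict:
    """Parse one 'kind|timestamp|k=v|k=v' line into a dict (assumed format)."""
    parts = line.rstrip("\n").split("|")
    if len(parts) < 3:
        raise ValueError(f"malformed event: {line!r}")
    event = {"kind": parts[0], "timestamp": parts[1]}
    for kv in parts[2:]:
        key, _, val = kv.partition("=")   # values may themselves contain '='
        event[key] = val
    return event


def check_process(ev: dict) -> list[Alert]:
    """Rules for process-creation events."""
    alerts: list[Alert] = []
    parent = _basename(ev.get("parent", ""))
    image = _basename(ev.get("image", ""))
    # Rule 1: an MSI installer (msiexec.exe) spawning a script host matches the
    # "MSI Custom Actions launch PowerShell / batch scripts" behaviour.
    if parent == "msiexec.exe" and image in SCRIPT_HOSTS:
        alerts.append(Alert(ev["timestamp"], "msi_custom_action_script",
                            f"{parent} -> {image}: {ev.get('cmd', '')}"))
    # Rule 2: the NSudo elevation utility appearing at all is worth a look.
    if image == "nsudo.exe":
        alerts.append(Alert(ev["timestamp"], "nsudo_elevation", ev.get("cmd", "")))
    return alerts


def check_registry(ev: dict) -> list[Alert]:
    """Rule 3: a Disable* value set to 1 under a Windows Defender policy key."""
    key = ev.get("key", "").lower()
    value = ev.get("value", "")
    if "windows defender" in key and value.lower().startswith("disable") and ev.get("data") == "1":
        return [Alert(ev["timestamp"], "defender_tamper_registry", f"{ev['key']}\\{value} = 1")]
    return []


def scan(log_text: str) -> list[Alert]:
    """Run every rule over every event and return the alerts in log order."""
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["kind"] == "proc":
            alerts.extend(check_process(ev))
        elif ev["kind"] == "reg":
            alerts.extend(check_registry(ev))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.timestamp}] {a.rule}: {a.detail}")
```

Run as-is it reports four alerts from the six constructed events: two msiexec-to-script-host launches, one NSudo execution and one Defender policy value being disabled, while the ordinary Zoom launch and the unrelated registry write stay silent. In production the same three rules map naturally onto Sysmon event IDs 1 (process create) and 13 (registry value set) or onto a SIEM query over equivalent EDR fields; the parent/child pairing of rule 1 is the important part, since msiexec.exe and powershell.exe are both legitimate on their own.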

Solutions such as network protection and Microsoft Defender SmartScreen can help thwart malicious link access. Microsoft Defender for Office 365 helps guard against phishing by inspecting the email body and URL for known patterns. Since DEV-0569’s phishing scheme abuses legitimate services, organizations can also leverage mail flow rules to capture suspicious keywords or review broad exceptions, such as those related to IP ranges and domain-level allow lists. Enabling Safe Links for emails, Microsoft Teams, and Office Apps can also help address this threat.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
