November 21, 2022

Microsoft Security Threat Intelligence has identified a developing threat activity cluster by DEV-0569 that distributes various payloads, including the recently discovered Royal ransomware, via Google Ads.

DEV-0569 conducts malvertising campaigns to disseminate links to a signed malware downloader disguised as software installers or fake updates embedded in spam messages, fake forum pages, and blog comments.

Malvertising, phishing link vectors, fake forum pages, and blog comments are also used by DEV-0569. It directs users to the BATLOADER malware downloader (a dropper that acts as a conduit to distribute next-stage payloads which shares similarities with another malware known as ZLoader), masquerading as legitimate software installers such as TeamViewer, Adobe Flash Player, AnyDesk, LogMeIn, Microsoft Teams, and Zoom, or updates embedded in spam emails.

BATLOADER uses MSI Custom Actions to launch malicious PowerShell activity or run batch scripts to aid in the disabling of security solutions and lead to the delivery of various encrypted malware payloads that are decrypted and launched with PowerShell commands when it is launched.

The BATLOADER is hosted on domains created by the group to appear as legitimate software download sites (for example, anydeskos[.]com), as well as legitimate repositories such as GitHub and OneDrive.

In addition, the attackers impersonated legitimate software by using file formats such as Virtual Hard Disk (VHD). The VHDs also contain malicious scripts that are used to download the payloads of DEV-0569.

The DEV-0569 team used Keitaro to deliver payloads to specific IP ranges and targets while avoiding IP ranges associated with sandboxing solutions.

The sources for this piece include an article in TheHackerNews.