DEV-0569 group uses Google Ads to distribute Royal Ransomware

Microsoft warns that a threat actor, tracked as DEV-0569, is using Google Ads to distribute the recently discovered Royal ransomware.

Researchers from the Microsoft Security Threat Intelligence team warned that a threat actor, tracked as DEV-0569, is using Google Ads to distribute various payloads, including the recently discovered Royal ransomware.

The DEV-0569 group carries out malvertising campaigns to spread links to a signed malware downloader posing as software installers or fake updates embedded in spam messages, fake forum pages, and blog comments.

“The malicious files, which are malware downloaders known as BATLOADER, pose as installers or updates for legitimate applications like Microsoft Teams or Zoom.” reads the report published by Microsoft. “When launched, BATLOADER uses MSI Custom Actions to launch malicious PowerShell activity or run batch scripts to aid in disabling security solutions and lead to the delivery of various encrypted malware payloads that is decrypted and launched with PowerShell commands.”

DEV-0569 relies heavily on defense evasion techniques and employed the open-source tool Nsudo to disable antivirus solutions in recent campaigns.

The downloader, tracked as BATLOADER, shares similarities with another malware called ZLoader.

From August to October 2022, DEV-0569 attempted to spread the BATLOADER via malicious links in phishing emails, posed as legitimate installers for multiple popular applications, including TeamViewer, Adobe Flash Player, Zoom, and AnyDesk.

The BATLOADER was hosted on domains created by the group to appear as legitimate software download sites (i.e. anydeskos[.]com) and on legitimate repositories like GitHub and OneDrive.

The attackers also used file formats like Virtual Hard Disk (VHD) posing as legitimate software. The VHDs also contain malicious scripts used to download DEV-0569’s payloads.

“DEV-0569 has used varied infection chains using PowerShell and batch scripts that ultimately led to the download of malware payloads like information stealers or a legitimate remote management tool used for persistence on the network,” continues the report. “The management tool can also be an access point for the staging and spread of ransomware.”

In late October 2022, Microsoft observed a malvertising campaign leveraging Google Ads that point to the legitimate traffic distribution system (TDS) Keitaro, which allows to customize advertising campaigns via tracking ad traffic and user- or device-based filtering. The TDS was used to redirect the user to a legitimate download site, or under certain conditions, to the site hosting the BATLOADER.

The DEV-0569 group used Keitaro to deliver the payloads to specified IP ranges and targets and of course to avoid IP ranges known to be associated with sandboxing solutions.

It further positions the group to serve as an initial access broker for other ransomware operations, joining the likes of malware such as Emotet, IcedID, Qakbot.

“Since DEV-0569’s phishing scheme abuses legitimate services, organizations can also leverage mail flow rules to capture suspicious keywords or review broad exceptions, such as those related to IP ranges and domain-level allow lists.” concludes the IT giant. “Enabling Safe Links for emails, Microsoft Teams, and Office Apps can also help address this threat.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, DEV-0569)

[adrotate banner=”5″]

[adrotate banner=”13″]