On November 17, Microsoft Security Threat Intelligence tracked the activity of a threat actor known as DEV-0569 regarding the development of new tools to deliver the Royal ransomware.
Although Microsoft is still using a temporary designation ‘DEV-####’ for it, meaning they are unsure of its origin or identity, it is believed that the group consists of ex-Conti members.
“The observed DEV-0569 attacks show a pattern of continuous innovation, with the regular incorporation of new discovery techniques, defense evasion, and various post-compromise payloads, along with increasing ransomware facilitation,” the Microsoft Security Threat Intelligence team said in an analysis.
Dating back to August 2022, the group typically relies on malicious advertising, phishing links, fake forum pages, and blog comments. They also direct users to a malware downloader called BATLOADER, which masquerades as various legitimate software installers, such as TeamViewer, Adobe Flash Player and Zoom, or as updates embedded in spam emails.
BATLOADER masquerading as a TeamViewer installer
When BATLOADER is launched, it uses custom MSI actions to run malicious PowerShell activity or batch scripts that help disable security solutions, leading to the delivery of multiple encrypted malware payloads that are decrypted and launched with PowerShell commands.
BATLOADER also appears to share overlaps with another malware family named Zloader. A recent analysis of the strain by eSentire and VMware noted its stealth and persistence, as well as its use of search engine optimization (SEO) poisoning to lure users into downloading the malware from compromised websites or attacker-created domains.
In their blog entry, Microsoft security researchers described several recently observed changes in the group’s delivery methods. These include using contact forms on targeted organizations’ websites to deliver phishing links, hosting fake installer files on seemingly legitimate software download sites, and expanding their malicious advertising through Google Ads.
In one particular campaign, DEV-0569 sent a message to targets through the contact form on those targets’ own websites, posing as a national financial authority. When a contacted target responded via email, the threat actor replied with a message containing a link to BATLOADER, luring the target into the trap.
A tool known as NSudo is also used to launch programs with elevated privileges and compromise defenses by adding registry values designed to disable antivirus solutions.
Their expansion into Google Ads to spread BATLOADER, however, appears to have made the biggest difference in diversifying DEV-0569’s distribution vectors, allowing the group to reach more targets and deliver more malware payloads.
“Because DEV-0569’s phishing scheme abuses legitimate services, organizations can also leverage mail flow rules to catch suspicious keywords or review broad exceptions, such as those related to IP ranges and domain-level authorization lists,” Microsoft said.