Google ads may pose a security risk

Notice from Microsoft

The king of the software world, Microsoft, has warned that a Google Ads campaign is distributing post-compromise payloads, including the recently discovered Royal ransomware.

Microsoft detected the updated malware delivery method at the end of October 2022 and is tracking the group under the name DEV-0569.

The Microsoft Security Threat Intelligence team said in an analysis that the DEV-0569 attacks show a pattern of “continuous innovation, with regular incorporation of new discovery techniques, defense evasion, and various post-compromise payloads, along with increasing facilitation of ransomware.”

The threat actor is known to rely on malicious advertising to direct unsuspecting victims to malware download links posing as software installers for legitimate applications such as Adobe Flash Player, AnyDesk, LogMeIn, Microsoft Teams and Zoom.

The malware, a strain called BATLOADER, is a dropper that acts as a conduit to distribute next-stage payloads. It has been observed to share overlaps with another malware called ZLoader.

A recent analysis of BATLOADER by eSentire and VMware pointed to the malware’s stealth and persistence, as well as its use of search engine optimization (SEO) poisoning to lure users into downloading the malicious software from compromised websites or domains created by attackers.

Alternatively, phishing links are shared through spam emails, fake forum pages, blog comments, and even contact forms present on targeted organizations’ websites.

“DEV-0569 used multiple infection chains using PowerShell and batch scripts that ultimately led to the download of malware payloads such as information stealers or a legitimate remote management tool used for network persistence,” the tech giant noted.

“Because DEV-0569’s phishing scheme abuses legitimate services, organizations can also leverage mail flow rules to catch suspicious keywords or review broad exceptions, such as those related to IP ranges and domain-level authorization lists,” Microsoft said.

About the Author: Ted Simmons

I follow and report the current news trends on Google news.
