Chris Swagler | December 14th, 2022

A new threat group is breaking into networks and encrypting them with file-locking malware before demanding ransom from victims. In September, the Royal ransomware group first emerged being distributed by numerous threat groups; however, according to threat intelligence, one is exhibiting a pattern of continuous innovation in distributing and hiding payloads, often after victims’ networks have been encrypted.

The attacks, which were carried out in various ways, are connected to a group known as DEV-0569, a temporary name because the origin and the group’s identity behind the operation remain unknown. Some campaigns use a method usually associated with cyberattacks to deliver Royal ransomware; phishing emails with a malicious attachment carrying Batloader backdoor malware used to download the ransomware payload. The Royal ransomware threat operators don’t just utilize phishing to deliver the initial payload. The ransomware is distributed through emails containing links appearing to be legitimate installers and updates for regularly used company applications. The backdoor is installed when the fake updates are downloaded, and it’s utilized to spread malware.

Using contact forms to access targets and deliver malware is one of the more unusual techniques. DEV-0569 isn’t the first ransomware operation to utilize attacks in this manner. The attack method is unusual and one that defenders may overlook. Threat operators send messages to targets through contact forms on targets’ own websites, posing as representatives from a national financial authority. If victims respond to the messages, threat operators reply again and attempt to trick victims into clicking links that will install Batloader. Threat operators have been recently observed using Google ads to assist in delivering malware using ‘malvertising’ links, allowing threat operators to watch which users and devices click links. The connections are used to find possible targets and distribute the Batloader payload.

DEV-0569 has been alleged to have carried out hands-on, human-operated attacks to install ransomware in addition to malvertising and phishing links, gaining access to victims’ networks by exploiting vulnerabilities and remote access tools to download the Royal payload manually. According to researchers, DEV-0569’s widespread infection base and diverse payloads is making the group an appealing access broker for ransomware operators, meaning that even though they did not install their own ransomware, they can sell network access to ransomware operators and other malicious cyber-threat groups.

Additionally, threat operators have been seen utilizing open-source tools to disable antivirus software, making it more difficult for their malicious activities to be discovered. The group is expected to continue breaching networks using various methods. Fortunately, there are steps companies can take to avoid falling victim to these cyberattacks. Among the steps includes building resilience against email threats by educating users on spotting social-engineering attacks and preventing malware infection and providing users a way for reporting suspected attacks.

Companies are advised to practice the concept of least privilege and maintain credential hygiene, meaning only giving account users the access they require to accomplish their work, and ensuring the accounts are secured with strong passwords and multi-factor authentication. The measures can aid in preventing threat operators from entering and navigating networks.

Additionally, companies need to always remain vigilant on the current threat landscape and train their employees to identify potential phishing emails with malware attachments. At SpearTip, our certified engineers will examine companies’ security posture to improve the weak points in their networks. Our team will engage with companies’ people, processes, and technology to measure the maturity of the technical environment. Our experts will provide companies with a technical roadmap ensuring they have the awareness and support to optimize their overall cyber security posture.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.