Abuse of Google Ads Leads to Ransomware Attacks
Category: Threat Actor Activity | Industry: Global | Level: Tactical | Source: BleepingComputer
The abuse of online advertisements masquerading as legitimate software is a common initial access vector for threat actors distributing malware. Security researchers Germán Fernández, Will Dormann, MalwareHunterTeam, and BleepingComputer have discovered several advertising campaigns leading to the deployment of Royal and CLOP ransomware by the initial access broker tracked as DEV-0569 and the threat actor TA505. Fictitious pages disguise themselves as popular software utilities such as 7-Zip, WinRAR, VLC, AnyDesk, LibreOffice, FileZilla, and TradingView, and even pose as IRS forms. When an unsuspecting user initiates the download of the phony software, a malicious executable, script, or MSI file is downloaded to start the infection chain. Malware delivered through these campaigns has included BatLoader, Cobalt Strike, and information-stealing malware such as RedLine, Gozi/Ursnif, and Vidar. While Google does its best to remove malicious ad sites that are detected or reported, threat actors have proven able to outpace the rate of takedowns.
- Malicious Software Download via MSI/JS
Anvilogic Use Cases:
- MSIExec Install MSI File
- Invoke-Expression Command
- Modify Windows Defender
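The three use cases above map onto process-creation telemetry. The following is an added illustration, not Anvilogic's rule logic or any code from the report: a small Python pass that evaluates constructed process-creation records (fields modelled on Sysmon Event ID 1 / Windows 4688) against one function per use case. Hostnames, paths and file names are constructed placeholders, not indicators from the campaigns; the "user-writable path" pattern is an assumption made for the demo.

```python
"""Added example: toy detection pass over constructed process-creation events.

Each ProcessEvent mimics the fields a Sysmon Event ID 1 / Windows 4688 event
carries (parent image, image, command line). Rules are illustrative only.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


# Assumption for the demo: locations a user-initiated browser download lands in.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\(Downloads|AppData)|Temp)\\", re.IGNORECASE)
# msiexec install switches: /i, -i, /package, -package
INSTALL_SWITCH = re.compile(r"(^|\s)[/-](i|package)(\s|$)", re.IGNORECASE)
# Defender tampering via PowerShell cmdlets: protections switched off or exclusions added.
DEFENDER_TAMPER = re.compile(
    r"Set-MpPreference\b.*-(DisableRealtimeMonitoring|DisableIOAVProtection|DisableBehaviorMonitoring)\s+\$?true"
    r"|Add-MpPreference\b.*-ExclusionPath",
    re.IGNORECASE,
)


def msiexec_from_user_path(ev: ProcessEvent) -> bool:
    """Use case 'MSIExec Install MSI File': msiexec.exe installing an .msi that sits in a
    user-writable directory, which is where a phony-software download would be launched from."""
    if not ev.image.lower().endswith("msiexec.exe"):
        return False
    cl = ev.command_line
    return (".msi" in cl.lower()
            and INSTALL_SWITCH.search(cl) is not None
            and USER_WRITABLE.search(cl) is not None)


def invoke_expression(ev: ProcessEvent) -> bool:
    """Use case 'Invoke-Expression Command': PowerShell evaluating a string with IEX."""
    if not ev.image.lower().endswith(("powershell.exe", "pwsh.exe")):
        return False
    return re.search(r"\b(invoke-expression|iex)\b", ev.command_line, re.IGNORECASE) is not None


def modify_windows_defender(ev: ProcessEvent) -> bool:
    """Use case 'Modify Windows Defender': Set-MpPreference disabling a protection
    or Add-MpPreference adding an exclusion path."""
    return DEFENDER_TAMPER.search(ev.command_line) is not None


RULES = {
    "MSIExec Install MSI File": msiexec_from_user_path,
    "Invoke-Expression Command": invoke_expression,
    "Modify Windows Defender": modify_windows_defender,
}


def evaluate(events):
    """Return (host, rule name, parent image, command line) for every rule an event matches."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((ev.host, name, ev.parent_image, ev.command_line))
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSIEXEC = r"C:\Windows\System32\msiexec.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed sample events; every path and file name is a placeholder, not an observed indicator.
SAMPLE_EVENTS = [
    # user runs the fake installer from Downloads
    ProcessEvent("ws01", EXPLORER, MSIEXEC,
                 r'msiexec.exe /i "C:\Users\alice\Downloads\7-Zip-Setup.msi" /qn'),
    # the installer spawns PowerShell that evaluates a dropped script
    ProcessEvent("ws01", MSIEXEC, PS,
                 r'powershell.exe -nop -w hidden -c "Invoke-Expression (Get-Content C:\Users\alice\AppData\Local\Temp\stage.ps1 -Raw)"'),
    # follow-on tampering with Defender
    ProcessEvent("ws01", PS, PS, "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
    # administrative deployment from a managed path: not flagged
    ProcessEvent("ws02", EXPLORER, MSIEXEC, r'msiexec.exe /i "C:\ProgramData\Corp\Deploy\agent.msi" /qn'),
    # benign read-only query: not flagged
    ProcessEvent("ws02", EXPLORER, PS, "powershell.exe Get-MpPreference"),
]

if __name__ == "__main__":
    for host, rule, parent, cl in evaluate(SAMPLE_EVENTS):
        print(f"{host} | {rule} | parent={parent} | {cl}")
```

Run stand-alone, the block prints three hits, all on `ws01`, in the order of the infection chain (MSI install from Downloads, Invoke-Expression from a PowerShell child of msiexec, then the Defender change), and nothing for the managed deployment or the read-only query. The parent image is carried through so an analyst can see that the PowerShell process was spawned by msiexec, which is the lineage the campaign description implies.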