Threat actors are using Google Ads to spread BatLoader malware, steal victims’ passwords and ultimately breach networks for ransomware attacks. A report by security researchers MalwareHunterTeam, German Fernandez and Will Dormann details how this has recently occurred.
These malicious ads pretend to be legitimate software programs such as Adobe, OpenAPI’s ChatGPT, Spotify, Tableau and Zoom. When a victim clicks on one of these rogue ads they are taken to websites hosting fake Windows installer files that look just like legitimate applications.
Google Ads
Threat actors are employing Google Ads to distribute malicious payloads. Examples include BatLoader, which utilizes software impersonation to spread next-stage malware such as information stealers, banking malware, Cobalt Strike and ransomware.
Recently, cybersecurity company eSentire discovered that BatLoader is using Google Ads to distribute Vidar Stealer and Ursnif payloads. These payloads spoof apps and services such as Adobe, OpenAPI’s ChatGPT, Zoom, Spotify, Tableau, and more.
When users click on a fake ad, they will be taken to a website hosting Windows installer files that appear legitimate. These MSI files contain Python scripts which run the BATLOADER payload and download additional malware from a remote server, according to eSentire.
These campaigns are being operated by DEV-0569, a threat actor identified as DEV. This group has been using Google Ads in widespread, ongoing advertising campaigns to distribute malware, steal victims’ passwords, and ultimately breach networks for ransomware attacks.
Microsoft has confirmed that DEV-0569 has been disseminating BatLoader through Google Ads since at least February 2022. This ad campaign utilizes SEO poisoning techniques and malvertising to promote sites posing as popular software in search results.
Malwarebytes observed, in July 2022, a BatLoader sample had been altered and enhanced with additional capabilities that could grant it access to enterprise networks. This development comes amid an uptick in search engine malvertising due to Microsoft’s decision to block macros from Office files downloaded directly from the internet.
Researchers have documented BatLoader’s use of Google Ads to deliver Vidar Stealer and Ursnif payloads, both intended to infiltrate victim computers and steal sensitive information. Furthermore, upon infection, BatLoader adds two more payloads.
Google Ads campaigns deliver malicious BatLoader payloads that contain code to exploit vulnerabilities in Windows and other operating systems, install Trojans that allow them to infiltrate victims’ networks and encrypt files on their drives.
Although it remains unknown how this malware downloader distributes malicious software through Google Ads, it is essential to understand its operation and take steps to protect yourself against it. Organizations should invest time into educating their employees on avoiding phishing attempts and spam emails that could spread malicious software.
SEO Poisoning
Cybercriminals often employ search engine poisoning, a practice which allows links to malicious websites to appear high up in organic listings for key search terms. This practice has become increasingly common among threat actors.
BATLOADER malware downloader has been observed exploiting Google Ads to deliver Vidar Stealer and Ursnif payloads. These downloaders are responsible for spreading next-stage malware such as information/banking stealers, Cobalt Strike, and ransomware.
The malware downloader has also been observed using phishing emails, compromised websites and peer-2-peer file-sharing networks to distribute its payloads. These methods can be easily blocked using a web filtering solution that performs content analysis on new content.
Additionally, web filters can be configured to block files with suspicious extensions or rare top-level domains, thus discouraging attackers from employing these techniques. Antivirus software is another useful tool that could be employed in this regard.
Cybersecurity experts warn that this tactic is becoming more and more common, as threat actors know how to exploit user behavior to avoid detection. That’s why having a robust security solution in place is so critical for protecting your organization against such attacks.
MalwareHunterTeam, German Fernandez and Will Dormann have recently documented how hackers have been abusing Google search results to spread malware. They showed how ads pretending to be websites for LightShot, Rufus, 7-Zip, FileZilla, LibreOffice, AnyDesk Awesome Miner TradingView WinRAR VLC were being spoofing legitimate programs in an attempt to trick users into downloading malicious software.
These ads link to malicious websites that host Microsoft Windows installers disguised as software versions of popular software products. When clicked on, these MSI installers run Python scripts containing a malware loader which then delivers further stage malware. This attack chain differs slightly from December 2022 when malware droppers delivered BatLoader and RedLine stealer via PowerShell commands on remote servers.
Malvertising
Malvertising is an attack method that utilizes creative ads and calls to advertisements in order to spread malware on a victim’s computer. This approach can deliver various threats such as information stealers and ransomware, often displayed on webpages relevant to user interests such as search engine results or social media posts.
Malvertising campaigns may employ deception or social engineering techniques to entice users into clicking on malicious ads. Once clicked, users will be redirected to websites hosting links to Batloader distribution pages and other malicious material.
Another means of delivering malicious payloads is through ad networks that enable cybercriminals to purchase advertising space on targeted websites. These attacks can be used for distributing various malware types, such as info-stealers, ransomware and phishing attempts.
BatLoader is an example of malware downloader that leverages Google Ads to distribute Vidar Stealer and Ursnif payloads on victims’ computers. Furthermore, the malware runs exploit kits which scan for and exploit vulnerabilities on victim systems.
Research has demonstrated that BatLoader can infiltrate victims’ devices through fake software and application installers that appear legitimate, such as Adobe, OpenAPI’s ChatGPT, Spotify, Tableau, and Zoom. These installers appear to mimic legitimate applications like Adobe or OpenAPI’s ChatGPT for Android or OpenAPI ChatGPT for iOS.
The malware also runs a node-webkit desktop application that loads ads to generate revenue or installs a browser extension to do the same thing. This downloader was first identified in 2022, and since then has been utilized to spread various malicious programs like ChromeLoader and ransomware.
Mandiant is currently investigating an attack campaign that uses SEO poisoning to boost web pages’ rankings in search engine results for terms like “free productivity apps installation” and “free software development tools installation.” These pages promote malicious software downloads such as Batloader, Ursnif, Atera Agent, RedLine, and Gozi malware.
The attackers behind this campaign are believed to be members of DEV-0569 group, which specializes in developing tools to deliver Royal ransomware onto breached networks. This collective has earned a reputation for innovation by continuously creating novel discovery techniques, defense evasion methods and post-compromise payloads.
BatLoader Malware Distribution Methods
Recently, threat actors have been found using Google Ads to distribute BatLoader malware. These ads appear as the top search result and can trick victims into downloading it. This is an alarming trend that could threaten to undermine the current dominance of malware spam (malspam) as an initial access vector.
The campaign operators employ software impersonation tactics to deliver malicious Windows installer files with custom action commands that execute an embedded batch file with admin privileges in a hidden window. This process unpacks two Python files protected by PyArmor, which are then used to execute BatLoader payload and retrieve subsequent stage malware such as Vidar Stealer and Ursnif hosted on remote servers.
Proofpoint has identified BatLoader variants using Google Ads as well as software impersonation and distribution techniques to deliver additional payloads. They register websites impersonating popular apps and brands such as ChatGPT, Zoom, Spotify, AnyDesk, Microsoft Teams, Java, Tableau, and Adobe for this purpose.
These web domains deliver BatLoader malware as a.bat file containing Python code responsible for execution, payload retrieval and decryption operations. Furthermore, certain variants contain an additional obfuscated third Python file encrypted with PyArmor which delivers the BatLoader payload to a system with more than two IP neighbors in its ARP table.
BatLoader deploys its payload using Living off the Land commands, profiling the victim’s system to fetch a second-stage payload tailored to monetizing that system or network where it landed. On personal workstations, it drops Ursnif banking malware and Vidar information stealer; on domain-joined systems it drops Cobalt Strike and Syncro Remote Monitoring and Management tool.
BatLoader variants are highly adaptable and prolific, capable of delivering multiple payloads simultaneously – making them difficult to detect and contain. As with all malware families, these viruses have shown to be highly successful at spreading throughout the world.
To combat BATLOADER, security practitioners should ensure their antivirus products are up to date and use a Zero Trust connectivity method to block all unknown or untrusted remote access tools. Furthermore, regular phishing and security awareness training should be conducted among employees to teach them how to avoid malware in the first place and take preventive measures before any attacks take place.
