Microsoft: Royal ransomware group using Google Ads in campaign

The Royal Ransomware group used Google Ads in one of their campaigns of attacks, according to a new report from Microsoft’s Security Threat Intelligence team.

The ransomware – which emerged in September and claimed a number of victims including one of the most popular motor racing circuits in the United Kingdom – is being distributed by multiple threat actors, according to Microsoft. 

The researchers said in late October they discovered a “malvertising” campaign where the hackers – which they track as DEV-0569 – used Google Ads to redirect users to a download site with malicious files. Microsoft said it reported the abuse of the traffic distribution system to Google. 

“DEV-0569 notably relies on malvertising, phishing links that point to a malware downloader posing as software installers or updates embedded in spam emails, fake forum pages, and blog comments,” the researchers said. 

“In the past few months, Microsoft security researchers observed the following tweaks in the group’s delivery methods: Use of contact forms on targeted organizations’ websites to deliver phishing links, hosting fake installer files on legitimate-looking software download sites and legitimate repositories to make malicious downloads look authentic to targets, and expansion of their malvertising technique by using Google Ads in one of their campaigns, effectively blending in with normal ad traffic.”

Microsoft explained that the methods allow the group to reach more targets and expand their base of victims. 

From August to October, Microsoft saw the threat actor deliver the BATLOADER malware through phishing emails that posed as legitimate installers for numerous applications like TeamViewer, Adobe Flash Player, Zoom, and AnyDesk.

The malware was hosted on attacker-created domains and on legitimate repositories like GitHub and OneDrive.

“In September 2022, Microsoft observed a campaign using contact forms to deliver DEV-0569 payloads. Using contact forms on public websites to distribute malware has been seen in other campaigns, including IcedID malware,” the tech giant explained. 

“Attackers use this technique as a defense evasion method since contact forms can bypass email protections and appear trustworthy to the recipient.”

The hackers sent messages to targets purporting to be a national financial authority using the contact form on these targets’ websites. 

When contacted in response, the hackers sent a link that included the BATLOADER malware. 

Recorded Future senior security architect Allan Liska said that while the Royal ransomware group is new, it appears to be made up of experienced hackers that previously worked as affiliates for other ransomware groups. 

“They have been known to use multiple ransomware types and unlike a lot of current ransomware groups which randomly generated extensions for encrypted files, they use the .Royal extension,” he explained. 

“They were also seen earlier this year using callback phishing campaigns. While this attack is not new, it is uncommon for ransomware groups.”