The Royal Ransomware group used Google Ads in a malvertising campaign, according to a report published by Microsoft's Security Threat Intelligence team.
Microsoft's team identified the DEV-0569 campaign in October 2022. One of the most popular motor racing circuits in the United Kingdom, home of the British Grand Prix, was allegedly attacked by the Royal Ransomware group. That group took credit for the incident on Tuesday. Recorded Future senior security architect Allan Liska told The Record that "while the group is new, it appears to be made up of experienced hackers that previously worked as affiliates for other ransomware groups."
Microsoft observed that a traffic distribution system (TDS), an intermediate website that directs the HTTP traffic of unsuspecting users from online advertisements to webpages, redirected the user either to a legitimate download site or, under certain conditions, to the malicious BATLOADER download site.
The researchers tracked the gang to Google Ads that redirect users to a download site with malicious files. Microsoft reported this abuse to Google.
DEV-0569 relies on malvertising and phishing links that point to a malware downloader posing as a software installer or update, embedded in spam emails, fake forum pages, and blog comments.
Microsoft says that in the past few months its researchers observed DEV-0569 using contact forms on targeted organizations' websites to deliver phishing links, hosting fake installer files on legitimate-looking software download sites and in legitimate repositories to make malicious downloads look authentic to targets, and expanding its malvertising technique by using Google Ads in one of its campaigns, effectively blending in with normal ad traffic.
Microsoft notes that from August to October 2022, its researchers observed DEV-0569 activity in which BATLOADER, delivered via malicious links in phishing emails, posed as legitimate installers for numerous applications such as TeamViewer, Adobe Flash Player, Zoom, and AnyDesk.
BATLOADER was hosted on attacker-created domains posing as legitimate software download sites and on legitimate repositories like GitHub and OneDrive, the company reported. (A detailed description is provided here.)
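The report's two hosting patterns, installers fetched from look-alike domains and installers fetched from legitimate repositories, are both visible in ordinary web proxy logs. The following is an added example written for this article, not code from Microsoft's report or from any detection product. It scans constructed proxy log lines for executable downloads whose file names resemble the installers the report names (TeamViewer, AnyDesk, Zoom, Adobe Flash Player) and flags any that do not come from the vendor's own domain. The per-vendor allowlist, the log line format and the repository host list are assumptions made for the example.

```python
from urllib.parse import urlparse

# Constructed allowlist (an assumption for this example, not from Microsoft's report):
# the domain from which each product's installer is expected to be fetched.
OFFICIAL_HOSTS = {
    "teamviewer": ("teamviewer.com",),
    "anydesk": ("anydesk.com",),
    "zoom": ("zoom.us",),
    # Adobe Flash Player reached end of life; no host is legitimate for a new installer.
    "flash": (),
}

# Legitimate repositories the report names as abused for hosting BATLOADER.
REPOSITORY_HOSTS = ("github.com", "githubusercontent.com", "1drv.ms", "onedrive.live.com")

INSTALLER_SUFFIXES = (".exe", ".msi")


def _host_matches(host, domains):
    """True if host equals one of the domains or is a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_download(url):
    """Classify a single download URL.

    Returns None when the URL is not an installer for a tracked product,
    otherwise (product, verdict) with verdict one of
    'official', 'hosted-on-repository' or 'lookalike-host'.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    filename = parsed.path.rsplit("/", 1)[-1].lower()
    if not filename.endswith(INSTALLER_SUFFIXES):
        return None
    for product, domains in OFFICIAL_HOSTS.items():
        if product not in filename:
            continue
        if _host_matches(host, REPOSITORY_HOSTS):
            return product, "hosted-on-repository"
        if _host_matches(host, domains):
            return product, "official"
        return product, "lookalike-host"
    return None


def scan_proxy_log(lines):
    """Parse constructed proxy log lines ('<ts> <client> <method> <url> <status>')
    and return the entries worth triage as (client, url, product, verdict)."""
    flagged = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        client, url = parts[1], parts[3]
        result = classify_download(url)
        if result and result[1] != "official":
            flagged.append((client, url) + result)
    return flagged


# Constructed sample log lines (not real traffic); '.example' is a reserved TLD.
SAMPLE_LOG = [
    "2022-10-12T09:14:02Z 10.0.0.5 GET https://download.teamviewer.com/download/TeamViewer_Setup.exe 200",
    "2022-10-12T09:15:31Z 10.0.0.7 GET https://teamviewer-setup.example/TeamViewer_Setup.exe 200",
    "2022-10-12T09:16:05Z 10.0.0.9 GET https://github.com/someuser/repo/releases/download/v1/AnyDesk.exe 200",
    "2022-10-12T09:17:44Z 10.0.0.5 GET https://zoom.us/client/latest/ZoomInstaller.exe 200",
    "2022-10-12T09:18:10Z 10.0.0.3 GET https://www.example.com/index.html 200",
]

if __name__ == "__main__":
    for entry in scan_proxy_log(SAMPLE_LOG):
        print(entry)
```

Run against the sample, the scan flags the look-alike host and the GitHub-hosted AnyDesk download and leaves the two vendor-hosted installers alone. A repository hit is not proof of malice (many legitimate tools publish releases on GitHub), which is why the verdict is kept separate from the look-alike case so an analyst can weight the two differently.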