New Threat Group Already Evolves Delivery Tactics to Include Google Ads

New Threat Group Already Evolves Delivery TacticsDelivering an equally new Royal ransomware, this threat group monitored by Microsoft Security Threat Intelligence has already shown signs of impressive innovation to trick victims.

Microsoft keeps track of new threat groups, giving them a DEV-#### designation to track them until there is confidence around who is behind the group. In the case of DEV-0569, this threat group uses malvertising, and malicious phishing links that point to a malware downloader under the guise of being a legitimate software installers or software update, using spam emails, fake forum pages, and blog comments as initial contact points with potential victims.

According to Microsoft, the group has expanded its social engineering techniques to improve their delivery of malware, including delivering phishing links via contact forms on the targeted organizations’ website and hosting fake installer files on legitimate-looking software download sites and legitimate repositories to make malicious downloads look authentic to their targets.

Take the example below, where the threat group hosted their malicious downloader, known as BATLOADER, on a site that appears to be a TeamViewer download site.


Source: Microsoft

Microsoft have also noted the expansion of their malvertising technique to include Google Ads in one of their campaigns, establishing legitimacy and blending in with normal ad traffic.

This level of innovation shows that threat actors are stepping up their game to establish legitimacy in any way possible – including paying for ads – so that victim’s defenses are down. It’s all the more reason for organizations to educate their users through Security Awareness Training to always be watchful, even in situations where everything seems “normal”; as that legitimate search query on Google could result in enabling malicious activity.

Free Ransomware Simulator Tool

Threat actors are constantly coming out with new strains to evade detection. Is your network effective in blocking all of them when employees fall for social engineering attacks?

KnowBe4’s "RanSim" gives you a quick look at the effectiveness of your existing network protection. RanSim will simulate 24 ransomware infection scenarios and 1 cryptomining infection scenario and show you if a workstation is vulnerable.

RansIm-Monitor3Here's how it works:

  • 100% harmless simulation of real ransomware and cryptomining infections
  • Does not use any of your own files
  • Tests 25 types of infection scenarios
  • Just download the install and run it 
  • Results in a few minutes!

Get RanSim!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

Subscribe To Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews