Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Microsoft Warns of Cybercrime Group Delivering Royal Ransomware, Other Malware

A threat actor tracked as DEV-0569 and known for the distribution of various malicious payloads was recently observed updating its delivery methods, Microsoft warns.

A threat actor tracked as DEV-0569 and known for the distribution of various malicious payloads was recently observed updating its delivery methods, Microsoft warns.

DEV-0569 has been relying on malicious ads (malvertising), blog comments, fake forum pages, and phishing links for the distribution of malware.

Over the past few months, however, Microsoft noticed that the threat actor has started using contact forms to deliver phishing links, while choosing to host fake installers on legitimate-looking software download sites and legitimate repositories, such as GitHub and OneDrive.

The adversary continues to rely on malvertising for malware distribution, and even expanded the technique by employing Google Ads in one of the campaigns.

“These methods allow the group to potentially reach more targets and ultimately achieve their goal of deploying various post-compromise payloads,” Microsoft says.

The group is also known for signing malicious binaries with legitimate certificates, and for using encrypted malware payloads and defense evasion techniques. In recent attacks, DEV-0569 has used the open-source tool Nsudo for disabling antivirus solutions.

The threat actor is relying on malware downloaders such as Batloader, posing as legitimate installers or updates for software such as AnyDesk, Adobe Flash Player, Microsoft Teams, TeamViewer, and Zoom.

DEV-0569 has also been observed using file formats like Virtual Hard Disk (VHD) for impersonating legitimate software, as well as using PowerShell and batch scripts for downloading information stealers and remote access tools.

Advertisement. Scroll to continue reading.

In a September campaign, the threat actor was seen using contact forms on public websites for malware distribution. Posing as a national financial authority, DEV-0569 sent messages using the contact forms and, after the targets responded via email, responded with messages containing Batloader.

As part of successful attacks, the threat actor executed commands to elevate privileges to System and deployed various payloads to the compromised machine, including the Gozi banking trojan and the Vidar Stealer information stealer.

In September, Microsoft observed DEV-0569 infection chains leading to Royal ransomware, which is human-operated. The Batloader downloader and a Cobalt Strike Beacon implant were used in these attacks.

In October, the threat group started abusing Google Ads directing users to legitimate traffic distribution system (TDS) Keitaro, which supports tracking ad traffic and users. Microsoft noticed that users were being redirected to legitimate download sites or to malicious Batloader download domains, under certain conditions.

Related: Black Basta Ransomware Linked to FIN7 Cybercrime Group

Related: BlackByte Ransomware Abuses Legitimate Driver to Disable Security Protections

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Wendi Whitmore has taken the role of Chief Security Intelligence Officer at Palo Alto Networks.

Phil Venables, former CISO of Google Cloud, has joined Ballistic Ventures as a Venture Partner.

David Currie, former CISO of Nubank and Klarna, has been appointed CEO of Vaultree.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.