Microsoft Warns of Cybercrime Group Delivering Royal Ransomware, Other Malware

A threat actor tracked as DEV-0569 and known for the distribution of various malicious payloads was recently observed updating its delivery methods, Microsoft warns.

DEV-0569 has been relying on malicious ads (malvertising), blog comments, fake forum pages, and phishing links for the distribution of malware.

Over the past few months, however, Microsoft noticed that the threat actor has started using contact forms to deliver phishing links, while choosing to host fake installers on legitimate-looking software download sites and legitimate repositories, such as GitHub and OneDrive.

The adversary continues to rely on malvertising for malware distribution, and even expanded the technique by employing Google Ads in one of the campaigns.

“These methods allow the group to potentially reach more targets and ultimately achieve their goal of deploying various post-compromise payloads,” Microsoft says.

The group is also known for signing malicious binaries with legitimate certificates, and for using encrypted malware payloads and defense evasion techniques. In recent attacks, DEV-0569 has used the open-source tool Nsudo for disabling antivirus solutions.

The threat actor is relying on malware downloaders such as Batloader, posing as legitimate installers or updates for software such as AnyDesk, Adobe Flash Player, Microsoft Teams, TeamViewer, and Zoom.

DEV-0569 has also been observed using file formats like Virtual Hard Disk (VHD) for impersonating legitimate software, as well as using PowerShell and batch scripts for downloading information stealers and remote access tools.

In a September campaign, the threat actor was seen using contact forms on public websites for malware distribution. Posing as a national financial authority, DEV-0569 sent messages using the contact forms and, after the targets responded via email, responded with messages containing Batloader.

As part of successful attacks, the threat actor executed commands to elevate privileges to System and deployed various payloads to the compromised machine, including the Gozi banking trojan and the Vidar Stealer information stealer.

In September, Microsoft observed DEV-0569 infection chains leading to Royal ransomware, which is human-operated. The Batloader downloader and a Cobalt Strike Beacon implant were used in these attacks.

In October, the threat group started abusing Google Ads directing users to legitimate traffic distribution system (TDS) Keitaro, which supports tracking ad traffic and users. Microsoft noticed that users were being redirected to legitimate download sites or to malicious Batloader download domains, under certain conditions.

Related: Black Basta Ransomware Linked to FIN7 Cybercrime Group

Related: BlackByte Ransomware Abuses Legitimate Driver to Disable Security Protections