On November 17th, Microsoft Security Threat Intelligence tracked activity from a threat actor known as DEV-0569 regarding the development of new tools to deliver the Royal ransomware.
Although Microsoft still uses a temporary ‘DEV-####’ designation for it, meaning that they are unsure about its origin or identity, the group is believed to consist of ex-Conti members.
“Observed DEV-0569 attacks show a pattern of continuous innovation, with regular incorporation of new discovery techniques, defense evasion, and various post-compromise payloads, alongside increasing ransomware facilitation,” the Microsoft Security Threat Intelligence team said in an analysis.
Traced back to August 2022, the group typically relies on malvertising, phishing link vectors, fake forum pages, and blog comments. They also direct users to a malware downloader called BATLOADER, posing as various legitimate software installers such as TeamViewer, Adobe Flash Player, and Zoom or updates embedded in spam emails.
When BATLOADER is launched, it uses MSI Custom Actions to launch malicious PowerShell activity or run batch scripts to aid in disabling security solutions and lead to the delivery of various encrypted malware payloads that are decrypted and launched with PowerShell commands.
BATLOADER also appears to share overlaps with another malware called Zloader. A recent analysis of the strain by eSentire and VMware called out its stealth and persistence, in addition to its use of search engine optimization (SEO) poisoning to lure users to download the malware from compromised websites or attacker-created domains.
In their blog post, Microsoft security researchers mentioned some of the recently observed changes in the group’s delivery method. This includes the use of contact forms on targeted organizations’ websites to deliver phishing links, hosting fake installer files on seemingly legitimate software download sites, and expansion of their malvertising technique through Google Ads.
- Gootloader exploits websites via SEO to spread ransomware
- Google Fails To Remove “App Developer” Behind Malware Scam
- Malicious Office documents make up 43% of all malware downloads
- Google Drive accounted for 50% of malicious Office docs downloads
- Research sector targeted in spear phishing attack using Google Drive
In one particular campaign, DEV-0569 sent a message to targets using the contact form on these targets’ websites, posing as a national financial authority. When a contracted target responds via email, the threat actor replies with a message containing a link to BATLOADER, hence successfully luring the target into its trap.
Also utilized is a tool known as NSudo to launch programs with elevated privileges and impair defenses by adding registry values that are designed to disable antivirus solutions.
Their expansion strategy by employing Google Ads to spread BATLOADER, however, seems to have made the biggest difference in the diversification of the DEV-0569’s distribution vectors. This enabled it to reach more targets and deliver malware payloads.
“Since DEV-0569’s phishing scheme abuses legitimate services, organizations can also leverage mail flow rules to capture suspicious keywords or review broad exceptions, such as those related to IP ranges and domain-level allow lists,” Microsoft said.