A ransomware gang is responsible for a string of Google search ads that used major brands as lures to distribute ransomware over the past three weeks. The targets are businesses and public entities. This campaign adds to a recent string of breaches perpetrated by cybergang ALPHV/BlackCat, according to eSentire researchers.
ESentire said in a blog post outlining the research that the ads placed by the cybergang purported to be legitimate offers for software tools. However, the ads linked to malicious sites that enticed victims to download a Python-based malware payload that opens access for further infection, according to eSentire’s Threat Response Unit (TRU).
“This affiliate is taking out Google ads promoting popular software, such as Advanced IP Scanner, Slack, WinSCP and Cisco AnyConnect, to lure business professionals to attacker-controlled websites,” according to eSentire.
The attacks targeted a law firm, a manufacturer and a warehouse provider and were detected and intercepted by the TRU, the post states.
The threat actors also abused Python libraries to spread the ransomware via an exploit called Nitrogen, which was first identified and named by eSentire in June 2023. Nitrogen is executed through DLL sideloading and evades detection using highly obfuscated Python libraries that appear harmless to many security systems. The obfuscation of Python libraries makes the malware’s attack path more difficult to trace for post-infection analysis. The exploit’s purpose is to open initial access to the victim’s system, allowing the ALPHV/BlackCat ransomware to easily take hold.
The recent cyberattacks are part of an ongoing campaign by ALPHV/BlackCat affiliates who were previously observed placing malicious ads for WinSCP in both Google and Bing search results.
Browser-based attacks now more popular than inbox-based attacks
ESentire noted that browser-based attacks such as the abuse of search results to distribute malware are now surpassing email-based attacks as the preferred method for ransomware infections.
A “massive spike” in Google ad-based malvertising detected by Spamhaus Technology researchers in February serves as another example of the method’s popularity and the potential growth of malvertising-as-a-service.
The continued threat posed by the ALPHV/BlackCat ransomware gang is also of note in light of the McLaren Health Care data breach revealed last week, in which the data of nearly 2.2 million people was stolen. The ALPHV/BlackCat affiliate Scattered Spider is also believed to be responsible for the ransomware attacks on MGM Resorts International and Caesars Entertainment in September, which resulted in at least $100 million in damages for MGM and a $15 million ransom payment by Caesars, although malvertising was not reported to be involved in these attacks.
Malicious Google search ads now in vogue
Researchers from Trend Micro, who also studied these early malvertising attacks by ALPHV/BlackCat, noted that previous campaigns also used malicious ads via search results. In one campaign, ads displayed above organic search results promoted WinSCP. The ad used a URL that resembled the legitimate WinSCP domain. This was an attempt by adversaries to abuse well-known brands as a lure to trick business professionals into downloading malicious files.
Jon Clay, VP of Threat Intelligence at Trend Micro, told SC Media that recent campaigns abusing search-based ads should prompt ad network vendors to tighten security.
“It isn’t necessarily the search tools that are vulnerable; advertisements tend to be delivered via ad networks, and not the search vendors,” Clay said. “These owners may not vet the ads being purchased, which allows malicious actors to get their malvertisements embedded within the search results along with legitimate ads. So, ad network vendors need to improve their security controls and control who they are allowing to advertise within their infrastructure.”
ESentire recommends mitigating company risk by paring back the types of script files allowed on a network, monitoring endpoints more vigilantly and logging telemetry carefully.
It advises a logging protocol “to ensure you are capturing telemetry – especially for devices and services that don’t support an endpoint agent, including VPN, device enrollment, and server software for applications that don’t generate endpoint telemetry, like Citrix, IIS, and cloud services.”
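One way to put that telemetry to work against the lure described above, added here as an example and not taken from eSentire or Trend Micro: scan web-proxy logs for installers named after the brands in this article that were fetched from a host outside the vendor's own domain. The log format, the vendor-domain allowlist and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Brands named in the article -> vendor domains (assumed allowlist; verify for your estate).
OFFICIAL = {
    "winscp": {"winscp.net"},
    "slack": {"slack.com"},
    "anyconnect": {"cisco.com"},
    "advanced-ip-scanner": {"advanced-ip-scanner.com"},
}
SEARCH = ("google.com", "bing.com")  # referrers that suggest a search-result click
INSTALLER = re.compile(r"\.(exe|msi|iso|img|zip)$", re.I)

def on_domain(host, domain):
    # Exact match or true subdomain; "winscp.net.example" must not pass.
    return host == domain or host.endswith("." + domain)

def brand_in(text):
    norm = re.sub(r"[^a-z0-9]+", "-", text.lower())
    return next((b for b in OFFICIAL if b in norm), None)

def suspicious_downloads(lines):
    """Return (client, host, brand, via_search) for brand installers fetched off-vendor."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        _ts, client, _method, url, referrer = parts
        u = urlparse(url)
        host = (u.hostname or "").lower()
        if not INSTALLER.search(u.path):
            continue  # only installer-like downloads are of interest
        brand = brand_in(host + " " + u.path.rsplit("/", 1)[-1])
        if brand is None or any(on_domain(host, d) for d in OFFICIAL[brand]):
            continue  # unrelated file, or served by the vendor itself
        ref_host = (urlparse(referrer).hostname or "").lower()
        hits.append((client, host, brand, any(on_domain(ref_host, s) for s in SEARCH)))
    return hits

# Constructed sample lines: timestamp, client IP, method, URL, referrer.
SAMPLE_LOG = [
    "2023-11-14T09:12:03Z 10.0.4.21 GET https://winscp.net/download/WinSCP-6.1.2-Setup.exe https://www.google.com/",
    "2023-11-14T09:15:40Z 10.0.4.37 GET https://winsccp.example/files/WinSCP-6.1.2-Setup.iso https://www.google.com/",
    "2023-11-14T10:02:11Z 10.0.7.9 GET https://downloads.example/Advanced_IP_Scanner_2.5.exe https://www.bing.com/",
    "2023-11-14T10:30:55Z 10.0.7.9 GET https://anyconnect-vpn.example/index.html -",
    "2023-11-14T11:05:00Z 10.0.2.3 GET https://files.example/cisco-anyconnect-win.msi -",
]
if __name__ == "__main__":
    for hit in suspicious_downloads(SAMPLE_LOG):
        print(hit)
```

A hit with `via_search` set is the closest match to the ad-click pattern in this campaign; hits without it still warrant a look, since referrers are often stripped.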