Threat actors are purchasing advertisements for malicious websites to lure victims into downloading malware, which can eventually lead to data theft and ransomware.
This technique was used in several ad platforms, including search engine ads and social media ads, as they provide a wide range of controls like specific audiences, geographic locations, IP address ranges, browsing history, and device types.
Search Engine Ads Deliver Malware
According to the reports shared with Cyber Security News, there have been four different malware families observed during the investigation of these malicious ad campaigns, which were,
-
PAPERDROP – VBScript-based downloader that communicates with HTTPS and also downloads and executes DANABOT.
-
PAPERTEAR – VBScript-based downloader observed to enumerate the list of local processes.
-
DANABOT – Backdoor written in Delphi that uses custom binary protocol over TCP.
-
DARKGATE – Backdoor written in Delphi that is capable of capturing keystrokes, executing commands, file transfer, and credential theft.
In addition to this three different delivery chains were observed in two of them used a renamed version of cURL binary.
Infection Chain #1: PAPERDROP > DANABOT
In this infection chain, the wscript.exe process is used to initial a DNS request which then executes the Windows installer utility msiexec.exe and installs an application. Furthermore, it uses the rundll32.exe process to load the dropper DLL and executes the “start” function to launch the DANABOT payload.
Infection Chain #1 (Source: Mandiant)
Infection Chain #2: PAPERTEAR > RENAMED CURL > DARKGATE
In this second infection chain, the PAPERTEAR downloader initiates an HTTP POST request to infocatalog[.]pics over port 8080. After this, the wscript.exe executes the one-liner command that eventually drops the DARKGATE malware onto the victim’s system.
Infection Chain #2 (Source: Mandiant)
Infection Chain #3: PAPERDROP > RENAMED CURL > DANABOT
The third execution chain is similar to the second one but here the PAPERDROP downloader executes another extended one-liner that uses the renamed curl.exe binary for downloading and installing a malicious package file which drops the DANABOT malware.
Infection Chain #3 (Source: Mandiant)
Furthermore, a complete report has been published which provides detailed information about the malware capabilities, execution methods, chains, and other information.
Indicators of Compromise
Type Value Campaign Malware Family Attribution Domainwww.claimprocessing[.]org23-046UNC2975Domainwww.treasurydept[.]org23-046UNC2975Domainwww.assetfinder[.]org23-046UNC2975Domaingfind[.]org23-046UNC2975Domainclaimunclaimed[.]org23-046UNC2975Domaintreasurydept[.]org23-046UNC2975Domainwww.myunclaimedcash[.]org23-046UNC2975Domainfreelookup[.]org23-046UNC2975Domaincapitalfinders[.]org23-046UNC2975Domainplano.soulcarelife[.]org23-046PAPERDROPUNC2975Domainpittsburgh.soulcarelife[.]org23-046PAPERDROPUNC2975Domaindurham.soulcarelife[.]org23-046PAPERDROPUNC2975Domainmesa.halibut[.]sbs23-046PAPERDROPUNC2975Domainarlington.barracudas[.]sbs23-046PAPERDROPUNC2975Domainlugbara[.]top23-046PAPERDROPUNC2975Domainlewru[.]top23-046PAPERDROPUNC2975Domaininfocatalog[.]pics23-046DARKGATEUNC5085Domainbikeontop[.]shop23-046DARKGATEUNC5085Domainpositivereview[.]cloud23-046DARKGATEUNC5085Domaindreamteamup[.]shop23-046DARKGATEUNC5085Domainwhatup[.]cloud23-046DARKGATEUNC5085Domainthebesttime[.]buzz23-046DARKGATEUNC5085IP Address47.253.165[.]123-046UNC2975IP Address8.209.99[.]23023-046UNC2975IP Address47.252.45[.]17323-046UNC2975IP Address47.252.33[.]13123-046UNC2975IP Address47.253.141[.]1223-046UNC2975IP Address47.252.45[.]17323-046UNC2975IP Address34.16.181[.]023-046DANABOTIP Address35.247.194[.]7223-046DANABOTIP Address35.203.111[.]22823-046DANABOTIP Address94.228[.]169[.]14323-051PAPERTEARUNC5085MD59f9c5a1269667171e1ac328f7f7f6cb323-046DARKGATEUNC5085MD52c16eafd0023ea5cb8e9537da442047e23-046PAPERDROP (Type I)UNC2975MD57544f5bb88ad481f720a9d9f94d95b3023-046PAPERDROP(Type I)UNC2975MD5862a42a91b5734062d47c37fdd80c633PAPERDROP(Type II)UNC2956MD5650b0b12b21e9664d5c771d78738cf9fPAPERTEARUNC5085MD59120c82b0920b9db39894107b5494ccd23-051PAPERTEARUNC5085 Source: Mandiant
