BATLOADER Uses Google Ads to Deliver Vidar Stealer and Ursnif Malware

Man

The BATLOADER downloader abuses Google Ads and uses the platform to host fraudulent advertisements and distribute Vidar Stealer and Ursnif malware through them.

Reference:
Vidar Stealer is a Trojan-type malicious program used by cybercriminals to steal user data. Its main distribution channels are email spam and fake software updates.
Ursnif is a banking trojan. Attackers use it to steal users' banking data; to do this, it records keystrokes and collects information about the system and its running processes.

According to cybersecurity company eSentire, attackers are using malvertising to place ads that appear to be from various official and popular apps and services, such as Adobe, Zoom, Tableau, ChatGPT OpenAPI, and Spotify.

BATLOADER, as the name suggests, is a downloader designed to distribute other malware, including information stealers, banking trojans, Cobalt Strike-type tooling (to mislead the user), and even ransomware.

A notable feature of BATLOADER is its use of software imitation tactics to deliver malware. This is achieved by creating clone sites that host malicious Windows installer files. These disguise themselves as genuine applications and activate the infection of the user's device when the user clicks on a fraudulent ad on a Google search results page for a keyword containing the name of the software.

[Image: 3-94.jpg]

In this way, attackers compromise both the advertising platform where the malicious advertising campaign passed all moderation filters, and the official services.

[Screenshot: payload.png]

Here's an example in the screenshot above. Once the user downloads the installation file, in this case an MSI, Python scripts containing the BATLOADER payload are executed, which retrieve the next-stage malware from a remote server.

This method of operation is a slight deviation from the previous chain of attacks observed in December 2022, which used MSI installer packages to run PowerShell scripts that initiated the download of malware used to steal information.

eSentire analyzed other BATLOADER samples and found that it can be used to establish full access to corporate networks. The increase in malicious ads in search engines comes amid a recent announcement by Microsoft that it will block macros by default in Office files downloaded from the Internet.

“Attackers are abusing Google’s ad network by purchasing ad space to place ads optimized for high-volume keywords and related typos,” said cybersecurity firm Malwarebytes.

“The BATLOADER malware has been modernized and improved since its first appearance in 2022,” eSentire said. “It imitates popular official applications and services familiar to users, and thus finds additional ways to distribute malware for the purpose of further fraud.”
