Hackers Deliver Royal Ransomware

According to a recent analysis from Microsoft’s Security Threat Intelligence team, hackers used Google Ads in one campaign to spread several payloads, which resulted in the deployment of the Royal ransomware.

Microsoft is tracking the group as ‘DEV-0569’ after discovering the updated malware delivery technique in late October 2022.

“Observed DEV-0569 attacks show a pattern of continuous innovation, with regular incorporation of new discovery techniques, defense evasion, and various post-compromise payloads, alongside increasing ransomware facilitation,” says Microsoft’s Security Threat Intelligence team.

DEV-0569 focuses particularly on malvertising and on phishing links, embedded in spam emails, fake forum pages, and blog comments, that lead to malware downloaders disguised as software installers or updates.

DEV-0569’s Tactics, Techniques, And Procedures (TTPs)

Researchers say the DEV-0569 operation distributes malware payloads using signed binaries. The group mostly relies on defence evasion techniques and also employs the open-source application NSudo in subsequent campaigns to try to disable antivirus products.

The malware downloaders, known as ‘BATLOADER’, disguise themselves as installers or updates for trustworthy programmes like Microsoft Teams or Zoom. 

When BATLOADER is launched, it takes advantage of MSI Custom Actions to initiate malicious PowerShell activity or execute batch scripts. These scripts help disable security tools and deliver a variety of encrypted malware payloads, which are decrypted and launched with PowerShell commands.

The report says BATLOADER was delivered via malicious links in phishing emails, posing as legitimate installers for numerous applications such as TeamViewer, Adobe Flash Player, Zoom, and AnyDesk.

Further, it was hosted on attacker-created domains posing as legitimate software download sites (anydeskos[.]com, for example) and on legitimate repositories like GitHub and OneDrive.

Attackers Posing as Legitimate Tools

DEV-0569 observed in September 2022, where the landing site hosted BATLOADER posing as a TeamViewer installer

Microsoft has also noticed the use of file formats like Virtual Hard Disk (VHD) to disguise first-stage payloads as legitimate software. 

Additionally, these VHDs have malicious scripts that trigger the download of the malware payloads associated with DEV-0569.

DEV-0569 Infection Chain

The group also used a variety of infection chains, including PowerShell and batch scripts, that eventually resulted in the download of malware payloads such as information stealers or a legitimate remote management tool used for network persistence.

Microsoft noticed DEV-0569 used the open-source NSudo tool to attempt to disable antivirus solutions. Further, they also used contact forms on targeted organizations’ websites to deliver phishing links.
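The behaviours described above, an MSI installer launching PowerShell or batch scripts and NSudo being run on the same machine, can be turned into a simple triage rule over process-creation logs. The sketch below is an added example and not code from Microsoft's report; the events are constructed, the field names follow Sysmon Event ID 1, and matching NSudo by file name is an assumption that fails if the binary is renamed.

```python
import ntpath

# Script hosts that an MSI installer rarely needs to launch directly.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Constructed process-creation events (Sysmon Event ID 1 field names).
SAMPLE_EVENTS = [
    {"Host": "WS-01", "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File install.ps1"},
    {"Host": "WS-01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\Public\NSudoLG.exe",
     "CommandLine": "NSudoLG.exe <args>"},
    {"Host": "WS-02", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec.exe /i setup.msi"},
    {"Host": "WS-03", "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c post_install.bat"},
]

def basename(path):
    """Lower-cased file name of a Windows path, on any OS."""
    return ntpath.basename(path).lower()

def classify(event):
    """Return the names of the rules this event matches."""
    hits = []
    parent, child = basename(event["ParentImage"]), basename(event["Image"])
    if parent == "msiexec.exe" and child in SCRIPT_HOSTS:
        hits.append("msi_spawns_script_host")
    if "nsudo" in child or "nsudo" in event["CommandLine"].lower():
        hits.append("nsudo_execution")
    return hits

def triage(events):
    """Group matched rules per host; two distinct rules raise priority."""
    by_host = {}
    for ev in events:
        for rule in classify(ev):
            by_host.setdefault(ev["Host"], set()).add(rule)
    return {host: ("high" if len(rules) > 1 else "review", sorted(rules))
            for host, rules in by_host.items()}

if __name__ == "__main__":
    for host, (priority, rules) in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, priority, rules)
```

Legitimate installers also run scripts from msiexec.exe, so a single match is a review item; the combination with NSudo on one host is what raises the priority.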

Based on tactics observed by Microsoft, ransomware attackers likely gained access to compromised networks via a BATLOADER-delivered Cobalt Strike Beacon implant. Additionally, this puts the gang in a better position to act as an initial access broker for other ransomware operations, joining the likes of malware such as Emotet, IcedID, and Qakbot.

“Solutions such as network protection and Microsoft Defender SmartScreen can help thwart malicious link access. Microsoft Defender for Office 365 helps guard against phishing by inspecting the email body and URL for known patterns,” says Microsoft.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.