Hackers Abusing search engine Ads to Deliver DANABOT & DARKGATE Malwares

Threat actors are purchasing advertisements for malicious websites to lure victims into downloading malware, which can eventually lead to data theft and ransomware. 

This technique was used in several ad platforms, including search engine ads and social media ads, as they provide a wide range of controls like specific audiences, geographic locations, IP address ranges, browsing history, and device types.

EHA

Search Engine Ads Deliver Malware

According to the reports shared with Cyber Security News, there have been four different malware families observed during the investigation of these malicious ad campaigns, which were, 

  • PAPERDROP – VBScript-based downloader that communicates with HTTPS and also downloads and executes DANABOT.
  • PAPERTEAR – VBScript-based downloader observed to enumerate the list of local processes.
  • DANABOT – Backdoor written in Delphi that uses custom binary protocol over TCP.
  • DARKGATE – Backdoor written in Delphi that is capable of capturing keystrokes, executing commands, file transfer, and credential theft.

In addition to this three different delivery chains were observed in two of them used a renamed version of cURL binary.

Infection Chain #1: PAPERDROP > DANABOT

In this infection chain, the wscript.exe process is used to initial a DNS request which then executes the Windows installer utility msiexec.exe and installs an application. Furthermore, it uses the rundll32.exe process to load the dropper DLL and executes the “start” function to launch the DANABOT payload.

Infection Chain
Infection Chain #1 (Source: Mandiant)

Infection Chain #2: PAPERTEAR > RENAMED CURL > DARKGATE

In this second infection chain, the PAPERTEAR downloader initiates an HTTP POST request to infocatalog[.]pics over port 8080. After this, the wscript.exe executes the one-liner command that eventually drops the DARKGATE malware onto the victim’s system.

Infection Chain #2
Infection Chain #2 (Source: Mandiant)

Infection Chain #3: PAPERDROP > RENAMED CURL > DANABOT

The third execution chain is similar to the second one but here the PAPERDROP downloader executes another extended one-liner that uses the renamed curl.exe binary for downloading and installing a malicious package file which drops the DANABOT malware.

Infection Chain #3
Infection Chain #3 (Source: Mandiant)

Furthermore, a complete report has been published which provides detailed information about the malware capabilities, execution methods, chains, and other information.

Indicators of Compromise

TypeValueCampaignMalware FamilyAttribution
Domainwww.claimprocessing[.]org23-046UNC2975
Domainwww.treasurydept[.]org23-046UNC2975
Domainwww.assetfinder[.]org23-046UNC2975
Domaingfind[.]org23-046UNC2975
Domainclaimunclaimed[.]org23-046UNC2975
Domaintreasurydept[.]org23-046UNC2975
Domainwww.myunclaimedcash[.]org23-046UNC2975
Domainfreelookup[.]org23-046UNC2975
Domaincapitalfinders[.]org23-046UNC2975
Domainplano.soulcarelife[.]org23-046PAPERDROPUNC2975
Domainpittsburgh.soulcarelife[.]org23-046PAPERDROPUNC2975
Domaindurham.soulcarelife[.]org23-046PAPERDROPUNC2975
Domainmesa.halibut[.]sbs23-046PAPERDROPUNC2975
Domainarlington.barracudas[.]sbs23-046PAPERDROPUNC2975
Domainlugbara[.]top23-046PAPERDROPUNC2975
Domainlewru[.]top23-046PAPERDROPUNC2975
Domaininfocatalog[.]pics23-046DARKGATEUNC5085
Domainbikeontop[.]shop23-046DARKGATEUNC5085
Domainpositivereview[.]cloud23-046DARKGATEUNC5085
Domaindreamteamup[.]shop23-046DARKGATEUNC5085
Domainwhatup[.]cloud23-046DARKGATEUNC5085
Domainthebesttime[.]buzz23-046DARKGATEUNC5085
IP Address47.253.165[.]123-046UNC2975
IP Address8.209.99[.]23023-046UNC2975
IP Address47.252.45[.]17323-046UNC2975
IP Address47.252.33[.]13123-046UNC2975
IP Address47.253.141[.]1223-046UNC2975
IP Address47.252.45[.]17323-046UNC2975
IP Address34.16.181[.]023-046DANABOT
IP Address35.247.194[.]7223-046DANABOT
IP Address35.203.111[.]22823-046DANABOT
IP Address94.228[.]169[.]14323-051PAPERTEARUNC5085
MD59f9c5a1269667171e1ac328f7f7f6cb323-046DARKGATEUNC5085
MD52c16eafd0023ea5cb8e9537da442047e23-046PAPERDROP (Type I)UNC2975
MD57544f5bb88ad481f720a9d9f94d95b3023-046PAPERDROP(Type I)UNC2975
MD5862a42a91b5734062d47c37fdd80c633PAPERDROP(Type II)UNC2956
MD5650b0b12b21e9664d5c771d78738cf9fPAPERTEARUNC5085
MD59120c82b0920b9db39894107b5494ccd23-051PAPERTEARUNC5085
Source: Mandiant
Eswar is a Cyber security reporter with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is reporting data breach, Privacy and APT Threats.