Manipulated AI-themed ads carrying malware

SophosNews


Cybercriminals these days are trend-savvy scammers! They cleverly use the hype about artificial intelligence for their own purposes: they place banking Trojans and info stealers in manipulated ads about AI. Sophos forensic experts took a closer look at this malvertising case.

Since the beginning of this year, Sophos X-Ops has seen a resurgence of malvertising in various malware campaigns, both in its telemetry and in how often the topic now surfaces on underground forums. Malvertising, the practice of injecting malicious code into digital advertisements, is neither a new topic nor a new TTP for attackers.

Malvertising – Advertising including malware

A typical malvertising infection chain, which in this case leads to a Gozi/Ursnif infection (Image: Sophos).

However, the technique has been used increasingly again in recent months, possibly because of Microsoft's new protective measures against malicious macros from the Internet, another popular delivery method for malicious code.

During a recent investigation into a criminal marketplace, X-Ops found a number of ads promoting rigged Google Ads accounts and so-called "Black SEO" services. These are services designed to help attackers rank their malicious websites at the top of search results.

BatLoader and IcedID – the malvertising stars

Two of the most notable malware families that have exploited malvertising in recent months are BatLoader and IcedID. IcedID first appeared in 2017 as a banking Trojan designed to steal banking credentials. More recently, attackers have used IcedID to gain access to targeted networks as the first stage of a ransomware attack. Previous IcedID malvertising attacks involved malicious ads distributed via Google Ads for office-related communication tools such as Slack, Microsoft Teams, and WebEx.

BatLoader has traditionally been a tool used by cyber criminals to infect user systems with sophisticated malware, particularly infostealers like RaccoonStealer. While previous BatLoader malvertising campaigns exploited users' search for IT tools, more recent campaigns capitalize on the artificial intelligence hype.

Dangerous: Targeted advertising for users

Christopher Budd, Director Threat Research at Sophos X-Ops: “Malvertising has many benefits for criminals. Just as legitimate advertisers carefully target their ads, criminals can use malvertising to target users, particularly geographically. In addition, it is often difficult for defenders to detect and combat these types of malware campaigns. Basically, we found that the attackers follow technical trends. The latest malicious ads try to generate clicks not only with popular IT and communication apps, but also with AI tools such as ChatGPT or MidJourney. Increased vigilance is required here, and it is very likely that criminals will continue to expand and professionalize their malvertising campaigns.”

