{"id":22318,"date":"2023-06-26T16:11:08","date_gmt":"2023-06-27T00:11:08","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2023\/06\/26\/news-16048\/"},"modified":"2023-06-26T16:11:08","modified_gmt":"2023-06-27T00:11:08","slug":"news-16048","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/06\/26\/news-16048\/","title":{"rendered":"Malvertising: A stealthy precursor to infostealers and ransomware attacks"},"content":{"rendered":"

This article is based on research by Jérôme Segura<\/a>, Senior Director of Threat Intelligence at Malwarebytes, who oversees data collection from spam feeds and telemetry to identify the most relevant threats.<\/em><\/p>\n

Malvertising<\/a>, the practice of using online ads to spread malware, can have dire consequences—and the problem only seems to be growing.<\/p>\n

New research from the <\/a>Malwarebytes Threat Intelligence<\/a> team shows over 800 malvertising-related attacks in 2023 so far alone, an average of almost 5 attacks per day. But even these are only the ones reported by security researchers—in reality the number is much higher.<\/p>\n

Our research indicates that malvertising ads often deliver infostealer<\/a> malware such as IcedID, Aurora Stealer, and BATLOADER among others. These programs steal credentials from users’ browsers or computers, sowing the seeds for a future ransomware attack. \"\"<\/p>\n

Malvertising attack count throughout 2023<\/p>\n

Ransomware gangs <\/a>often buy stolen credentials from other cyber criminals involved in the dirty work of initial access brokering. In the case of malvertising, the chain of events looks something like this:<\/p>\n

    \n
  1. Malvertising campaigns infect users with infostealers.<\/strong><\/li>\n
  2. Infostealers harvest user credentials.<\/strong><\/li>\n
  3. Stolen credentials are sold in underground forums.<\/strong><\/li>\n
  4. Ransomware actors buy these credentials to infiltrate networks.<\/strong><\/li>\n<\/ol>\n

    Alternatively, some ransomware gangs have been observed use malvertising themselves to launch an attack on a victim machine directly.<\/p>\n

    The Royal ransomware group<\/a>, for example, used malvertising to disguise BATLOADER as legitimate installers for applications like TeamViewer. BATLOADER then drops a Cobalt Strike Beacon as a precursor to the ransomware execution. <\/p>\n

    For organizations looking to nip the malvertising-ransomware connection in the bud, however, perhaps the biggest challenge is how hard malvertising can be to spot. Threat actors often impersonate the official brand name and website in the ad snippet, making attacks extremely deceptive for the average user.<\/p>\n

    \"\"Can you spot the typo in this malvertising attempt? <\/p>\n

    Even experts at Google have struggled to identify malicious redirects from an ad, underscoring the fact that malvertising is a nuanced, technical problem that requires advanced tools to spot.<\/p>\n

    In other words, your defense strategy against malvertising shouldn’t hinge entirely on your team recognizing brand impersonation. Instead, focus on equipping your team with advanced security tools to do the heavy lifting.<\/p>\n

    Some of the main tools you can use to prevent malvertising include:<\/p>\n