Sophos X-Ops has seen a resurgence in the use of malvertising in various malware campaigns since the beginning of this year, both in its telemetry and in the increased surface of this topic on underground forums. Malvertising, the term for a method of injecting malicious code into digital advertisements, is not a new topic, nor is it a new TTP for attackers.
However, the technology has been used more and more in recent months, possibly due to Microsoft’s new protective measures against malicious macros from the Internet – also a popular transmission method for malicious code .
During a recent investigation into a criminal marketplace, X-Ops found a number of ads promoting rigged Google Ads accounts and so-called “Black SEO” services. These are services designed to help attackers rank their malicious websites at the top of search results.
BatLoader and IcedID – the malvertising stars
Two of the most notable malware families that have exploited malvertising in recent months are BatLoader and IcedID. IcedID first appeared in 2017 as a banking Trojan designed to steal banking credentials. More recently, attackers have used IcedID to gain access to targeted networks as the first stage of a ransomware attack. Previous IcedID malvertising attacks involved malicious ads distributed via Google ads for office-related communication tools such as Slack, Microsoft Teams, and WebEx.
BatLoader has traditionally been a tool used by cybercriminals to infuse user systems with sophisticatedInfecting malware , particularly with infostealers like RaccoonStealer . While previous BatLoader malvertising campaigns exploited users’ search for IT tools, more recent campaigns are slinging the hypeUsing artificial intelligence .
Christopher Budd, Director Threat Research at Sophos X-Ops: “Malvertising has many advantages for criminals. Just as legitimate advertisers carefully target their ads, criminals can use malvertising to target users, particularly geographically. In addition, it is often difficult for defenders to detect and combat these types of malware campaigns. Basically, we found that the attackers follow technical trends. The latest malicious ads try to generate clicks not only with popular IT and communication apps, but also with AI tools such as ChatGPT or MidJourney. Increased vigilance is required here, and it is very likely that criminals will continue to expand and professionalize their malvertising campaigns.”
