DEV-0569 is using updated techniques to distribute Royal ransomware and other malicious payloads, according to SecurityWeek.
While DEV-0569 continues to rely on malvertising for malware delivery, it has since expanded its arsenal to include delivering phishing links through website contact forms, hosting fake installers on legitimate-looking software download sites and repositories, and abusing Google Ads, a report from Microsoft showed.
In September, DEV-0569 was observed impersonating a national financial authority in fraudulent messages submitted through targets' contact forms, then replying to the resulting email threads with Batloader-laced messages. Batloader then ran commands to escalate privileges and deploy the Vidar Stealer information stealer, the Gozi banking trojan, and Royal ransomware.
Meanwhile, attacks the following month saw DEV-0569 abusing Google Ads to redirect users to malicious Batloader download domains. The group has also used the open-source tool NSudo to evade antivirus detection.
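The article only names NSudo; the following is an added detection example, not code from the article or from Microsoft's report. It scans process-creation events for NSudo launches, including a copy renamed on disk (caught through the PE's OriginalFileName) and processes spawned by NSudo. The event field names (Image, OriginalFileName, CommandLine, ParentImage, roughly Sysmon Event ID 1 shape), the list of NSudo binary names, the treatment of NSudo's -U:T / -U:S / -P:E switches as a severity marker, and the sample events are all assumptions constructed for this example.

```python
"""Flag NSudo executions in constructed Windows process-creation events.

Added example, not from the article. Event shape (Image, OriginalFileName,
CommandLine, ParentImage) and all sample data below are assumptions.
"""
import ntpath
import re

# File names NSudo has been distributed under. The set is an assumption for
# this example; extend it from your own software inventory.
NSUDO_NAMES = {"nsudo.exe", "nsudolg.exe", "nsudolc.exe", "nsudoc.exe"}

# NSudo's -U:T / -U:S switches request TrustedInstaller / SYSTEM context and
# -P:E enables all privileges. Using them to raise severity is an assumption.
ELEVATION_FLAGS = re.compile(r"(?i)-U:[TS]\b|-P:E\b")


def _basename(path):
    """Lower-cased file name of a Windows path; tolerates missing fields."""
    return ntpath.basename(path or "").lower()


def classify(event):
    """Return a finding dict for one process-creation event, or None."""
    image = _basename(event.get("Image"))
    original = _basename(event.get("OriginalFileName"))
    parent = _basename(event.get("ParentImage"))
    cmdline = event.get("CommandLine", "")

    if image in NSUDO_NAMES or original in NSUDO_NAMES:
        finding = {"reason": "nsudo_execution", "image": image,
                   "severity": "medium", "command_line": cmdline}
        if image not in NSUDO_NAMES:
            # On-disk name was changed; only the version resource gave it away.
            finding["reason"] = "renamed_nsudo_execution"
            finding["severity"] = "high"
        if ELEVATION_FLAGS.search(cmdline):
            finding["severity"] = "high"
        return finding

    # Anything NSudo launches inherits the elevated context it requested.
    # Limitation: a renamed NSudo parent is not caught here; correlating on
    # the parent's process GUID/PID against earlier findings would close that.
    if parent in NSUDO_NAMES:
        return {"reason": "child_of_nsudo", "image": image,
                "severity": "high", "command_line": cmdline}
    return None


def detect_nsudo(events):
    """Run classify() over an iterable of events and keep the findings."""
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\NSudo.exe", "OriginalFileName": "NSudo.exe",
     "CommandLine": "NSudo.exe -U:T -P:E cmd.exe /c whoami",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\ProgramData\svchost32.exe", "OriginalFileName": "NSudo.exe",
     "CommandLine": "svchost32.exe -U:S cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c whoami",
     "ParentImage": r"C:\Users\Public\NSudo.exe"},
    {"Image": r"C:\Windows\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for finding in detect_nsudo(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] {finding['reason']}: {finding['command_line']}")
```

Matching on OriginalFileName as well as Image is the point of the example: a rule that keys only on the file name is defeated by renaming the binary, whereas the PE version resource survives a rename unless the attacker also patches the executable.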
"These methods allow the group to potentially reach more targets and ultimately achieve their goal of deploying various post-compromise payloads," Microsoft said.