Hackers Distribute Royal Ransomware Using Google Ads to (28th November 2022)

Ref# AL2022_78 | Date: Nov 28th 2022


Google Ads are being used by a growing threat activity cluster in one of its attempts to disseminate numerous post-compromise payloads, including the recently identified Royal ransomware.


Microsoft is monitoring the group as DEV-0569 after discovering the improved malware delivery technique in late October 2022.

According to analysts, observed DEV-0569 attacks show a pattern of continuous innovation, with regular incorporation of new discovery techniques, defense evasion, and various post-compromise payloads, alongside increasing ransomware facilitation.

Malvertising is a well-known tactic used by the threat actor to direct unaware victims to malicious links that appear to be software installers for reputable programs like Adobe Flash Player, AnyDesk, LogMeIn, Microsoft Teams, and Zoom.

The next-stage payloads are distributed by a malware downloader known as BATLOADER, which acts as a dropper. It has been noted to share similarities with ZLoader, another malicious program.

The virus's stealth and tenacity, as well as its use of search engine optimization (SEO) poisoning to entice people to download the malware from infected websites or attacker-created domains, were highlighted in a recent investigation of BATLOADER by eSentire and VMware.

Alternatively, spam emails, phony forum posts, blog comments, and even contact forms found on the websites of targeted companies are used to spread phishing links.

DEV-0569 has used varied infection chains using PowerShell and batch scripts that ultimately led to the download of malware payloads like information stealers or a legitimate remote management tool used for persistence on the network.

The management tool can also be an access point for the staging and spread of ransomware.

Also utilized is a tool known as NSudo to launch programs with elevated privileges and impair defenses by adding registry values that are designed to disable antivirus solutions.

The use of Google Ads to deliver BATLOADER selectively marks a diversification of DEV-0569's distribution vectors, enabling it to reach more targets and deliver malware payloads, the company pointed out.

It further positions the group to serve as an initial access broker for other ransomware operations, joining the likes of malware such as Emotet, IcedID, and Qakbot.

Since DEV-0569's phishing scheme abuses legitimate services, organizations can also leverage mail flow rules to capture suspicious keywords or review broad exceptions, such as those related to IP ranges and domain-level allow lists.


Malvertising and phishing will probably still be used by DEV-0569 to spread malware payloads. Solutions like network protection can assist in preventing unauthorized link access. Because DEV-0569's phishing technique leverages legitimate services, organizations should use mail flow rules to identify suspicious keywords or review broad exceptions, including those connected to IP ranges and domain-level allow lists, to help counter this threat.

Administrators can also apply the following mitigations to reduce the impact of this threat:

  • Encourage people to use web browsers with SmartScreen, which can detect and block harmful websites, including phishing and scam sites as well as those that host malware and contain exploits. To prevent connections to dangerous domains and IP addresses, turn on network protection.
  • Strengthen organizational resistance to email threats by training users to spot social engineering attempts and guard against malware infection. Run attack scenarios to raise user awareness and equip staff to identify and report these attacks.
  • Follow the principle of least privilege and maintain credential hygiene. Avoid using admin-level service accounts that are domain-wide. Limiting local administrative rights can prevent the installation of RATs and other undesirable programs.
  • Block process creations originating from PsExec and WMI commands
  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion
  • Use advanced protection against ransomware
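
The last three bullets and the network protection advice map to Microsoft Defender attack surface reduction (ASR) rules and settings. The following PowerShell audit is an added example, not part of the original alert; it assumes endpoints run Microsoft Defender Antivirus, and the rule GUIDs are taken from Microsoft's ASR rule reference rather than from this alert.

```powershell
# Added example: report whether the ASR rules and network protection named in
# the mitigation list are in Block mode on this host. Assumes the Defender
# PowerShell module (Get-MpPreference) is available; run from an elevated session.

# Rule GUIDs as published in Microsoft's ASR rule reference (not from the alert).
$wanted = [ordered]@{
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executables unless they meet a prevalence, age, or trusted list criterion'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
}
$stateName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-StateLabel($state) {
    if ($null -eq $state) { return 'Not configured' }
    if ($stateName.ContainsKey([int]$state)) { return $stateName[[int]$state] }
    return "Unknown ($state)"
}

$pref = Get-MpPreference

# Ids and Actions are parallel arrays; both are empty when no rule is configured.
$current = @{}
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i]) { $current[$ids[$i].ToString().ToLower()] = [int]$actions[$i] }
}

$report = foreach ($id in $wanted.Keys) {
    $state = if ($current.ContainsKey($id)) { $current[$id] } else { $null }
    [pscustomobject]@{
        Setting = $wanted[$id]
        State   = Get-StateLabel $state
        Ok      = ($state -eq 1)   # anything other than Block counts as a gap
    }
}

# Network protection uses 0 = Disabled, 1 = Enabled (block), 2 = Audit.
$np = [int]$pref.EnableNetworkProtection
$report += [pscustomobject]@{ Setting = 'Network protection'; State = Get-StateLabel $np; Ok = ($np -eq 1) }

$report | Format-Table -AutoSize -Wrap

# To close a gap locally (centrally managed policy may override local settings):
#   Add-MpPreference -AttackSurfaceReductionRules_Ids <guid> -AttackSurfaceReductionRules_Actions Enabled
#   Set-MpPreference -EnableNetworkProtection Enabled
```

Rules reported as Audit log matching events without blocking them, which is a common intermediate step before switching to Block.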

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
