Microsoft Discovers Threat Group Deploying New Wave of Royal Ransomware

Colin Thierry Colin Thierry

Microsoft revealed last week that a threat group identified as DEV-0569 was behind a new wave of Royal ransomware and other malware deployed through phishing links, legitimate-looking websites, and Google Ads.

Bypassing security solutions is one aspect where threat actors sometimes face challenges. One way they can bypass these solutions is through deceiving users to let them in by clicking on malicious links or downloading harmful software.

DEV-0569 uses both of these techniques against the users they target. The threat group creates phishing websites, uses contact forms on targeted organizations, hosts installers on download sites that look legitimate, and deploys Google Ads.

“DEV-0569 activity uses signed binaries and delivers encrypted malware payloads,” explained Microsoft in its statement last week. The group is also known to heavily utilize defense evasion techniques and has continued using the open-source tool Nsudo to attempt to disable antivirus solutions recently in campaigns.

“DEV-0569 notably relies on malvertising, phishing links that point to a malware downloader posing as software installers or updates embedded in spam emails, fake forum pages, and blog comments,” the tech giant added.

One of DEV-0569’s main goals is to gain access to devices within secure networks, which would allow them to deploy Royal ransomware. As a result, the group could become an access broker for other ransomware operators by selling the access they have to other hackers.

Additionally, the group is using Google Ads to expand its reach and blend in with legitimate internet traffic.

“Microsoft researchers identified a DEV-0569 malvertising campaign leveraging Google Ads that point to the legitimate traffic distribution system (TDS) Keitaro, which provides capabilities to customize advertising campaigns via tracking ad traffic and user- or device-based filtering,” the company said. “Microsoft observed that the TDS redirects the user to a legitimate download site, or under certain conditions, to the malicious BATLOADER download site.”

This strategy thus allows the threat actors to bypass IP ranges of known security sandboxing solutions by sending malware to specific targets and IPs.

About the Author

About the Author

Colin Thierry is a former cybersecurity researcher and journalist for SafetyDetectives who has written a wide variety of content for the web over the past 2 years. In his free time, he enjoys spending time outdoors, traveling, watching sports, and playing video games.