February was a particularly busy month for search-based malvertising with the number of incidents we documented almost doubling.
We saw similar payloads being dropped but also a few new ones that were particularly good at evading detection.
One malware family we have been tracking on this blog is FakeBat.
It is distinctive in that the threat actor uses MSI installers packaged with heavily obfuscated PowerShell code.
For weeks, the malvertiser helping to distribute this malware was abusing the same URL shortener services, which may have made the attack somewhat predictable.
We saw them experimenting with new redirectors and in particular leveraging legitimate websites to bypass security checks.
Another interesting aspect is the diversity of the latest campaigns.
For a while, we saw the same software brands being impersonated over and over again.
With this latest wave of FakeBat malvertising, we are seeing many different brands being targeted.
During the past several weeks, FakeBat malvertising campaigns used two kinds of ad URLs.
As observed in other malvertising campaigns, they abused URL/analytics shorteners, which are ideal for cloaking.
The shortener serves either a 'good' (legitimate) or a 'bad' (malicious) destination URL depending on conditions the threat actor defines, so that ad reviewers and security scanners land on a harmless page while the targeted victim is sent on to the decoy site.
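One practical way to surface this kind of cloaking is to resolve the same ad URL several times under different client profiles and compare where each chain ends. The script below is an added example written for this post, not code from Malwarebytes or from the FakeBat operators. The domains (short.example, vendor.example, lookalike.example), the profile headers and the `fake_shortener` redirector are all constructed for the demonstration; `urllib_fetch` is the fetcher you would pass in for a live check.

```python
"""Resolve a shortened ad URL under several client profiles and flag cloaking.

A cloaking redirector hands scanners and reviewers a legitimate destination
and sends what looks like a real ad click to the malicious one. The check
below follows the redirect chain once per profile and reports whether the
final hosts diverge.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urljoin, urlparse

# fetch(url, headers) -> (status, Location header or None), WITHOUT following redirects
Fetcher = Callable[[str, Dict[str, str]], Tuple[int, Optional[str]]]
REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass
class Profile:
    name: str
    headers: Dict[str, str]


# Hypothetical profiles: a crawler-looking client versus a browser-looking one.
DEFAULT_PROFILES = [
    Profile("scanner", {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1)"}),
    Profile("browser", {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
                                      "AppleWebKit/537.36 Chrome/122.0 Safari/537.36",
                        "Referer": "https://www.google.com/"}),
]


def resolve_chain(url: str, headers: Dict[str, str], fetch: Fetcher, max_hops: int = 10) -> List[str]:
    """Follow HTTP redirects hop by hop, returning every URL visited (first is the input)."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1], headers)
        if status not in REDIRECT_CODES or not location:
            break
        nxt = urljoin(chain[-1], location)   # Location may be relative
        if nxt in chain:                     # redirect loop
            break
        chain.append(nxt)
    return chain


def detect_cloaking(url: str, profiles: List[Profile], fetch: Fetcher) -> Tuple[bool, Dict[str, str]]:
    """Return (cloaking_suspected, {profile name: final URL}); suspected when final hosts differ."""
    finals = {p.name: resolve_chain(url, p.headers, fetch)[-1] for p in profiles}
    hosts = {urlparse(u).netloc.lower() for u in finals.values()}
    return len(hosts) > 1, finals


def urllib_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, Optional[str]]:
    """Live fetcher for real use: one request, redirects not followed."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, hdrs, newurl):
            return None  # stop urllib from following; the 3xx surfaces as HTTPError
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, headers=headers), timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def fake_shortener(url: str, headers: Dict[str, str]) -> Tuple[int, Optional[str]]:
    """Constructed stand-in for a cloaking shortener (hypothetical, not a real service).

    Crawler-like clients, and any visit lacking the ad click ID, get the 'good'
    vendor page; a browser arriving with a click ID gets the lookalike site.
    """
    parsed = urlparse(url)
    ua = headers.get("User-Agent", "")
    if parsed.netloc == "short.example":
        looks_like_scanner = "Googlebot" in ua or "python" in ua.lower()
        if looks_like_scanner or "gclid" not in parse_qs(parsed.query):
            return 302, "https://vendor.example/download"
        return 302, "https://lookalike.example/"
    if parsed.netloc == "lookalike.example" and parsed.path == "/":
        return 302, "/setup.msi"                 # relative Location on the second hop
    return 200, None


if __name__ == "__main__":
    suspected, finals = detect_cloaking("https://short.example/abc?gclid=XYZ",
                                        DEFAULT_PROFILES, fake_shortener)
    for name, final in finals.items():
        print(f"{name:8s} -> {final}")
    print("cloaking suspected:", suspected)
```

Swap `fake_shortener` for `urllib_fetch` to run it against a real ad link. The click-ID gate in the constructed redirector is the point worth noticing: the same URL fetched without the tracking parameter resolves to the benign page for every profile, which is exactly why a scanner that strips or never receives those parameters sees nothing wrong.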
In the most recent malvertising campaigns we see the threat actor abusing legitimate websites that appear to have been compromised.
There are currently several campaigns running, impersonating OneNote, Epic Games, Ginger and even the Braavos smart wallet application.
A number of those malicious domains are hosted with the Russia-based hosting provider DataLine.
FakeBat continues to be a threat to businesses via malicious ads for popular software downloads.
The malware distributors are able to bypass Google's security checks and redirect victims to deceiving websites.
It is as important to defend against the supporting infrastructure as against the malware payloads themselves.
That is not always easy, since compromised legitimate websites can be used as redirectors to defeat domain blocklists.
As always, blocking ads at the source via system policies such as ThreatDown DNS Filter remains one of the most effective ways to stop malvertising attacks in their tracks.
This Cyber News was published on www.malwarebytes.com. Publication date: Tue, 12 Mar 2024 23:44:28 +0000