DEV-0569, a new threat actor whose activity can be traced back as early as August 2022, developed new tools to deliver the Royal ransomware, claimed Microsoft Security Threat Intelligence in a post published on November 17, 2022.
This emerging group, for which Microsoft still uses a temporary ‘DEV-####’ designation, meaning they are unsure about its origin or identity, typically relies on malvertising and phishing link vectors.
They point to a malware downloader called BATLOADER, posing as legitimate software installers such as TeamViewer, Adobe Flash Player and Zoom, or updates embedded in spam emails, fake forum pages, and blog comments to deploy the Royal ransomware, which first emerged in September 2022 and is being distributed by multiple threat actors.
When launched, BATLOADER uses MSI Custom Actions to launch malicious PowerShell activity or run batch scripts to aid in disabling security solutions and lead to the delivery of various encrypted malware payloads that is decrypted and launched with PowerShell commands.
From September 2022, Microsoft noticed that DEV-0569 started using contact forms to deliver its payloads. In one particular campaign, DEV-0569 sent a message to targets using the contact form on these targets’ websites, posing as a national financial authority. When a contacted target responds via email, DEV-0569 replies with a message that contained a link to BATLOADER.
This method has been seen in other campaigns, including IcedID malware, notably used by the Emotet group.
Microsoft also noticed that, from September, DEV-0569 started hosting fake installer files on legitimate-looking software download sites and legitimate repositories to make malicious downloads look authentic to targets, and an expansion of their malvertising technique by using Google Ads in regular campaigns, effectively blending in with normal ad traffic.
“These methods allow the group to potentially reach more targets and ultimately achieve their goal of deploying various post-compromise payloads,” reads the post.
Finally, in September and October, Microsoft saw activity where DEV-0569 used the open-source NSudo tool to attempt to disable antivirus solutions.
Microsoft made some mitigation recommendations to reduce the impact of the DEV-0569 threat:
- Encourage users to use web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware
- Turn on network protection to block connections to malicious domains and IP addresses
- Use Attack simulation training in Microsoft Defender for Office 365 to run attack scenarios, increase user awareness, and empower employees to recognize and report these attacks
- Practice the principle of least privilege and maintain credential hygiene
- Avoid the use of domain-wide, admin-level service accounts. Restricting local administrative privileges can help limit the installation of RATs and other unwanted applications.
- Turn on cloud-delivered protection and automatic sample submission on your antivirus
- Turn on tamper protection features to prevent attackers from stopping security services