BATLOADER malware uses Google Ads to deliver Vidar and Ursnif infostealers
Once again, the moderators of the world-famous corporation have opened the way for attackers.
Last month, a malware loader known as BATLOADER was seen abusing the contextual advertising service Google Ads to deliver secondary payloads such as Vidar Stealer and Ursnif. According to the company eSentire, the malicious ads spoof a wide range of legitimate apps and services such as Adobe, OpenAPI, Spotify, Tableau, and Zoom.
BATLOADER, as the name suggests, is a loader responsible for delivering next-stage malware, for example information stealers, banking malware, and even ransomware.
One of the key features of BATLOADER is the use of software imitation tactics to deliver malware. This effect is achieved by setting up similar websites that host Windows Installer files masquerading as legitimate applications. This allows attackers to trigger an infection sequence when a user looking for legitimate software clicks on a fraudulent ad on a Google search results page.
The installation files, in “.msi” format, execute Python scripts on startup that contain the BATLOADER payload. The next-stage malware is then downloaded to the victim’s computer.
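The delivery chain above (a fake installer whose .msi launches a Python script) gives defenders a simple process-lineage signal. The following is an added detection sketch, not code from the article or from eSentire; it assumes Sysmon-style process-creation events with `Image` and `ParentImage` fields, and that the installer stage runs under msiexec.exe, which the article does not state explicitly. All log lines are constructed.

```python
"""Flag process-creation events where the Windows Installer host (msiexec.exe)
spawns a Python interpreter, the MSI -> Python step described for BATLOADER.
Added example with constructed telemetry; field names follow Sysmon conventions."""
import json

# Interpreter binaries treated as "Python" (assumption for this example).
PYTHON_BINARIES = {"python.exe", "pythonw.exe", "python3.exe"}
# Assumed parent: the MSI package is executed by the Windows Installer service host.
INSTALLER_PARENT = "msiexec.exe"


def _basename(path: str) -> str:
    """Return the lowercase file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_suspicious(event: dict) -> bool:
    """True when msiexec.exe is the direct parent of a Python interpreter."""
    parent = _basename(event.get("ParentImage", ""))
    image = _basename(event.get("Image", ""))
    return parent == INSTALLER_PARENT and image in PYTHON_BINARIES


def scan_events(lines):
    """Parse one JSON event per line and return the events that match the rule."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry is skipped, not allowed to abort the scan
        if is_suspicious(event):
            hits.append(event)
    return hits


# Constructed sample telemetry (paths and command lines are invented).
SAMPLE_EVENTS = [
    '{"Image": "C:\\\\Windows\\\\System32\\\\msiexec.exe", "ParentImage": "C:\\\\Windows\\\\explorer.exe", "CommandLine": "msiexec /i Zoom-Setup.msi"}',
    '{"Image": "C:\\\\Users\\\\Public\\\\python\\\\pythonw.exe", "ParentImage": "C:\\\\Windows\\\\System32\\\\msiexec.exe", "CommandLine": "pythonw.exe install.py"}',
    '{"Image": "C:\\\\Python311\\\\python.exe", "ParentImage": "C:\\\\Windows\\\\System32\\\\cmd.exe", "CommandLine": "python.exe build.py"}',
    "not json",
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print("suspicious:", hit["CommandLine"])
```

Only the second sample event matches: a developer running Python from cmd.exe, and msiexec itself being launched, are left alone.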
Other BATLOADER samples analyzed by eSentire experts contained additional features that allow the malware to establish persistence in corporate networks.
“Cybercriminals are abusing the Google ad network by buying ad space for popular keywords and related misspellings,” noted the cybersecurity company Malwarebytes in July 2022.
“BATLOADER has continued to undergo changes and improvements since its first release in 2022. The malware intentionally impersonates other applications that are often found on business networks,” said eSentire.