Security researchers recently observed BatLoader malware abusing Google Ads to direct victims to websites impersonating popular brands and services. These fake websites then deliver payloads associated with Vidar stealer and the Ursnif banking trojan. The new BatLoader attack chain represents a shift away from the malware’s prior use of PowerShell scripts to download stealers.
Security researchers recently discovered the operators of the BatLoader malware downloader adopting a significant shift in modus operandi that reflects a high level of sophistication. Specifically, BatLoader operators use a technique called typosquatting, also known as URL hijacking, which involves registering domain names that are deceptively similar to legitimate websites to trick site visitors into performing actions that result in malware downloads. Among the BatLoader-linked malicious domains are websites that impersonate well-known brands and applications, including an AI text generator, a popular teleconferencing application, and a music streaming service.
Threat actors lure visitors to the fake websites with malicious Google Ads in the search engine’s results. There has been a huge spike in such ads, referred to as malvertisements, which appear to be legitimate, but redirect victims to websites with malicious content. The massive increase in malvertisements such as BatLoader’s has been linked to Microsoft’s policy of blocking Office macros by default from files downloaded from the Internet. To post malvertisements, threat actors purchase Google ad space for keywords and their common misspellings.
Once victims reach the impersonated websites, Microsoft Installer (MSI) files launch the infection sequence, executing Python scripts that contain the BatLoader payload and retrieve the malware from remote servers. According to the researchers who observed the infection chain, this method represents a new stage for BatLoader, which previously ran PowerShell scripts to download the stealer malware.
With regard to BatLoader’s secondary payloads, the malware delivers Vidar stealer, which scrapes credit card numbers, passwords, digital wallets, and other forms of data. BatLoader also deploys the Ursnif (Gozi) banking trojan, which steals financial data, login credentials, credit card numbers, and other personal information. While threat actors also use phishing emails to spread Ursnif, luring victims to fake websites, BatLoader represents an alternate method to trigger infection. In addition to Vidar and Ursnif, BatLoader was also observed distributing other malicious payloads, including Cobalt Strike and ransomware. According to security researchers, BatLoader is capable of establishing entrenched access to victims’ networks.
Security researchers concluded that BatLoader’s operators take advantage of several key factors. First, impersonating popular brands allows threat actors to specifically target businesses, which frequently use these products. Gaining access to corporate networks maximizes opportunities to perpetrate extortion schemes and commit financial fraud. Second, BatLoader payloads contain tools that aid attackers in lateral movement, such as Cobalt Strike, which means even more severe malicious activity is likely. As such, researchers concluded that exposure to BatLoader should be treated as a prelude to ransomware attacks or data extortion campaigns.
With BatLoader leveraging malvertisements on Google, Cybersixgill collected posts from threat actors offering goods and services related to this technique. The following screenshot displays a post from a member of a popular Russian-language cybercriminal forum. The forum member is relatively active with a 5/10 reputation score and is primarily interested in malware and hacking.
In the post, the forum member sought experienced “investors/partners” to help “deliver/spread” their unidentified malware, which allegedly includes a fully undetectable dropper (FUD), command-and-control (C2) servers, and “other stuff.” The forum member received multiple replies, including an offer from a forum member with an above average reputation score (6/10) who offered to “make a landing page and send traffic there with Google Ads.” While BatLoader is not mentioned by name, it appears the forum member is using a similar infection chain that leverages malvertisements and typosquatting.
The initial poster responded by stating “this is not about getting bots, but getting quality bots,” apparently doubting the effectiveness of the proposed strategy. The post was bumped the following day, eliciting a negative response from a member who said, “ask [yourself] what do they gain [from] investing [in] your campaign.”
Figure 1: A cybercrime forum post offers to use Google Ads to lure victims to a landing page
Cybersixgill’s Investigative Portal also collected a post from another Russian-language cybercriminal forum on which a member with an above average reputation score (7/10) named advertised Google Ads accounts. In the post, the forum member claimed to be selling access to valid, but allegedly compromised, accounts with $100-$350 ad spends for prices ranging from $15 to $45, depending on the amount of the spend. The forum member specified that the accounts were suitable for phishing and malware. While Google Ads accounts are intended to pay for legitimate advertising, threat actors with access to them can launch BatLoader style attacks while remaining under the radar and unflagged as malicious. Indeed, threat actors use the funds in these accounts to purchase ads that drive traffic to malicious websites or affiliate links.
The post garnered multiple responses, including a comment from another forum member wondering whether the accounts were prepay or postpay. The commenter added that “it would also be interesting to know if accounts trigger [prompts] to raise the budget,” which would require Google Ads accounts to supplement funds.
Figure 2: Google Ads accounts advertised on a cybercrime forum
Cybersixgill also collected another recent message from this forum on which a member with a 4/10 reputation score posted specifically about Google Ads malvertising. This forum member expressed interest in acquiring traffic to a landing page, offering to pay upfront and share revenues from the malicious operation and directing potential partners to get in touch for more information and prices. As this post illustrates, there appears to be significant demand on the underground for the type of malvertising-oriented service that BatLoader provides.
Figure 3: Google Ads malvertising service on a cybercrime forum
Malvertising via Google Ads can drive traffic to malicious websites that drop malware and generate access to victims’ systems, opening the door to further attacks. BatLoader, and similar malware loaders that abuse Google Ads, can deliver payloads with Vidar stealer, the Ursnif banking trojan, and Cobalt Strike. Ultimately, BatLoader-style campaigns can lead to theft of sensitive information, security breaches, malware infections, and ransomware attacks. Abuse of legitimate tools, such as Google Ads and Cobalt Strike, is a common practice among threat actors who constantly try to misuse tools for malicious purposes.
The BatLoader threat is especially problematic in light of the highly realistic impostor sites threat actors can generate, which leverage typosquatting to fool visitors into believing they are visiting legitimate sites. In addition to the dangers of malware deployment, typosquatting can also damage actual URL holders’ reputations, since their brand may now be identified in victims’ minds with cybercriminal activity.
To combat typosquatting and malvertising-based attacks, organizations should:
Instruct personnel to verify URLs before downloading software or taking other actions on sites to which they have been directed by Google Ads.
Use virtual machines (VM) for users who download software from suspicious/unknown sources.
Train employees not to click on links or attachments from suspicious emails.
Implement regular security training to raise employee awareness so that social engineering attacks can be thwarted.
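The URL verification in the first recommendation can also be backed by an automated check. The following is an added example, not part of the original article: it compares hostnames (for instance, from proxy or DNS logs) against a watchlist of legitimate brand domains and flags near-miss spellings. The brand list, sample hostnames, homoglyph map and distance threshold are all constructed assumptions.

```python
# Added example: flag hostnames that look like, but are not, a watched brand domain.
# BRANDS and the sample hostnames below are constructed for illustration.
BRANDS = {"examplemeet.com", "examplemusic.com"}
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def registrable(host):
    """Naive registrable domain: last two labels (a real check uses the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def osa_distance(a, b):
    """Optimal string alignment distance: single-character edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def classify(host, brands=BRANDS, max_distance=2):
    """Return ('legit' | 'lookalike' | 'unrelated', matched_brand_or_None)."""
    domain = registrable(host)
    if domain in brands:
        return "legit", domain
    # Undo common digit-for-letter swaps and drop hyphens before comparing.
    name = domain.split(".")[0].translate(HOMOGLYPHS).replace("-", "")
    for brand in sorted(brands):
        brand_name = brand.split(".")[0]
        # A brand name embedded in a longer label, a near-miss spelling, or the
        # exact brand name under a different TLD all count as lookalikes.
        if brand_name in name or osa_distance(name, brand_name) <= max_distance:
            return "lookalike", brand
    return "unrelated", None

if __name__ == "__main__":
    for h in ["www.examplemeet.com", "exampelmeet.com", "examp1emeet.net",
              "examplemusic-download.com", "intranet.corp.example"]:
        print(h, classify(h))
```

Short brand names need a lower max_distance than the default here, since a two-edit tolerance will match unrelated words of similar length.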