Of all the root causes of ransomware, malicious advertising (malvertising) is probably not a threat vector most CISOs lose much sleep over.
Malvertising, it is assumed, is old school: Criminals buy keyword advertising on a search engine, luring anyone who clicks on a rogue link to sites offering a range of bad possibilities.
It sounds almost too simple to be true, and for years the technique has been a minor player in the ransomware toolkit behind more conventional and successful approaches such as email phishing or the exploitation of vulnerabilities.
Malvertising Change Is Coming
Now, evidence has emerged that this might be changing. A recent malvertising campaign documented by Trend Micro is a case in point. The object of this campaign was simple: Lure IT people to malware-infected versions of popular tools (the AnyDesk remote desktop or WinSCP file transfer utility) using pay-per-click ads served from ad networks using Bing or Google.
The ads are front and center and the sites landed on by users following them look legitimate unless you look closely at the URLs. However, the ISO files on offer are infected, designed to compromise the victim’s computer.
It’s hard to assess the purpose of the infection—Trend Micro’s security blocked the infection before it was executed—but the company believes it to be connected to the BlackCat (ALPHV) ransomware.
Separately, security company Sophos has uncovered a campaign it calls “Nitrogen” that seems to be pursuing the same technique of offering links to legitimate tools that end with infection. Again, the assumption is that the outcome would be a ransomware attack.
Said Trend Micro:
“It is highly likely that the enterprise would have been substantially affected by the attack if intervention had been sought later, especially since the threat actors had already succeeded in gaining initial access to domain administrator privileges and started establishing backdoors and persistence.”
Malvertising Equals Click for Trouble
The tactic is cheap and requires zero effort. Many people—including trained security folks—assume that search engines can filter out this sort of stuff, especially if it’s served via ads. Most of the time, that’s true—ad networks serve legitimate ads. However, the criminals feed in small numbers of rogue ads through third-party ad networks in the hope they won’t be blocked, which, clearly, they sometimes aren’t.
The rise of this tactic suggests that it works often enough to be worth it; buy a few ads and eventually someone will download the infected file. Once that happens, the only thing stopping the criminals is whatever endpoint security is being used by the victim. Search engines are not a magically clean space—this much has been clear for at least 20 years. Organizations need to be wary. The right way to download a tool is to visit a verifiable developer site. There is no easy shortcut to a secure network.
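One practical way to act on the advice above, written as an added example for this page rather than anything from Trend Micro, Sophos or the article's author, is to compare the hosts users actually download installers from against an allowlist of verifiable developer domains and flag lookalike hosts that merely contain the vendor's name. The allowlist, the proxy log lines and the lookalike hostnames below are all constructed for the example; none are indicators from the campaigns described.

```python
from urllib.parse import urlsplit

# Constructed allowlist of verifiable developer domains (an assumption for this
# example; a real deployment would maintain its own list).
TRUSTED_DOWNLOAD_DOMAINS = {
    "anydesk.com",
    "winscp.net",
}

# Installer extensions worth reporting when they come from an untrusted host.
INSTALLER_SUFFIXES = (".iso", ".exe", ".msi")

# Constructed proxy log lines (timestamp, user, URL, bytes). Not real traffic;
# the ".example" hosts are placeholders standing in for lookalike sites.
SAMPLE_PROXY_LOG = """\
2024-01-01T10:00:01Z alice https://anydesk.com/en/downloads/windows 4123456
2024-01-01T10:02:17Z bob https://anydesk-downloads.example/AnyDesk.iso 9123456
2024-01-01T10:03:44Z carol https://winscp.net/download/WinSCP-Setup.exe 11223344
2024-01-01T10:05:09Z dave https://winscp.net.example/WinSCP.iso 7654321
2024-01-01T10:06:30Z erin https://cdn.anydesk.com/AnyDesk.exe 4000000
"""


def hostname_of(url: str) -> str:
    """Return the lowercase hostname of a URL, or "" if it has none."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def is_trusted(host: str) -> bool:
    """True if the host is a trusted domain or a subdomain of one.

    The leading dot matters: "winscp.net.example" must not match "winscp.net".
    """
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOWNLOAD_DOMAINS)


def vendor_keyword(host: str):
    """Return the brand token (e.g. "anydesk") if the host name contains one."""
    for domain in TRUSTED_DOWNLOAD_DOMAINS:
        brand = domain.split(".")[0]
        if brand in host:
            return brand
    return None


def classify(url: str) -> str:
    """Classify a download URL: trusted, lookalike:<brand>, untrusted-installer, untrusted."""
    host = hostname_of(url)
    if is_trusted(host):
        return "trusted"
    brand = vendor_keyword(host)
    if brand:
        # Brand name present but not under the vendor's real domain: the
        # "looks legitimate unless you look closely at the URL" case.
        return f"lookalike:{brand}"
    if urlsplit(url).path.lower().endswith(INSTALLER_SUFFIXES):
        return "untrusted-installer"
    return "untrusted"


def scan_proxy_log(text: str) -> list:
    """Return one finding per log line whose download host is not trusted."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines
        timestamp, user, url = parts[0], parts[1], parts[2]
        verdict = classify(url)
        if verdict != "trusted":
            findings.append(
                {"time": timestamp, "user": user, "host": hostname_of(url), "verdict": verdict}
            )
    return findings


if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{finding['time']} {finding['user']:<6} {finding['verdict']:<22} {finding['host']}")
```

Run against the constructed log, the scan reports bob and dave (both fetched an ISO from a host that only resembles the vendor's domain) and stays quiet for downloads from the vendor domains and their subdomains. The suffix check is deliberately anchored on the URL path so a query string cannot hide the file type, and the allowlist match requires a dot boundary so that "vendor.net.example" is never mistaken for "vendor.net".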