The threat actor behind the development of Royal ransomware, tracked by Microsoft as DEV-0569, mostly relies on malvertising, fake forum pages, phishing pages, and blog comments. Microsoft's team noticed continuous development and innovation of new attack vectors and defense evasion techniques. These tactics allow the threat actor to increase its reach.
DEV-0569 notably relies on malvertising, phishing links that point to a malware downloader posing as software installers or updates embedded in spam emails, fake forum pages, and blog comments. In the past few months, Microsoft security researchers observed the following tweaks in the group’s delivery methods:
Use of contact forms on targeted organizations’ websites to deliver phishing links
Hosting fake installer files on legitimate-looking software download sites and legitimate repositories to make malicious downloads look authentic to targets, and
Expansion of their malvertising technique by using Google Ads in one of their campaigns, effectively blending in with normal ad traffic
These methods allow the group to potentially reach more targets and ultimately achieve their goal of deploying various post-compromise payloads. DEV-0569 activity uses signed binaries and delivers encrypted malware payloads. The group, also known to rely heavily on defense evasion techniques, has continued to use the open-source tool Nsudo to attempt disabling antivirus solutions in recent campaigns.
In its blog, Microsoft shares details of DEV-0569's tactics, techniques, and procedures (TTPs) and observed behavior in recent campaigns, which show that DEV-0569 will likely continue leveraging malvertising and phishing for initial access. Microsoft also shares preventive measures that organizations can adopt to thwart DEV-0569's delivery methods involving malicious links and phishing emails, using solutions like Microsoft Defender SmartScreen and Microsoft Defender for Office 365, and to reduce the impact of the group's follow-on activities. Microsoft Defender for Endpoint detects the DEV-0569 behavior discussed in that blog, including the code signing certificates in use and the attempts to disable Microsoft Defender Antivirus.
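The paragraphs above mention two defender-relevant behaviors: DEV-0569 staging the open-source tool NSudo to try to disable antivirus, and endpoint telemetry catching those attempts. The following is an added example, not code from this post or from Microsoft, showing how a simple triage rule over process-creation events would surface that pattern. The log line format, the sample events, and the keyword lists are constructed for the example; the tool name NSudo is the only indicator taken from the post, and the `-U:T` switch in the sample command line is assumed NSudo syntax used only as sample data.

```python
"""Triage process-creation events for an elevation helper used against antivirus.

Added example: the event format 'parent | image | command_line' is invented for
this demo. Point parse_event() at your own telemetry (Sysmon Event ID 1, EDR
process events) to use the same scoring.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


# Constructed sample events (not real telemetry). Only event 2 and 3 are suspicious.
SAMPLE_EVENTS = [
    r"C:\Windows\explorer.exe | C:\Users\jdoe\Downloads\setup.exe | setup.exe /S",
    r"C:\Users\jdoe\Downloads\setup.exe | C:\Users\jdoe\AppData\Local\Temp\NSudo.exe | NSudo.exe -U:T cmd /c sc stop WinDefend",
    r"C:\Windows\System32\cmd.exe | C:\Windows\System32\sc.exe | sc stop WinDefend",
    r"C:\Program Files\7-Zip\7zFM.exe | C:\Windows\System32\notepad.exe | notepad.exe readme.txt",
]

# Directories a standard user can write to. An elevation helper running from
# here, rather than from an admin-installed location, deserves a closer look.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(Downloads|AppData)|ProgramData|Windows\\Temp)\\", re.IGNORECASE
)

# Image names of privilege-elevation helpers; NSudo is the one named in the post.
ELEVATION_TOOLS = ("nsudo",)

# Command-line keywords that suggest the target of the action is antivirus.
AV_TAMPER = re.compile(
    r"\b(windefend|windows defender|defender|antivirus|disablerealtimemonitoring)\b",
    re.IGNORECASE,
)


def parse_event(line: str) -> ProcessEvent:
    """Split one constructed 'parent | image | command_line' record."""
    parent, image, cmd = (part.strip() for part in line.split("|", 2))
    return ProcessEvent(parent, image, cmd)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcessEvent) -> list[str]:
    """Return the reasons an event is interesting; an empty list means benign."""
    reasons: list[str] = []
    is_tool = any(tool in basename(ev.image) for tool in ELEVATION_TOOLS)
    touches_av = AV_TAMPER.search(ev.command_line) is not None

    if is_tool:
        reasons.append("elevation tool launched")
        if USER_WRITABLE.search(ev.image):
            reasons.append("tool staged in user-writable directory")
    if touches_av:
        reasons.append("command line references antivirus")
    # The combination is the strong signal: the post describes NSudo being used
    # specifically to try to disable antivirus.
    if is_tool and touches_av:
        reasons.append("HIGH: elevation tool used to act on antivirus")
    return reasons


def triage(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Return (image, reasons) for every event that scored at least one reason."""
    flagged = []
    for ev in map(parse_event, lines):
        if reasons := score_event(ev):
            flagged.append((ev.image, reasons))
    return flagged


if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

The rule deliberately scores the two weak signals (an elevation helper in a user-writable path, a command line naming antivirus) separately and only labels the event HIGH when both occur in one process launch; a lone `sc` call is a common administrative action and is reported at low priority so it can be reviewed rather than paged on.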
Microsoft published these details in its post.