Miscreants turn to ad tech to measure malware metrics

February 15, 2024 at 03:35AM

Cyber criminals are increasingly using ad networks to measure and tune their malware campaigns, which makes their social engineering lures more effective. They route victims through legitimate ad tech tools to track who clicks, evade automated analysis, and collect click-rate analytics. The HP Wolf Security report also highlights a rise in PDF-based malware delivery, a shift from macro-enabled documents towards Office exploits, and the hosting of payloads on trusted cloud services.

The HP Wolf Security threat report highlights a concerning trend: cyber baddies are using ad networks to measure how their malware lands and to evade detection, which makes their social engineering attacks more effective. Notably, these criminals have adopted ad tech tools and apply them to optimize malware campaigns much as a business manages a marketing campaign, tracking which lures get clicked and refining them.

One specific example of this tactic is the DarkGate PDF campaign, which uses ad tools to track its lures and delivers DarkGate, malware that gives the attackers backdoor access to victims' computers for data theft and ransomware. The campaign sends email messages with malicious PDF attachments; the PDF carries a social engineering message designed to prompt the victim to click a link that supposedly downloads the real document.

The attackers exploit office workers' familiarity with cloud-based applications, mimicking their interface elements and error messages closely enough that the fakes are hard to spot. The link itself passes through an ad network, which acts as a proxy: the attackers get analytics on who clicks, and because the payload sits behind the redirector rather than in the message, automated malware analysis systems struggle to reach and scan it.

Furthermore, the report from HP Wolf Security records a significant increase in the use of PDFs for malware delivery: 11 percent of the malware analyzed in Q4 2023 was delivered via PDF, up from 4 percent in Q1 and Q2 of the same year. The WikiLoader campaign is given as an example, spreading the Ursnif malware through a fake parcel delivery PDF.
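The check a practitioner would want against lures like the DarkGate and WikiLoader PDFs above is a static one: pull the link targets out of the attachment, unwrap any ad-network click-tracking redirector without ever contacting it, and see whether the "document" actually resolves to an executable. The script below does that. It is an added example, not code from the article or from HP Wolf Security, and everything specific in it is constructed: the tracker host `adclick.example.net`, the query parameters it is assumed to use for the destination (`u`, `url`, `dest`), and the sample PDF bytes.

```python
"""Added example, not code from the article or the HP Wolf Security report.

Static triage of a PDF lure: extract every /URI link action, unwrap
click-tracking redirector URLs of the sort ad networks use, and flag
destinations that deliver an executable payload, all offline. The tracker
host, its destination parameters and SAMPLE_PDF are constructed here; real
ad networks use their own hosts and parameter names.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# Constructed: click-tracking hosts and the parameters that hold the destination.
REDIRECTORS: Dict[str, tuple] = {
    "adclick.example.net": ("u", "url", "dest"),
}
# File types a "download the document" lure should never resolve to.
PAYLOAD_EXT = (".exe", ".msi", ".js", ".vbs", ".hta", ".lnk", ".zip", ".rar", ".iso", ".img")

# A /URI action value is either a literal string (...) or a hex string <...>.
URI_RE = re.compile(
    rb"/URI\s*\((?P<lit>(?:\\.|[^\\)])*)\)"
    rb"|/URI\s*<(?P<hex>[0-9A-Fa-f\s]*)>"
)


def _pdf_string(lit: Optional[bytes], hexs: Optional[bytes]) -> str:
    """Decode a PDF string object to text (ASCII/Latin-1 URLs only)."""
    if hexs is not None:
        digits = re.sub(rb"\s", b"", hexs)
        if len(digits) % 2:          # PDF pads an odd final digit with 0
            digits += b"0"
        return bytes.fromhex(digits.decode("ascii")).decode("latin-1")
    assert lit is not None
    # Undo the escapes a literal string may carry around parentheses/backslashes.
    return (lit.replace(b"\\(", b"(").replace(b"\\)", b")")
               .replace(b"\\\\", b"\\").decode("latin-1"))


def extract_uris(pdf: bytes) -> List[str]:
    """Return every URL referenced by a /URI link action, in file order."""
    return [_pdf_string(m.group("lit"), m.group("hex")) for m in URI_RE.finditer(pdf)]


def unwrap_redirect(url: str, max_hops: int = 5) -> List[str]:
    """Follow embedded-destination parameters offline, never contacting the tracker.

    Returns the chain [original, ..., final]; stops at the first host that is
    not a known redirector, on a loop, or after max_hops.
    """
    chain = [url]
    for _ in range(max_hops):
        parsed = urlparse(chain[-1])
        params = REDIRECTORS.get((parsed.hostname or "").lower())
        if not params:
            break
        qs = parse_qs(parsed.query)      # values come back percent-decoded
        nxt = next((qs[p][0] for p in params if qs.get(p)), None)
        if not nxt or nxt in chain:
            break
        chain.append(nxt)
    return chain


def triage_pdf(pdf: bytes) -> List[dict]:
    """Score each link in the PDF; a finding is suspicious if any reason fires."""
    findings = []
    for uri in extract_uris(pdf):
        chain = unwrap_redirect(uri)
        final_path = urlparse(chain[-1]).path.lower()
        reasons = []
        if len(chain) > 1:
            reasons.append("link routed through an ad-network click tracker")
        if final_path.endswith(PAYLOAD_EXT):
            reasons.append("destination is an executable/archive, not a document")
        findings.append({"uri": uri, "chain": chain, "reasons": reasons,
                         "suspicious": bool(reasons)})
    return findings


# Constructed sample: a minimal PDF with two link annotations, one tracked lure
# that resolves to an .exe and one ordinary help link.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [50 700 300 720] /A << /S /URI\n"
    b"  /URI (https://adclick.example.net/c?cid=8812&u=https%3A%2F%2Fdrop.example.org%2Finvoice.exe) >> >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [50 650 300 670] /A << /S /URI\n"
    b"  /URI <68747470733a2f2f7777772e6578616d706c652e636f6d2f68656c70> >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for f in triage_pdf(SAMPLE_PDF):
        print("SUSPICIOUS" if f["suspicious"] else "ok        ", " -> ".join(f["chain"]))
        for r in f["reasons"]:
            print("    ", r)
```

Two caveats before relying on this. The regex pass only sees uncompressed objects; real PDFs routinely keep annotations inside compressed object streams or build the URL at runtime from JavaScript, so a production tool should decompress with a proper PDF library (pikepdf or pdfminer) and treat /JS, /JavaScript and /Launch actions as findings in their own right. And the redirector list is the whole point: the campaign works precisely because the first hop is a legitimate ad-tech host that allow-lists and reputation feeds trust, so the unwrapping step, not the tracker's domain, is what exposes the payload.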

In addition to the PDF-based attacks, the report notes a shift towards Office exploits and away from macro-enabled attacks, as well as the hosting of malware on cloud services to take advantage of the trust users place in those platforms. The Remcos remote access trojan is cited as an example, using platforms such as Discord and TextBin to host and fetch its malicious files.

Given the growing sophistication of these attacks, Ian Pratt, global head of security for personal systems at HP, emphasizes adherence to zero trust principles as the way to counter well-resourced threat actors. Organizations are advised to isolate and contain risky activities such as opening email attachments, clicking on links, and downloading files in the browser, so that a successful lure does not translate into a compromised endpoint.
