Throughout the years, we’ve seen cybercriminals resort to all kinds of schemes to deliver malware and harvest sensitive information. Phishing attacks are the most common, but abusing Google Ads has also become very popular among threat actors. This brings us to the recent campaign involving the BATLOADER malware.
This particular malware leverages fake Google Ads that lure victims into downloading certain files, resulting in delivering secondary payloads like Vidar Stealer and Ursnif.
It’s a simple trick. The fake Google Ads will show up as a wide range of legitimate apps and services. But in reality, they’re BATLOADER. What do we know about this campaign? Find out below.
Fake Google Ads – Loading the BAT
As we mentioned, utilizing Google Ads to implement malicious practices has become a very popular method for threat actors to infiltrate systems.
In fact, a couple of months ago, a similar campaign saw cybercriminals taking advantage of this service to lure users searching for popular software products.
The problem here is that the threat actors behind the campaign know what they’re doing. They make sure that whatever the victim is searching for appears at the top of the search results.
Not only does this show legitimacy, but it also guarantees a click. BATLOADER isn’t new to the malicious scene.
The malware has been around for quite some time now, spreading next-stage malware such as information/banking stealers, Cobalt Strike, and even ransomware.
This particular malware thrives when it comes to perfectly impersonating certain software. The cybercriminals behind it always set up lookalike websites that host Windows installer files masquerading as legitimate apps.
In this campaign, these fake applications are probably the most popular ones on the internet today. We’re referring to the likes of Adobe, OpenAPI’s ChatGPT, Spotify, Tableau, and Zoom.
The installer files will execute Python scripts that contain the BATLOADER payload, which on its end, retrieves the next-stage malware from the threat actors’ remote server.
According to cybersecurity company eSentire:
“BATLOADER continues to see changes and improvement since it first emerged in 2022. BATLOADER targets various popular applications for impersonation.
This is no accident, as these applications are commonly found in business networks and thus, they would yield more valuable footholds for monetization via fraud or hands-on-keyboard intrusions.”
The statement says it all. BATLOADER has been improving ever since it saw the light back in 2022. Unfortunately, it doesn’t seem to be stopping anytime soon.
A BATLOADER to Be Feared – Google Ads Utilized Once More
Threat actors have been utilizing several services to commit their malicious practices. Google Ads have been used as a lure for a long time now, and it seems to be very effective up till now.
These types of campaigns are pretty dangerous, especially due to the fact that they can fool just anyone. Whenever you search for a service, make sure it’s a legitimate one. Don’t just download any file that you stumble upon.