Professional Documents
Culture Documents
CORP Threat Brief Malvertising Ebook
CORP Threat Brief Malvertising Ebook
Malvertising
June 2023
2
Threat Brief: Malvertising
MALVERTISING AS A MALWARE
DELIVERY VECTOR
Malvertising is the use of online ads to
spread scams or malware. It has been
used by threat actors for years as both a
cost-efficient and precise delivery vector.
This simple cloaking technique has been In the screenshots below we see a fake the illusion that they installed what they
used for years and continues to be very website offering the PyCharm Python were looking for.
effective. software for download. We note that the
file size is over 400 MB, and that is not a However, that installer also contains a
Another evasion technique targets coincidence at all. malicious PowerShell script that will run
antivirus software. Malware authors silently and retrieve malware. Because it is
know that some security products have We also see another evasion technique a script and the download can be pointed
limitations such as the size of a given that is rather clever. In the example above to any location, the threat actor can once
file. For example, if a file is bigger than the file is an MSI installer that contains the more avoid detection.
100MB, it is not scanned. real piece of software, giving the victim
Count
vs Date
Threat Brief: Malvertising
Count
0
40
60
80
20
2
1/2023
1/2023
1/2023
to reach a peak in February 2023.
0 0 1
1/2023
7
1/2023
2
1/2023
1/2023
10
5
RANSOMWARE
1/2023
2
1/2023
8
1/2023
1/2023
29
1/2023
30
1/2023
73
1/2023
61
1/2023
45
17
1/2023
1/2023
10
1/2023
24
1/2023
45
2/2023
2/2023 31
32
2
2/2023
11
2/2023
7
2/2023
10
2/2023
45
2/2023
7
2/2023
7
2/2023
6
2/2023
1
2/2023
Date
0
2/2023
7
2/2023
11
2/2023
7
2/2023
3
2/2023
10
2/2023
1
2/2023
2/2023
2/2023
2/2023
0 0 0 0
2/2023
3
MALVERTISING AS A PRECURSOR TO
2/2023
These malvertising campaigns started in earnest around late November and ran for several months
2/2023
2/2023
0 0 0
2/2023
3
2/2023
2
2/2023
3/2023
3/2023
3/2023
0 0 0 0
3/2023
1
3/2023
3/2023
0 0
3/2023
5
3/2023
1
3/2023
5
3/2023
1
3/2023
7
8
Threat Brief: Malvertising
In the pie chart below, we show the most common searches leading to malicious ads: During that time, we observed the
following malware families being
dropped:
Top searches
• IcedID
• Aurora Stealer
IRS
Rufus • BatLoader
6.2%
18.3%
AnyDesk
• Vidar
6.2%
Thunderbird • Gozi
6.6%
• RedLine
TeamViewer NotePad++
6.6% 13.6% • PureCrypter
CPU-Z • Rhadamanthys
7.4%
Tor Browser
TradingView • Raccoon Stealer
13.2%
10.5% • NetSupport RAT
GIMP • FakeBat
11.3%
9
Threat Brief: Malvertising
Most of those threats are infostealers, collecting any credentials stored in the browser or the computer. Threat actors can
then leverage any stolen data to further monetize their victims. For example, an IcedID infection may lead to tools such as
Cobalt Strike being dropped.
Google GitLab
14.4% 13.5%
4sync
13.5%
Discord
BitBucket 21.6%
4.5%
DropBox
32.4%
In fact, ransomware groups are very interested in stolen credentials that often include RDP or VPN access that they can
use for initial access. This is not new; back in 2019 the Vidar stealer was combined with the GanCrab ransomware via
malvertising attacks.
10
Threat Brief: Malvertising
Learn more about what solutions your organization needs to prevent malvertising and ransomware.
Malwarebytes believes that when people and organizations are free from threats, they are free to thrive. Much more than malware remediations, the
company provides cyberprotection, privacy, and prevention to tens of thousands of consumers and organizations every day. For more information,
visit https://www.malwarebytes.com.
Copyright © 2023, Malwarebytes. All rights reserved. Malwarebytes and the Malwarebytes logo are trademarks of Malwarebytes. Other marks and brands may be claimed as the property of others.
All descriptions and specifications herein are subject to change without notice and are provided without warranty of any kind. 06/2023