Royal Ransomware deployed by DEV-0569
Microsoft Threat Intelligence reports that a threat actor tracked as DEV-0569 has developed new tools to deliver the Royal ransomware.
The temporary 'DEV-####' name means Microsoft is unsure about the group's origin or identity. DEV-0569 typically relies on malvertising and phishing link vectors.
A malware downloader called BATLOADER, which poses as legitimate software installers such as TeamViewer, Adobe Flash Player and Zoom, or as updates embedded in spam emails and fake forum pages, deploys the Royal ransomware and is being distributed by multiple threat actors.
Once launched, BATLOADER uses MSI Custom Actions to launch malicious PowerShell activity or run batch scripts that aid in disabling security solutions and lead to the delivery of various encrypted malware payloads, which are decrypted and launched with PowerShell commands.
Microsoft also noticed that DEV-0569 started using contact forms to deliver its payloads. In one particular campaign, DEV-0569 posed as a national financial authority and sent a message to targets using the contact form on the targets' websites. When a contacted target responded via email, DEV-0569 replied with a message that contained a link to BATLOADER.
DEV-0569 started hosting fake installer files on legitimate-looking software download sites and legitimate repositories to make malicious downloads look authentic to targets, and expanded its malvertising technique by using Google Ads in regular campaigns, effectively blending in with normal ad traffic.
Microsoft noted activity last month in which DEV-0569 used the open-source NSudo tool to attempt to disable antivirus solutions.
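As an added example (not taken from Microsoft's report or from the original article), the two behaviors described above, an MSI installer spawning PowerShell or a batch interpreter and execution of NSudo, can be expressed as a simple hunting rule over process-creation events. The event field names, the sample events, the inclusion of `pwsh.exe` and the `nsudo` substring match are assumptions made for illustration.

```python
import ntpath

# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File update.ps1"},
    {"host": "ws01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
    {"host": "ws02", "parent": r"C:\Windows\SysWOW64\msiexec.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\Public\setup.bat"},
    {"host": "ws02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\NSudoLG.exe",
     "cmdline": "NSudoLG.exe <arguments elided>"},
    {"host": "ws03", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\msiexec.exe", "cmdline": "msiexec.exe /V"},
]

# Interpreters an MSI Custom Action would start to run PowerShell or batch scripts.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

def basename(path):
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return ntpath.basename(path).lower()

def classify(event):
    """Return the names of the hunting rules this event matches."""
    hits = []
    parent, image = basename(event["parent"]), basename(event["image"])
    if parent == "msiexec.exe" and image in SCRIPT_HOSTS:
        hits.append("msi_spawns_script_host")
    # Name-based match only; a renamed binary would need hash or signer data.
    if "nsudo" in image or "nsudo" in event["cmdline"].lower():
        hits.append("nsudo_execution")
    return hits

def hunt(events):
    """Return (host, rule, cmdline) for every rule hit across the events."""
    return [(e["host"], r, e["cmdline"]) for e in events for r in classify(e)]

if __name__ == "__main__":
    for host, rule, cmdline in hunt(SAMPLE_EVENTS):
        print(f"{host}\t{rule}\t{cmdline}")
```

Legitimate installers also start script interpreters from Custom Actions, so hits from the first rule are triage leads to correlate with the installer's source and signer rather than confirmed detections.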
Microsoft made some mitigation recommendations to reduce the impact of the DEV-0569 threat:
- Encourage users to use web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware
- Turn on network protection to block connections to malicious domains and IP addresses
- Use Attack simulation training in Microsoft Defender for Office 365 to run attack scenarios, increase user awareness, and empower employees to recognize and report these attacks
- Practice the principle of least privilege and maintain credential hygiene
- Avoid the use of domain-wide, admin-level service accounts. Restricting local administrative privileges can help limit the installation of RATs and other unwanted applications.
- Turn on cloud-delivered protection and automatic sample submission on your antivirus
- Turn on tamper protection features to prevent attackers from stopping security services