Miscreants turn to ad tech to measure malware metrics

Now that's what you call dual-use tech

Cyber baddies have turned to ad networks to measure malware deployment and to avoid detection, according to HP Wolf Security.

The security group's Q4 2023 Threat Insights Report finds criminals have adopted ad tech tools to make their social engineering attacks more effective.

"Cyber criminals are applying the same tools a business might use to manage a marketing campaign to optimize their malware campaigns, increasing the likelihood the user will take the bait," explained Ian Pratt, global head of security for personal systems at HP, in a statement.

The DarkGate PDF malware campaign, for example, relies on ad tools. Dating back to 2018, DarkGate provides backdoor access to victims' computers for the purpose of data theft and ransomware.

The campaign involves sending email messages to victims with malicious PDF attachments. Those duped into opening one see a social engineering message – often in the form of a Microsoft OneDrive error message that prompts the victim to click a link to download the document.

The report explains that this often works because the attackers know that office workers rely on cloud-based applications with user interfaces that often change. This makes it more difficult to spot fake interface elements or bogus error messages.

Clicking on the fake OneDrive error message does not immediately download the malware payload. Rather, it routes the victim's click – containing identifiers and the domain hosting the file – through an advertising network and then it fetches the malicious URL, which is not evident in the PDF.

"Using an ad network as a proxy helps the attacker to evade detection and collect analytics on who clicks their links," the report explains. "Since the advertising network uses CAPTCHAs to verify real users to prevent click fraud, it's unlikely automated malware analysis systems would be able to scan the malware payload, leading to the risk of falsely classifying the file as safe."
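The detection problem the report describes is that the link visible in the PDF is the ad network's click-tracker URL, not the file host, so a scanner that only extracts and checks the literal link never sees the real destination. The script below is an added example (not code from the article or from HP Wolf Security) of the triage step a defender would want: pull the link annotations out of a PDF, and for each one look for a query parameter that carries an embedded http(s) URL, which is the signature of a click routed through an intermediary. The PDF fragment and every hostname in it (`clicks.adnet.example.test`, `files.example.test`) are constructed for the example; they are not indicators from the campaign.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed minimal PDF fragment (not a real malicious sample): two link
# annotations. The first points straight at a document host; the second routes
# the click through a hypothetical ad-network click tracker whose query string
# carries a campaign id, a host identifier and the real destination.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
 /A << /S /URI /URI (https://docs.example.test/invoice.pdf) >> >>
endobj
2 0 obj << /Type /Annot /Subtype /Link /Rect [72 600 300 620]
 /A << /S /URI /URI (https://clicks.adnet.example.test/c?cid=1234&host=files.example.test&u=https%3A%2F%2Ffiles.example.test%2Fdl%2Fdoc.msi) >> >>
endobj
%%EOF
"""

# Matches the /URI (...) entry of an uncompressed link annotation action.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def extract_link_uris(pdf_bytes):
    """Return the /URI targets of uncompressed link annotations in a PDF."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf_bytes)]


def unwrap_redirect(url):
    """If a query parameter carries an embedded http(s) URL, return (param, target)."""
    qs = parse_qs(urlparse(url).query)
    for name, values in qs.items():
        for v in values:
            dec = unquote(v)
            if dec.lower().startswith(("http://", "https://")):
                return name, dec
    return None


def triage_links(pdf_bytes):
    """Classify each link as direct or as a redirect through an intermediary."""
    findings = []
    for uri in extract_link_uris(pdf_bytes):
        parsed = urlparse(uri)
        wrapped = unwrap_redirect(uri)
        if wrapped:
            param, target = wrapped
            findings.append({
                "link": uri,
                "verdict": "redirect-through-intermediary",
                "intermediary": parsed.hostname,
                "destination": target,          # the URL the PDF never shows directly
                "tracking_params": sorted(k for k in parse_qs(parsed.query) if k != param),
            })
        else:
            findings.append({"link": uri, "verdict": "direct", "intermediary": None,
                             "destination": uri, "tracking_params": []})
    return findings


if __name__ == "__main__":
    for f in triage_links(SAMPLE_PDF):
        print(f["verdict"], f["intermediary"], "->", f["destination"], f["tracking_params"])
```

The regex only sees annotations stored uncompressed; a production pipeline should walk the object tree with a proper PDF parser so that links inside object streams are covered too. The useful output is the unwrapped `destination`: that is the URL to submit to the sandbox, since fetching the tracker link itself hands the analysis environment the CAPTCHA the report mentions rather than the payload.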

According to HP Wolf Security, 11 percent of malware analyzed in Q4 2023 relied on PDFs for delivery – up from 4 percent in Q1 and Q2 that same year. As an example, the security biz points to the WikiLoader campaign, which used a fake parcel delivery PDF to spread malware known as Ursnif.

The security biz also notes that it's seeing more Office exploits and fewer macro-enabled attacks. During Q4, about 84 percent of attempted intrusions incorporated spreadsheets, while 73 percent involved Word documents.

Finally, the report notes that attackers continue to host malware on cloud services as a way to benefit from the trust users may place in these platforms. The analysts point to the Remcos remote access trojan, which relies on a user-downloaded JavaScript file hosted on the chat service Discord. The malicious file then connects to the file-sharing service TextBin to fetch a Base64-encoded executable hosted there.
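A paste service returns text, so a proxy or sandbox that inspects the response body sees a block of Base64 rather than a binary. The check below is an added example (not code from the article or from HP Wolf Security) of how a defender can look through that encoding: decode the text leniently, since pasted blobs are often line-wrapped and may lack padding, then test the result for the DOS `MZ` stub and the `PE\0\0` signature at the offset stored in `e_lfanew`. The sample paste is constructed from a 68-byte buffer that carries only those header fields; it is not a real executable.

```python
import base64
import binascii
import struct


def decode_lenient(text):
    """Base64-decode pasted text, ignoring line breaks and fixing missing padding."""
    cleaned = "".join(text.split())
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        return base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_pe(blob):
    """True if blob has the DOS 'MZ' header and a 'PE\\0\\0' signature at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)   # offset of the PE header
    return len(blob) >= e_lfanew + 4 and blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_paste(text):
    """Label a fetched text body: not Base64, Base64 of something else, or a hidden PE file."""
    blob = decode_lenient(text)
    if blob is None:
        return "not-base64"
    if looks_like_pe(blob):
        return "base64-pe-executable"
    return "base64-other"


# Constructed fake payload: just the two header fields a loader checks first.
_fake_pe = bytearray(0x44)
_fake_pe[0:2] = b"MZ"
struct.pack_into("<I", _fake_pe, 0x3C, 0x40)           # e_lfanew -> 0x40
_fake_pe[0x40:0x44] = b"PE\x00\x00"
SAMPLE_PASTE = base64.b64encode(bytes(_fake_pe)).decode()
# Paste sites commonly wrap long lines; wrap at 40 columns to exercise the lenient decoder.
SAMPLE_PASTE = "\n".join(SAMPLE_PASTE[i:i + 40] for i in range(0, len(SAMPLE_PASTE), 40))

if __name__ == "__main__":
    print(classify_paste(SAMPLE_PASTE))   # base64-pe-executable
```

The same decode-then-inspect step applies to the JavaScript stage: a script that downloads a text body and calls the platform's Base64 decoder before writing a file is the behaviour to alert on, independent of which paste or chat service happens to host the stages this quarter.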

While the attacks may be more sophisticated, Pratt's advice for countering them remains the same: "To protect against well-resourced threat actors, organizations must follow zero trust principles, isolating and containing risky activities like opening email attachments, clicking on links, and browser downloads." ®
