Last month, a malware loader known as BATLOADER was seen abusing the Google Ads contextual advertising service to deliver secondary payloads such as Vidar Stealer and Ursnif. According to eSentire, malicious ads are used to spoof a wide range of legitimate apps and services such as Adobe, OpenAPI, Spotify, Tableau and Zoom.
BATLOADER, as the name suggests, is a loader responsible for delivering next-stage malware, such as information stealers, banking malware and even ransomware.
One of the key features of BATLOADER is its use of software impersonation to deliver malware. The operators set up look-alike websites that host Windows Installer files masquerading as legitimate applications, so that a user searching for legitimate software who clicks on a fraudulent ad on a Google search results page triggers the infection sequence.
When run, the ".msi" installer files execute Python scripts containing the BATLOADER payload, which then downloads the next-stage malware to the victim's computer.
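The MSI-to-Python chain described above is something a defender can look for in process-creation telemetry. The following is an added example, not code from the article or from eSentire: it walks the parent chain of each process event and flags a Python interpreter that has msiexec.exe as an ancestor. The event field names and the sample events are constructed for illustration.

```python
from typing import Dict, List, Optional

# Constructed process-creation events, loosely modelled on Sysmon Event ID 1.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe",          "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\msiexec.exe",  "cmd": "msiexec.exe /i Setup.msi"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",      "cmd": "cmd.exe /c run.bat"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\u\AppData\Local\Temp\py\pythonw.exe", "cmd": "pythonw.exe updater.py"},
    # Benign: an interpreter launched from Explorer, not from an installer.
    {"pid": 500, "ppid": 100, "image": r"C:\Program Files\Python311\python.exe", "cmd": "python.exe script.py"},
]

INTERPRETERS = {"python.exe", "pythonw.exe"}
INSTALLER = "msiexec.exe"
MAX_DEPTH = 4  # parent hops to walk; installers often go via cmd/powershell first

def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def msi_ancestor(event: Dict, by_pid: Dict[int, Dict], max_depth: int = MAX_DEPTH) -> Optional[Dict]:
    """Return the msiexec.exe event if it appears within max_depth parent hops, else None."""
    cur = by_pid.get(event["ppid"])
    for _ in range(max_depth):
        if cur is None:
            return None
        if basename(cur["image"]) == INSTALLER:
            return cur
        cur = by_pid.get(cur["ppid"])
    return None

def find_msi_spawned_python(events: List[Dict]) -> List[Dict]:
    """Flag interpreter launches whose ancestry includes msiexec.exe."""
    # Note: keyed by pid only; real telemetry should also key on process start time
    # to avoid pid reuse confusing the ancestry walk.
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) in INTERPRETERS:
            anc = msi_ancestor(e, by_pid)
            if anc is not None:
                hits.append({"pid": e["pid"], "cmd": e["cmd"], "installer_cmd": anc["cmd"]})
    return hits

if __name__ == "__main__":
    for h in find_msi_spawned_python(SAMPLE_EVENTS):
        print(f"suspect: pid={h['pid']} {h['cmd']!r} under {h['installer_cmd']!r}")
```

A hit is only a starting point for triage, since some legitimate installers bundle a Python runtime; the installer command line and the script path are the fields to pivot on.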
Other BATLOADER samples analyzed by eSentire contained additional features that allow the malware to establish persistence in corporate networks.
“Cybercriminals are abusing the Google ad network by buying ad space for popular keywords and related misspellings,” cybersecurity firm Malwarebytes noted in July 2022.
“BATLOADER has continued to undergo changes and improvements since its first release in 2022. The malware intentionally impersonates other applications that are often found on business networks,” said eSentire.