Cyber 'ad-versaries' adopt professional marketing techniques

A new report from HP Wolf Security shows cybercrime groups are using professional advertising tools to optimize their malware campaigns and convince users to take the bait.

The report identifies the DarkGate campaign which uses ad tools to sharpen attacks. Malicious PDF attachments, posing as OneDrive error messages, direct users to sponsored content hosted on a popular ad network. This leads to DarkGate malware which hands backdoor access to cybercriminals into networks, exposing victims to risks like data theft and ransomware..

By using ad services, threat actors can analyze which lures generate clicks and infect the most users, helping them refine campaigns for maximum impact. Threat actors can also use CAPTCHA tools to prevent sandboxes from scanning malware and stopping attacks by ensuring only humans click.

The report also shows that in Q4, at least 84 percent of attempted intrusions involving spreadsheets, and 73 percent involving Word documents, sought to exploit vulnerabilities in Office applications -- continuing the trend away from macro-enabled Office attacks. But macro-enabled attacks still have a place, particularly for attacks leveraging cheap commodity malware like Agent Tesla and Xworm.

PDF malware is on the rise too. 11 percent of malware analyzed in Q4 used PDFs to deliver malware, compared to just four percent in Q1 and Q2 of 2023. A notable example was a WikiLoader campaign using a fake parcel delivery PDF to trick users into installing Ursnif malware.

Alex Holland, senior malware analyst in the HP Wolf Security threat research team, says, "Cybercriminals are becoming adept at getting into our heads and understanding how we work. For instance, the design of popular cloud services is always being refined, so when a fake error message appears, it won't necessarily raise an alarm, even if a user hasn't seen it before. With GenAI generating even more convincing malicious content at little-to-no cost, distinguishing real from fake will only get harder."

Among other findings archives were the most popular malware delivery type for the seventh quarter running, used in 30 percent of malware analyzed by HP. At least 14 percent of email threats identified by HP Sure Click bypassed one or more email gateway scanners. The top threat vectors in Q4 were email (75 percent), downloads from browsers (13 percent) and other means like USB drives (12 percent).

The full report is available from the HP Wolf site.

Photo credit: sindlera / Shutterstock