BATLOADER Malware Uses Google Ads for Ursnif and Vidar Stealer
The Executive Headlines
BATLOADER, the malware downloader, has been seen abusing Google Ads to deliver secondary payloads such as Ursnif and Vidar Stealer.
eSentire, the cybersecurity firm, says the malicious ads impersonate a wide array of legitimate apps and services such as Spotify, Zoom, Tableau, Adobe, and OpenAI's ChatGPT.
As its name suggests, BATLOADER is a loader that distributes next-stage malware such as banking malware, information stealers, Cobalt Strike, and even ransomware.
One of the malware's notable features is its use of software impersonation to deliver the malware.
eSentire said, "BATLOADER continues to see changes and improvement since it first emerged in 2022. BATLOADER targets various popular applications for impersonation. This is no accident, as these applications are commonly found in business networks and thus, they would yield more valuable footholds for monetization via fraud or hands-on-keyboard intrusions."
This is accomplished by setting up lookalike websites that host Windows installer files impersonating legitimate apps; the infection sequence is triggered when a user searching for the software clicks a malicious ad on Google's search results page (SERP).
When run, these MSI installer files execute Python scripts containing the BATLOADER payload, which retrieves the next-stage malware from a remote server.
This modus operandi marks a slight change from the earlier attack chains seen in December 2022, in which the MSI installer files ran PowerShell scripts to download the stealer malware.
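The chain described above (an MSI installer launching a script interpreter that then fetches a payload from a remote server) is something endpoint telemetry can surface. The following is an added detection example, not code from eSentire or the article; it runs over constructed process-start and network-connect records and covers both the Python variant and the earlier PowerShell variant mentioned here. The record layout, process names and the `example.invalid` hosts are assumptions for illustration.

```python
from dataclasses import dataclass

# Script hosts reported in the two BATLOADER chains: Python now, PowerShell in Dec 2022.
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "powershell.exe"}

@dataclass(frozen=True)
class ProcStart:
    ts: int        # seconds since epoch (constructed)
    pid: int
    ppid: int
    image: str     # executable file name
    cmdline: str

@dataclass(frozen=True)
class NetConnect:
    ts: int
    pid: int
    dest_host: str

def find_installer_script_chains(procs, conns, window=300):
    """Return (installer_pid, script_pid, dest_host) for every script host spawned
    by msiexec.exe that opens an outbound connection within `window` seconds."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if p.image.lower() not in SCRIPT_HOSTS:
            continue
        parent = by_pid.get(p.ppid)
        if parent is None or parent.image.lower() != "msiexec.exe":
            continue
        for c in conns:
            if c.pid == p.pid and 0 <= c.ts - p.ts <= window:
                hits.append((parent.pid, p.pid, c.dest_host))
    return hits

# Constructed sample telemetry (not real data): a lookalike "Zoom" installer spawns
# pythonw.exe, which calls out; an unrelated python.exe started from Explorer also
# makes a connection and must not be flagged.
SAMPLE_PROCS = [
    ProcStart(1000, 100, 1,   "explorer.exe", "explorer.exe"),
    ProcStart(1010, 200, 100, "msiexec.exe",  'msiexec.exe /i "ZoomInstaller.msi"'),
    ProcStart(1015, 300, 200, "pythonw.exe",  "pythonw.exe setup.py"),
    ProcStart(1020, 400, 100, "python.exe",   "python.exe -m pip install requests"),
]
SAMPLE_CONNS = [
    NetConnect(1025, 300, "update.example.invalid"),    # placeholder for the remote server
    NetConnect(1030, 400, "packages.example.invalid"),  # benign download, not flagged
]
```

Calling `find_installer_script_chains(SAMPLE_PROCS, SAMPLE_CONNS)` on the sample data flags only the msiexec-spawned pythonw.exe, keyed by the parent and child pids and the destination host.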
Analysis of other malware samples by eSentire also revealed added capabilities that enable the malware to establish entrenched access to enterprise networks.