BATLOADER Malware Uses Google Ads to Deliver Vidar Stealer and Ursnif Payloads
Mar 11, 2023
Cyber Threat Intelligence
The malware downloader known as BATLOADER has been observed abusing Google Ads to deliver secondary payloads like Vidar Stealer and Ursnif. According to cybersecurity company eSentire , the malicious ads are used to spoof a wide range of legitimate apps and services such as Adobe, OpenAPI's ChatGPT, Spotify, Tableau, and Zoom. BATLOADER , as the name suggests, is a loader that's responsible for distributing next-stage malware such as information stealers, banking malware, Cobalt Strike, and even ransomware. One of the key traits of the BATLOADER operations is the use of software impersonation tactics for malware delivery. This is achieved by setting up lookalike websites that host Windows installer files masquerading as legitimate apps to trigger the infection sequence when a user searching for the software clicks a rogue ad on the Google search results page. These MSI installer files, when launched, execute Python scripts that contain the BATLOADER payload to ...