
Ransomware Group DEV-0569 Exhibits Remarkable Innovation, Microsoft Issues a Warning

Researchers say DEV-0569 regularly uses creative discovery techniques to lure victims.


Ransomware comes in many varieties, but most campaigns follow the same pattern: they start with spam and then move on to infecting the system with the ransomware payload.

According to a report published by Microsoft this week, the DEV-0569 cyberattack group, tracked by Microsoft Security Threat Intelligence, has been observed improving its discovery techniques, detection evasion, and post-compromise payloads as it continues to refine these capabilities.

A specific characteristic of DEV-0569 is that it uses malvertising and phishing links in spam emails and fake forum pages to convince the recipient to download a malware downloader masquerading as a software installer or update, the Microsoft researchers added. 

Over just a few months, the Microsoft team observed several innovations in the group's activity. These included hiding malicious links in contact forms and burying fake installers on legitimate download sites. The group also used Google Ads in its advertising campaigns to mask its malicious activity.

The Microsoft report also notes that DEV-0569's malware payloads are encrypted and delivered as signed binaries. In recent campaigns, the group has been seen using the open-source tool NSUDO in an attempt to disable antivirus solutions; the group is well known for relying heavily on defense evasion techniques to get past security controls.

DEV-0569 has proven successful, and Microsoft Security describes the group as an access broker whose intrusions other ransomware operations can build on.

Cyberattacks: How Ingenuity Can Counter Them 

Apart from the new tricks, Mike Parkin, senior technical engineer at Vulcan Cyber, notes that the threat group effectively adjusts its campaign tactics along the edges. Despite this, they depend on users making mistakes during the process. The key to ensuring a successful defense program is to educate the user, according to Mike Parkin. 

Dark Reading reports that the phishing and malvertising attacks reported here entirely depend on the user interacting with the lure to make the attacks successful. As a consequence, when the user does not interact with the system, there is no security threat. 

According to Mike, security teams need to keep an eye on the latest exploits and malware being deployed in the wild to stay ahead of the game; alongside this, a certain level of user awareness and education is necessary for the user community to become a solid line of defense instead of being the main attack surface.

Controls in IAM are important 

Identity and access management (IAM) controls are an important part of the recommendations from RSA's IAM team, according to Robert Hughes, RSA CISO.

Even where malware cannot be prevented at the human and endpoint level, strong identity and access governance can help control the spread of malware and limit its impact. For instance, Hughes says it is possible to stop authorized individuals from clicking a link or installing software they are authorized to install, by preventing them from clicking on a link. Protecting your data and identities from ransomware attacks will help mitigate the damage such attacks could cause in the future, and it will also make it easier to re-image your endpoints when resolving the incident.

Phil Neray of CardinalOps confirms that this is the right track. According to him, because techniques like malicious Google Ads are tough to defend against, security teams must also focus on minimizing the fallout after an attacker successfully downloads and executes a ransomware payload.

In that case, Neray recommends making sure the SOC is capable of detecting suspicious or unauthorized behavior, such as privilege escalation and the use of remote management and admin tools like PowerShell that "live off the land."