Defending Against UNC2975: Team Effort by Managed Defense, Advanced Practices, and Google Anti-Malvertising
Cyber Security Threat Summary:
Earlier this year, Mandiant's Managed Defense threat hunting team discovered a malicious advertising (malvertising) campaign linked to UNC2975, a threat actor group. The campaign involved sponsored search engine results and social media posts, using fake websites related to "unclaimed funds." The attackers leveraged malvertising to distribute PAPERDROP and PAPERTEAR downloader malware, leading to the deployment of the DANABOT and DARKGATE backdoors.
In their investigation, Mandiant pinpointed various malware families, such as PAPERDROP, PAPERTEAR, DANABOT, and DARKGATE. UNC2975 utilized advanced methods like impersonation and cloaking to circumvent Google Ads verification. The malevolent ads specifically aimed at users conducting searches related to "unclaimed money.”
Security Officer Comments:
Victims, upon clicking the ads, were directed to fake websites prompting them to enter personal information. These sites delivered ZIP archives containing Visual Basic scripts (PAPERDROP and PAPERTEAR). UNC2975 used different delivery chains to download and execute secondary payloads, including DANABOT and DARKGATE.
Mitigation:
The cybersecurity entity Managed Defense partnered with Advanced Practices and the Google Anti-Malvertising team to eliminate harmful advertisements and notify impacted organizations. UNC2975, operational since 2021, established deceptive websites centered around themes such as unclaimed money and family ancestry. Initially leveraging social media, UNC2975 expanded its tactics to include Microsoft and Google advertising.
Suggested Correction(s):
https://www.mandiant.com/resources/blog/detecting-disrupting-malvertising-backdoors