DEV-0569, a threat actor tracked by Microsoft, has become quite nimble in its tactics, which include the deployment of Royal ransomware and other malicious payloads. According to Microsoft, DEV-0569 attacks show a pattern of continuous innovation, with regular incorporation of new discovery techniques, defense evasion, and various post-compromise payloads, alongside increasing ransomware facilitation. Behaviors currently attributed to DEV-0569 include, but are not limited to:
- Malvertising, including the incorporation of Google Ads to blend in with normal traffic.
- The use of contact forms on targeted organizations’ websites to deliver phishing links.
- Hosting fake installer files on legitimate-looking software download sites (imitating TeamViewer, Adobe Flash Player, Zoom, and AnyDesk) and on legitimate repositories such as GitHub and OneDrive, to make malicious downloads look authentic to targets.
- The use of file formats such as Virtual Hard Disk (VHD) images that impersonate legitimate software to deliver first-stage payloads.
- Using PowerShell and batch scripts for downloading malware payloads or remote management tools to maintain persistence or proliferate ransomware.
- Tampering with antivirus products in an attempt to disable them.
User education goes a long way to help protect against these tactics and techniques that often begin with some form of social engineering. Additionally, to help limit damage when users do fall victim, members are encouraged to verify or implement appropriate cybersecurity controls to protect from the plethora of behaviors currently attributed to DEV-0569, such as:
- Maintaining positive credential hygiene, including MFA.
- Implementing the principle of least privilege.
- Restricting/limiting widespread use of local administrative privileges.
- Avoiding the use of domain-wide, admin-level service accounts.
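An added example, not from Microsoft's report or this bulletin: a host-side PowerShell audit for the last two controls above. It lists services that log on with a domain account and flags those marked by AdminCount (an assumed heuristic for protected-group membership), then lists domain principals sitting in the local Administrators group. It assumes Windows PowerShell 5.1+ on a domain-joined host with the RSAT ActiveDirectory module installed.

```powershell
# Added example, not from Microsoft's report: audit one host for domain-wide
# admin-level service accounts and for broad local Administrators membership.
# Assumes a domain-joined host and the RSAT ActiveDirectory module.
Import-Module ActiveDirectory -ErrorAction Stop

$builtinLogons = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')

# 1. Services that log on as DOMAIN\user, skipping built-in identities,
#    local (.\user) accounts, virtual (NT SERVICE\) accounts and managed
#    service accounts (whose sAMAccountName ends with '$').
$domainServices = Get-CimInstance -ClassName Win32_Service | Where-Object {
    $_.StartName -and
    $builtinLogons -notcontains $_.StartName -and
    $_.StartName -match '^[^\\.]+\\[^$]+$' -and
    $_.StartName -notlike 'NT SERVICE\*'
}

# 2. AdminCount is set to 1 by SDProp for members (direct or nested) of
#    protected groups such as Domain Admins. It is not cleared when an
#    account leaves those groups, so a hit is a prompt to review, not proof.
$serviceFindings = foreach ($svc in $domainServices) {
    $sam = ($svc.StartName -split '\\')[-1]
    try {
        $acct = Get-ADUser -Identity $sam -Properties AdminCount -ErrorAction Stop
        [pscustomobject]@{
            Check   = 'DomainServiceAccount'
            Service = $svc.Name
            Account = $svc.StartName
            Flag    = ($acct.AdminCount -eq 1)
        }
    } catch {
        Write-Warning "Could not resolve $($svc.StartName) in AD: $_"
    }
}

# 3. Domain principals in local Administrators. Anything beyond the groups you
#    expect there widens the blast radius of a single phished user.
$expectedAdmins = @('Domain Admins')   # constructed baseline; adjust per environment
$localAdminFindings = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' } |
    ForEach-Object {
        [pscustomobject]@{
            Check   = 'LocalAdministrators'
            Service = $null
            Account = $_.Name
            Flag    = ($expectedAdmins -notcontains (($_.Name -split '\\')[-1]))
        }
    }

@($serviceFindings) + @($localAdminFindings) | Where-Object Flag | Format-Table -AutoSize
```

Run it with an account that can read AD user attributes; the warnings it emits for unresolvable logon names are themselves worth reviewing, since a service bound to a deleted or renamed account is often a stale configuration.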
Visit Microsoft for more.