People walk past blank advertising frames hung up in a subway station

Malvertising: A stealthy precursor to infostealers and ransomware attacks

This article is based on research by Jérôme Segura, Senior Director of Threat Intelligence at Malwarebytes, who oversees data collection from spam feeds and telemetry to identify the most relevant threats.

Malvertising, the practice of using online ads to spread malware, can have dire consequences—and the problem only seems to be growing.

New research from the Malwarebytes Threat Intelligence team shows over 800 malvertising-related attacks in 2023 so far alone, an average of almost 5 attacks per day. But even these are only the ones reported by security researchers—in reality the number is much higher.

Our research indicates that malvertising ads often deliver infostealer malware such as IcedID, Aurora Stealer, and BATLOADER among others. These programs steal credentials from users’ browsers or computers, sowing the seeds for a future ransomware attack. 

Malvertising attack count throughout 2023

Ransomware gangs often buy stolen credentials from other cyber criminals involved in the dirty work of initial access brokering. In the case of malvertising, the chain of events looks something like this:

  1. Malvertising campaigns infect users with infostealers.
  2. Infostealers harvest user credentials.
  3. Stolen credentials are sold in underground forums.
  4. Ransomware actors buy these credentials to infiltrate networks.

Alternatively, some ransomware gangs have been observed use malvertising themselves to launch an attack on a victim machine directly.

The Royal ransomware group, for example, used malvertising to disguise BATLOADER as legitimate installers for applications like TeamViewer. BATLOADER then drops a Cobalt Strike Beacon as a precursor to the ransomware execution. 

For organizations looking to nip the malvertising-ransomware connection in the bud, however, perhaps the biggest challenge is how hard malvertising can be to spot. Threat actors often impersonate the official brand name and website in the ad snippet, making attacks extremely deceptive for the average user.

Can you spot the typo in this malvertising attempt? 

Even experts at Google have struggled to identify malicious redirects from an ad, underscoring the fact that malvertising is a nuanced, technical problem that requires advanced tools to spot.

In other words, your defense strategy against malvertising shouldn’t hinge entirely on your team recognizing brand impersonation. Instead, focus on equipping your team with advanced security tools to do the heavy lifting.

Some of the main tools you can use to prevent malvertising include:

  • Vulnerability and patch management software: Malvertising often exploits known vulnerabilities in systems, applications, or browsers. These tools can help ensure that web browsers (including plug-ins) are up-to-date with the latest security patches.
  • Web protection applications: Since malvertising campaigns often rely on connecting to malicious servers to download additional malware or steal information, blocking these connections can stop the attack in its tracks.
  • Ad blockers: These can filter out potential malvertising threats and prevent hazardous content from loading. Malwarebytes Browser Guard provides additional protection to standard ad-blocking features by covering a larger area of the attack chain all the way to domains controlled by attackers.

Download the Malwarebytes Threat Intelligence Threat Brief today for comprehensive insights on malvertising and its role in stealing credentials.

Download Now