RomCom ransomware is being spread via poisoned Google ads

RomCom ransomware is being spread via poisoned Google adverts for legitimate software companies including ChatGPT, PDF Reader Pro and Devolutions’ Remote Desktop Manager.

According to researchers at IT security company Trend Micro, malicious actors are using Google advertisements for trusted companies to entice people into clicking on the advert and downloading RomCom ransomware onto their devices. The malicious actors are doing this through the use of fake sites set up to look like legitimate ones, with poisoned uploads that execute the malware on victims’ devices once it is downloaded.

By using paid advertisement slots and SEO tactics, malicious actors can ensure that the poisoned uploads remain at the top of Google’s search results, meaning that more people are likely to fall victim to these trojanized adverts.

RomCom ransomware has been linked to a Cuba ransomware affiliate dubbed ‘Tropical Scorpius’ by Trend Micro. The malware is responsible for a number of attacks across the globe, including those against Ukrainian government agencies in October 2022.

Once it is downloaded onto a device, the backdoor malware can cause damage to victims in a number of ways, including executing more malicious files on the infected device, running malicious programs and exfiltrating data from the compromised devices. It can also run spyware in hidden windows, set up proxy servers for malicious activities and even compress and send files on the infected device to servers owned by the malicious actors.

RomCom ransomware also has the ability to take screenshots on the device, meaning that any confidential, personal or compromising information entered into the device can be used by the hackers for their own means. This includes gaining access to financial services like banks, cryptocurrency wallets and other payment services, accessing chat messages stored on the device and stealing all login credentials entered into the device.


Bumblebee ransomware spread via poisoned Google ads

In April of this year, it was found that malicious actors were employing SEO tactics and paying for targeted advertisements to entice victims into clicking on malware.

Cyber security company Secureworks found malicious actors had been using poisoned ad installers as trojans to spread Bumblebee malware. These ad installers were associated with a number of well-known companies including Zoom, Citrix Workspace, Cisco AnyConnect and OpenAI’s ChatGPT. For example, Secureworks researchers found that a malicious actor had not only created a poisoned ad installer for Cisco AnyConnect, but a fake download page for the malware as well. They were able to do this by exploiting a compromised WordPress site.

Once Bumblebee malware is downloaded, malicious actors most often use it to launch ransomware within the infected device. In one case, Secureworks researchers found that the malicious actor moved laterally across the device, downloading and launching a number of applications and software programs, including the legitimate remote access tools AnyDesk and Dameware as well as the penetration testing tool Cobalt Strike.
