Skip to content

D3F@ck Loader campaign exploits Google Ads as infection vector

  • by
  • 4 min read

Cybercriminals are distributing the D3F@ck Loader utilising Google Ads as a covert pathway to infiltrate systems. This showcases a troubling trend where hackers leverage trusted platforms to bypass critical security features, posing a significant risk to users worldwide.

The loader, first sighted on hacking forums in January 2024, has quickly gained notoriety for its ability to elude critical security measures deployed by major platforms such as Google Chrome, Edge, Windows Defender alerts, and SmartScreen.

Initially priced at $70 per day or $490 per week, this loader’s accessibility and effectiveness in evading detection have raised alarms among the cybersecurity community.

D3F@ck Loader advertisement on a hacker forum. | Source: eSentire.

Investigations from researchers have revealed alarming insight into the payload delivery mechanism of the D3F@ck Loader. The attack begins with threat actors leveraging Google Ads as the initial vector. They create deceptive ads or links that lead unsuspecting users to a compromised website harbouring the D3F@ck Loader.

Upon visiting the malicious website through the Google Ads link, the D3F@ck Loader is activated on the victim’s system. This loader can bypass crucial security features of major browsers and security tools.

D3F@ck Loader’s pricing. | Source: eSentire

Once active, the loader drops and executes additional malicious payloads. In observed cases, payloads like Raccoon Stealer and Danabot have been deployed, known for their malicious functionalities and data exfiltration capabilities.

The pricing model of the D3F@ck Loader varies based on factors like the need for an Extended Validation (EV) signature and payload size. EV certificates, with their stringent identity verification process by Certificate Authorities (CA), add an element of trust that aids in bypassing security measures effectively.

“Files signed with an EV certificate typically establish a trustworthy reputation faster than those signed with standard certificates or those that are unsigned. This advantage allows most malware to bypass SmartScreen warnings more effectively,” noted researchers.

Researchers have identified three malicious EV signatures associated with this threat: LLC Kama Lubricant Company, Ayog Tech Ltd, and Primalspeed Ltd.

To evade detection, threat actors often impersonate legitimate applications like Calendly and Rufus, hosting the malicious installer on platforms like MediaFire. This tactic aims to deceive users into downloading and executing the malicious payload unknowingly.

The loader impersonates legitimate applications like Rufus to trick users into downloading. | Source: eSentire

The D3F@ck Loader leverages Inno Setup along with Pascal scripting to create a deceptive installation process. Batch scripts are used to carry out operations discreetly, hiding files, retrieving URLs from the attacker’s Command and Control (C2) server, and executing commands to manipulate system directories.

The loader communicates with the attacker’s C2 server, sending updates on infection stages and receiving instructions for further actions. It retrieves additional payloads, such as .NET dropper, which infects malware into system processes, facilitating malicious activities.

Researchers have urged users to remain updated on the latest threat tactics, be cautious while clicking on Google Ads, and adopt safe browsing habits. For administrators, researchers have urged to apply the principle of least privilege. The attack shows a mix of social engineering and advanced tactics that can easily lure unsuspecting users into falling for the trap.

In the News: Germany accuses Russian-backed APT28 of cyber attack on SPD

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me

>