Breach
2023
Opening a Can of Whoop Ads: Detecting and Disrupting a Malvertising Campaign Distributing Backdoors

Incident Details

Mandiant's Managed Defense team identified a malicious advertising (malvertising) campaign run by the threat cluster UNC2975, which Mandiant has tracked since 2021. Beginning around June 19, 2023, the campaign promoted fake "unclaimed funds" websites through search engine manipulation (SEO poisoning) and paid search ads. Visitors who took the bait were served the PAPERDROP and PAPERTEAR downloaders, which in turn installed the DANABOT and DARKGATE backdoors at several organizations. Working with Mandiant's Advanced Practices team and the Google Anti-Malvertising team, Managed Defense had the malicious ads removed and notified the affected organizations so they could respond. This article describes the UNC2975 infrastructure behind the campaign, from the ads and lure sites through the downloaders to the backdoors, and how Mandiant's investigations have helped take harmful ad campaigns off Google's platforms.

Incident

How Did the Breach Happen?

The intrusions began with a malvertising campaign: paid search ads and search engine manipulation steered users who were searching for unclaimed funds to attacker-controlled websites posing as unclaimed-asset lookup services. Users who trusted the lure interacted with those sites, which delivered the PAPERDROP and PAPERTEAR downloaders and, through them, the DANABOT and DARKGATE backdoors.

What Data has been Compromised?

The information provided does not specify what data was compromised. It does indicate that the lure websites could have collected personal information from visitors, such as names and state of residence, since that is what an unclaimed-funds search asks for, and any data on the systems where the backdoors were installed would also have been exposed.

Why Did the company's Security Measures Fail?

The information provided does not say which security controls failed. What can be inferred from the outcome is that the malicious ads and lure websites were not blocked by web filtering, that users were able to download and run the downloader payloads, and that endpoint controls did not prevent the DANABOT and DARKGATE backdoors from being installed on the affected systems.

What Immediate Impact Did the Breach Have on the company?

The immediate impact was the installation of the DANABOT and DARKGATE backdoors on the affected systems, which gave the attackers remote access. That access puts confidential data at risk of theft or loss and lets the attackers use the compromised systems for further activity.

How could this have been prevented?

Organizations can reduce the risk of this kind of breach by continuously monitoring network and web-proxy traffic (in particular for a search-ad click that is quickly followed by an executable download), running routine vulnerability scans, training users to be wary of search ads for services such as unclaimed-funds lookups, and deploying threat detection tools that catch downloader malware at the endpoint. Staying current with security updates and regularly reviewing and updating security controls add further protection. None of these measures is sufficient alone: a well-run malvertising campaign uses legitimate ad platforms and freshly registered domains, so reputation-based blocking will lag behind it and behavioural detection is needed to close the gap.
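The infection chain described above (search ad, lure site, executable download) is something a defender can hunt for in web-proxy telemetry without knowing the attacker's domains in advance. The following Python script is an added example, not code from Mandiant or from this page: it reconstructs per-client ad-click sessions from constructed proxy log lines and flags any executable download from the ad's landing site within a short window. The log format, the time window, the ad-click redirector hosts, the executable heuristics and the lure domain unclaimed-funds.example are all assumptions made for the example.

```python
"""Hunt for a malvertising infection chain in web-proxy logs.

Looks for: search-ad click -> landing (lure) site -> executable download
from that site within WINDOW. All hosts, thresholds and log lines below
are assumptions constructed for this example.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy lines, not real telemetry. Space-separated fields:
# timestamp client method url referrer content-type ("-" means no referrer)
SAMPLE_LOG = """\
2023-06-21T14:02:11Z 10.1.4.22 GET https://www.google.com/search?q=unclaimed+funds - text/html
2023-06-21T14:02:19Z 10.1.4.22 GET https://www.googleadservices.com/pagead/aclk?sa=L&ai=abc https://www.google.com/search?q=unclaimed+funds text/html
2023-06-21T14:02:20Z 10.1.4.22 GET https://unclaimed-funds.example/ https://www.googleadservices.com/pagead/aclk?sa=L&ai=abc text/html
2023-06-21T14:03:05Z 10.1.4.22 GET https://unclaimed-funds.example/search?name=J+Doe&state=CA https://unclaimed-funds.example/ text/html
2023-06-21T14:03:41Z 10.1.4.22 GET https://cdn.unclaimed-funds.example/UnclaimedFunds_Report.exe https://unclaimed-funds.example/search?name=J+Doe&state=CA application/x-msdownload
2023-06-21T15:10:00Z 10.1.4.23 GET https://www.googleadservices.com/pagead/aclk?sa=L&ai=def https://www.google.com/search?q=office+chairs text/html
2023-06-21T15:10:01Z 10.1.4.23 GET https://shop.example/ https://www.googleadservices.com/pagead/aclk?sa=L&ai=def text/html
2023-06-21T15:12:00Z 10.1.4.23 GET https://shop.example/catalog.pdf https://shop.example/ application/pdf
"""

# Assumed ad-click redirector hosts; Google Ads click URLs end in /aclk on these.
AD_CLICK_HOSTS = {"www.googleadservices.com", "googleads.g.doubleclick.net"}
# Content types and extensions treated as a downloaded payload (assumed list).
EXEC_TYPES = {"application/x-msdownload", "application/x-msi", "application/octet-stream"}
EXEC_EXTS = (".exe", ".msi", ".vbs", ".js", ".zip", ".iso")
WINDOW = timedelta(minutes=10)  # how long after the click a download is still attributed to it


def parse_line(line):
    ts, client, method, url, referrer, ctype = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "client": client,
            "method": method, "url": url,
            "referrer": None if referrer == "-" else referrer, "ctype": ctype}


def host_of(url):
    if not url:
        return ""
    return (urlparse(url).hostname or "").lower()


def is_ad_click(url):
    return host_of(url) in AD_CLICK_HOSTS and urlparse(url).path.endswith("/aclk")


def same_site(host, landing):
    # cdn.lure.example counts as the same site as lure.example
    return bool(landing) and (host == landing or host.endswith("." + landing))


def looks_executable(url, ctype):
    return ctype in EXEC_TYPES or urlparse(url).path.lower().endswith(EXEC_EXTS)


def find_ad_chains(log_text, window=WINDOW):
    """Return one finding per client whose search-ad click is followed, within
    `window`, by an executable download served by or referred from the landing site."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: (e["client"], e["ts"]))
    state = {}  # client -> {"click": ts, "search": referrer of the click, "landing": host}
    findings = []
    for e in events:
        if is_ad_click(e["url"]):
            state[e["client"]] = {"click": e["ts"], "search": e["referrer"], "landing": None}
            continue
        st = state.get(e["client"])
        if st is None or e["ts"] - st["click"] > window:
            continue
        ref_host = host_of(e["referrer"])
        if st["landing"] is None:
            # The first request referred by the click redirector is the ad's landing page.
            if ref_host in AD_CLICK_HOSTS:
                st["landing"] = host_of(e["url"])
            continue
        on_landing_site = (same_site(host_of(e["url"]), st["landing"])
                           or same_site(ref_host, st["landing"]))
        if on_landing_site and looks_executable(e["url"], e["ctype"]):
            findings.append({
                "client": e["client"],
                "search": st["search"],
                "landing": st["landing"],
                "download": e["url"],
                "seconds_after_click": int((e["ts"] - st["click"]).total_seconds()),
            })
            state.pop(e["client"])  # one finding per click; a new click restarts the chain
    return findings


if __name__ == "__main__":
    for f in find_ad_chains(SAMPLE_LOG):
        print(f"{f['client']} clicked an ad from {f['search']}, landed on {f['landing']}, "
              f"fetched {f['download']} {f['seconds_after_click']}s later")
```

On the sample data only the 10.1.4.22 session is flagged: the shop.example visit also starts from an ad click but ends in a PDF, not an executable. Two caveats for real deployments: the referrer hop from the click redirector can be stripped by Referrer-Policy or by an intermediate redirect, so the landing site should also be learned from the click URL's destination parameter when the proxy logs it; and the extension and content-type heuristic will miss payloads served as text/html or behind a one-time download link, so treat this as a hunt query that surfaces candidates for an analyst, not as a blocking rule.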

What have we learned from this data breach?

This breach underscores the value of proactively monitoring for, detecting, and responding to malvertising campaigns. Close collaboration between security teams, threat intelligence providers, and advertising platforms is essential to limit the reach of such campaigns and to protect users from the malware they deliver; in this case, working with Google's Anti-Malvertising team is what got the ads taken down.

Summary of Coverage

Mandiant's Managed Defense threat hunting team identified and disrupted a 2023 malvertising campaign attributed to the threat cluster UNC2975. The campaign used search engine traffic and malicious ads to drive users to deceptive websites themed around 'unclaimed funds', which delivered downloaders and ultimately the DANABOT and DARKGATE backdoors. Working with other Mandiant teams and Google's Anti-Malvertising team, Mandiant had the harmful ads removed and notified the affected organizations. The incident underscores the importance of robust security controls, vigilant monitoring, and cooperation with ad platforms in thwarting malvertising.