Cybersecurity experts have identified a sophisticated malspam campaign that leverages Google’s DoubleClick domain to bypass security measures and deploy a remote access trojan (RAT) known as DesckVB RAT.
According to researchers Anna Pham and Adam Mooney from Huntress, the attack initiates by rerouting potential victims through DoubleClick, a domain owned by Google, which many security systems consider legitimate and therefore non-threatening.
The campaign’s unique strategy involves using a malspam kit that customizes itself by dynamically incorporating the victim’s email address, company branding, and location information, eliminating the need for tailored lures for each target.
Exploiting Google DoubleClick
The exploitation begins when a recipient opens an HTML file attached to a phishing email, prompting a redirect to a Google DoubleClick Campaign Manager URL. From there, the victim is led to a landing page that cleverly disguises itself with company-specific details.
The page features a deceptive ‘Download PDF’ button, which, when clicked, delivers a ZIP file containing a JavaScript loader. This loader initiates the download and execution of the .NET-based DesckVB RAT, effectively bypassing many security measures.
Technical Aspects of the Attack
The JavaScript loader is designed to evade detection: it executes a PowerShell script that retrieves a .NET loader. That loader checks that it is not running under analysis, disables security features, establishes persistence, and uses process hollowing to inject the malware into legitimate processes.
Once activated, the RAT communicates with a command-and-control server, performing system reconnaissance and altering Microsoft Defender settings. It also patches native APIs to obscure its presence from Windows telemetry.
Implications and Prevention
The DesckVB RAT provides attackers with extensive control over compromised systems, capable of extracting data and executing commands. It includes mechanisms to hide its activities, such as detecting and responding to analysis environments by terminating operations.
To counter such threats, Huntress emphasizes the importance of a multi-layered defense strategy. Using Group Policy Objects to make script files (such as .js and .vbs) open in Notepad by default, rather than execute, can thwart the initial stage of the attack. Additionally, publishing DMARC, DKIM, and SPF records helps receiving mail servers reject messages that spoof your domain.
On the organizational level, utilizing an email gateway that sandboxes attachments and links before delivery can add another protective layer, significantly reducing the risk of successful cyber attacks.
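The script-handler mitigation above, as an added example that is not from Huntress or the article: this PowerShell remaps the Windows Script Host file types so that double-clicking a .js/.vbs/.wsf attachment opens it in Notepad instead of running it, and then audits what each handler points at. The list of ProgIDs and the machine-wide HKLM\SOFTWARE\Classes path are the standard Windows ones; deploying the same keys through a GPO registry preference is assumed to be how you would push it fleet-wide.

```powershell
# Added example (not the article's or Huntress's code). Run elevated on a test
# host first; push the same values fleet-wide via GPO
# (Computer Configuration > Preferences > Windows Settings > Registry).

# Standard WSH ProgIDs that wscript.exe/cscript.exe handle by default.
$ScriptProgIds = 'JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile', 'WSHFile'
# Open the file in Notepad instead of executing it.
$NotepadHandler = '"%SystemRoot%\System32\notepad.exe" "%1"'

function Set-ScriptHandlerToNotepad {
    foreach ($progId in $ScriptProgIds) {
        # HKLM\SOFTWARE\Classes is the machine-wide half of HKCR.
        $key = "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $current = (Get-Item -Path $key).GetValue('')
        if ($current -ne $NotepadHandler) {
            Set-ItemProperty -Path $key -Name '(default)' -Value $NotepadHandler
            Write-Output ("{0}: '{1}' -> notepad" -f $progId, $current)
        }
    }
}

function Test-ScriptHandlers {
    # Report any ProgID whose handler still points at a script engine.
    $findings = @()
    foreach ($progId in $ScriptProgIds) {
        $key = "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command"
        $current = if (Test-Path $key) { (Get-Item -Path $key).GetValue('') } else { '<missing>' }
        if ($current -match 'wscript\.exe|cscript\.exe') {
            $findings += [pscustomobject]@{ ProgId = $progId; Handler = $current }
        }
    }
    return $findings
}

Set-ScriptHandlerToNotepad
$remaining = Test-ScriptHandlers
if ($remaining) { $remaining | Format-Table -AutoSize } else { Write-Output 'All WSH handlers now open in Notepad.' }
```

This does not stop an attacker who launches wscript.exe explicitly, so keep it as one layer alongside mail-gateway sandboxing and endpoint detection.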
