Hackers are increasingly using ad tools and marketing gimmicks to try and stand out from the crowd, new research from HP Wolf Security has claimed.

In the marketing and advertising world, user interaction is one of the key performance indicators, and professionals use different tools to see which ads people click on more, and which ads they ignore – allowing them to optimize their messages and campaigns for maximum impact.

Now, according to HP Wolf Security’s latest Threat Insights Report, hackers are doing something similar. Observing the DarkGate campaign, the researchers saw threat actors using malicious PDF attachments, posing as OneDrive error messages, which direct users to sponsored content hosted on popular ad networks.

Delivering DarkGate

The end-goal for this campaign is to deliver DarkGate, a piece of malware first spotted in 2018, that now comes with a wide variety of tools. Generally speaking, DarkGate is a loader, allowing threat actors to deploy more dangerous malware in later stages of the compromise. However, some researchers pointed out that DarkGate is also capable of stealing credentials from the target endpoints, and granting remote access. 

By using ad services, the researchers further explain, threat actors can also analyze which of their lures generate most interest among their targets, helping them hone their campaigns and improve their efficiency.

They’re also using CAPTCHA tools, preventing sandboxes from scanning their malware and making sure only actual humans click.

Elsewhere in the report, HP Wolf Security says the trend of moving away from macro-enabled Office attacks is still ongoing. However, this type of attacks still has its place, “particularly for attacks leveraging cheap commodity malware like Agent Tesla and XWorm”.

Finally, PDF malware is on the rise, with 11% of malware analyzed in Q4 2023 using PDFs to deliver the payload, up from just 4% in Q1 and Q2 of the same year. A notable example, the researchers said, was a WikiLoader campaign using a fake parcel delivery PDF to trick users into installing Ursnif malware.

More from TechRadar Pro

Services MarketplaceListings, Bookings & Reviews

Entertainment blogs & Forums

8670 cedar hammock circle 232.