A New Malspam Campaign Abusing Google’s DoubleClick Redirects to Bypass Email Gateways
Researchers at Huntress have identified a malspam campaign that routes victims through Google’s DoubleClick ad-tracking infrastructure so that its links inherit the domain’s reputation and pass enterprise secure email gateways (SEGs) unchallenged. There is no flaw in DoubleClick itself; the campaign simply borrows the trust attached to a high-reputation domain.
The lure is personalized on the fly for each recipient and starts a five-stage infection chain that disables local defenses (AMSI, ETW telemetry, and Defender real-time protection) before injecting its final payload into a hollowed legitimate process.
The attack opens with a malicious HTML attachment, typically named Bestellung_2026.html (Bestellung is German for “order”). When opened, an instantaneous meta-refresh sends the browser to a URL on ad.doubleclick[.]net, a legitimate Google domain, which forwards the browser on to the attacker’s lure page. Because the domain’s reputation is high, most SEGs and URL reputation filters pass the link without further scrutiny, so the redirect chain runs undetected.
The lure page holds no organization-specific content. It reads the target’s email address from the URL fragment and rebuilds the company’s branding in real time by fetching logos, keyed on the address’s domain, from services such as Clearbit, logo.dev, and Google Favicons. Because nothing is hardcoded per target, one page serves every recipient, which makes the infrastructure cheap to scale.
To add legitimacy, the page also calls ipapi[.]co to show the victim’s local time and location. If no email address is present in the fragment, the page redirects to Bing, so crawlers and sandboxes that fetch the URL without the fragment see nothing malicious. Note that a URL fragment is never sent to the server, so the recipient address will not appear in proxy or web-server logs; analysts replaying the URL must include the fragment to reach the lure.
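A gateway-side check for the attachment pattern described above, added here as an example and not code from Huntress or from the campaign: it pulls every meta-refresh target out of an HTML attachment, flags an instant hop through a reputation-laundering redirector, and looks for a recipient address in the URL fragment. The sample attachment, the DoubleClick-style path and the lure hostname are constructed; the only redirector host in the list is the one the report names.

```python
import re
from html import unescape
from urllib.parse import urlsplit

# Redirector hosts whose reputation lets a hop pass URL filters. The report names
# ad.doubleclick.net; extend the set with what you observe in your own mail flow.
REPUTATION_REDIRECTORS = {"ad.doubleclick.net"}

META_TAG_RE = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r'''([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))''')
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample attachment (not the real Bestellung_2026.html): an instant
# meta-refresh through a DoubleClick-style URL whose fragment carries the recipient.
SAMPLE_HTML = """<!DOCTYPE html><html><head><meta charset="utf-8">
<meta http-equiv="refresh" content="0; url=https://ad.doubleclick.net/ddm/clk/123?https://lure.example/#alice@example.com">
</head><body>Ihre Bestellung wird geladen...</body></html>"""


def _attrs(tag):
    """Attribute name -> value for one tag, whichever quoting style was used."""
    return {name.lower(): dq or sq or bare for name, dq, sq, bare in ATTR_RE.findall(tag)}


def meta_refresh_targets(html_text):
    """Return (delay_seconds, url) for every <meta http-equiv="refresh"> in the document."""
    found = []
    for tag in META_TAG_RE.findall(html_text):
        attrs = _attrs(tag)
        if attrs.get("http-equiv", "").lower() != "refresh":
            continue
        content = unescape(attrs.get("content", "")).strip()
        # content looks like "0; url=https://..." or "0;URL='https://...'"; only the
        # first ';' separates delay from target, later ones belong to the URL.
        delay, _, rest = content.partition(";")
        url = re.sub(r"^\s*url\s*=\s*", "", rest.strip(), flags=re.IGNORECASE).strip("'\" ")
        try:
            delay_s = float(delay.strip() or "0")
        except ValueError:
            delay_s = 0.0
        found.append((delay_s, url))
    return found


def assess_attachment(html_text):
    """Describe each redirect the way a gateway sandbox should score it: instant hop,
    high-reputation redirector, and a recipient address hidden in the fragment."""
    findings = []
    for delay_s, url in meta_refresh_targets(html_text):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        email = EMAIL_RE.search(parts.fragment)
        findings.append({
            "url": url,
            "host": host,
            "instant": delay_s == 0,
            "via_redirector": host in REPUTATION_REDIRECTORS,
            "email_in_fragment": email.group(0) if email else None,
        })
    return findings


def verdict(findings):
    """'block' on the campaign's signature, 'review' for any other meta-refresh."""
    if any(f["instant"] and f["via_redirector"] for f in findings):
        return "block"
    if any(f["email_in_fragment"] for f in findings):
        return "block"
    return "review" if findings else "allow"


if __name__ == "__main__":
    for finding in assess_attachment(SAMPLE_HTML):
        print(finding)
    print(verdict(assess_attachment(SAMPLE_HTML)))
```

The fragment survives the hop because browsers carry the original fragment across an HTTP redirect whose Location header has none (RFC 7231, section 7.1.2), yet it is never transmitted to ad.doubleclick.net or the lure server. A detonation that strips the fragment gets the Bing redirect and reports the attachment as clean, so the check above inspects the attachment itself rather than relying on what the redirect chain serves.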
Clicking the lure’s “Download PDF” button delivers a ZIP archive containing a heavily obfuscated JScript file, the start of the five-stage chain: HTML lure, JScript dropper, PowerShell stager, .NET loader, and process-hollowed payload.
On execution, the JScript copies itself to C:\Users\Public\, repairs a deliberately broken base64-encoded blob, and drops an obfuscated PowerShell script that acts as a tripwire. The stager checks connectivity to Google and looks for analysis tools such as Wireshark, any.run, and OllyDbg; if it finds any, it reboots the host to cut the analysis short.
The most technically advanced component is a .NET loader fetched from an attacker-controlled server. Once it has confirmed it is not under analysis, the loader dismantles local defenses in order: it patches the Antimalware Scan Interface (AMSI) at the native-API level, using NtManageHotPatch on Windows 11 24H2 builds, and silences Event Tracing for Windows (ETW) by patching EtwEventWrite in ntdll.dll.
It then disables Microsoft Defender’s real-time protection and establishes persistence through RunOnce registry keys with NVIDIA-themed value names. The final payload is injected with standard RunPE process hollowing into legitimate Windows binaries such as InstallUtil.exe and MSBuild.exe.
Huntress reports that command-and-control (C2) traffic runs over raw TCP on port 7211 to DDNS-hosted servers, with AES-encrypted messages. In its initial beacon the malware enumerates attached NVIDIA and AMD GPUs through Windows Management Instrumentation (WMI). Outbound raw TCP on an unusual port to a dynamic-DNS hostname is itself a strong egress-filtering and NetFlow detection signal, and because the traffic is not HTTP a web proxy alone will not see it.
Indicators of Compromise
Huntress has documented indicators of compromise (IoCs) including the C2 domains xtadts.ddns[.]net and afxwd.ddns[.]net, along with specific payload delivery endpoints. These can be added to DNS and firewall block lists and to alerting; remember that the C2 channel is raw TCP on port 7211, so blocking must happen at the egress firewall or DNS layer rather than only in a web proxy.
Mitigation Strategies
The following mitigations are recommended:
- Group Policy configuration: change the default file association for .js, .vbs, and .hta (the JSFile, VBSFile, and htafile ProgIDs) so they open in Notepad instead of the script host. A double-clicked attachment then shows its source instead of executing.
- Email gateway sandboxing: adopt a solution that detonates attachments and follows links before delivery; as noted above, the detonation must preserve URL fragments or it will only ever see the Bing redirect.
- Alerting: alert on wscript.exe spawning encoded PowerShell from the C:\Users\Public\ directory.
- Monitoring child processes: watch for script files executing as child processes of explorer.exe, which indicates a user opened a script directly.
- Email authentication: enforce SPF, DKIM, and DMARC to reduce the risk of spoofing; this does not stop mail sent from attacker-owned domains, so it complements rather than replaces the controls above.
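The two process-level alerts above (encoded PowerShell spawned by wscript.exe from C:\Users\Public\, and a script file launched as a child of explorer.exe), written out as added example detection logic. This is not Huntress’s rule set; it runs over constructed Sysmon Event ID 1-style records, and the field names, paths and the -enc payload (“IEX” in UTF-16LE base64) are assumptions for illustration.

```python
import ntpath
import re

# Constructed process-creation events in a Sysmon Event ID 1 shape; none of this is
# telemetry from the campaign. Event 1 is the user opening the dropper, event 2 is the
# dropper (now running from C:\Users\Public) starting the encoded PowerShell stager,
# event 3 is encoded PowerShell with a benign parent and should not fire.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"',
     "parent_command_line": r"C:\Windows\Explorer.EXE",
     "current_directory": r"C:\Users\alice"},
    {"image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\WScript.exe" "C:\Users\alice\Downloads\Bestellung_2026.js"',
     "parent_command_line": r"C:\Windows\Explorer.EXE",
     "current_directory": r"C:\Users\alice\Downloads"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"powershell.exe -nop -w hidden -enc SQBFAFgA",
     "parent_command_line": r'"C:\Windows\System32\WScript.exe" "C:\Users\Public\Bestellung_2026.js"',
     "current_directory": r"C:\Users\Public"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe -enc SQBFAFgA",
     "parent_command_line": r"C:\Windows\Explorer.EXE",
     "current_directory": r"C:\Users\alice"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Extensions the Notepad file-association mitigation covers.
SCRIPT_EXT_RE = re.compile(r"\.(js|vbs|hta)\b", re.IGNORECASE)
# PowerShell accepts any unambiguous prefix of -EncodedCommand, so match the short forms too.
ENCODED_FLAG_RE = re.compile(r"(?:^|\s)[-/](?:e|ec|enc|encodedcommand)\s", re.IGNORECASE)
PUBLIC_DIR = r"c:\users\public"


def _base(path):
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return ntpath.basename(path).lower()


def wscript_encoded_powershell_from_public(ev):
    r"""wscript/cscript launching encoded PowerShell, with C:\Users\Public in the
    child's working directory, its command line, or the parent's command line."""
    if _base(ev["image"]) not in POWERSHELL:
        return False
    if _base(ev["parent_image"]) not in {"wscript.exe", "cscript.exe"}:
        return False
    if not ENCODED_FLAG_RE.search(ev["command_line"]):
        return False
    haystack = " ".join([ev.get("command_line", ""),
                         ev.get("parent_command_line", ""),
                         ev.get("current_directory", "")]).lower()
    return PUBLIC_DIR in haystack


def script_file_launched_from_explorer(ev):
    """A script host started by explorer.exe with a .js/.vbs/.hta argument: the user
    double-clicked a script file, which is what the Notepad association prevents."""
    return (_base(ev["parent_image"]) == "explorer.exe"
            and _base(ev["image"]) in SCRIPT_HOSTS
            and SCRIPT_EXT_RE.search(ev["command_line"]) is not None)


RULES = {
    "wscript_encoded_powershell_from_public": wscript_encoded_powershell_from_public,
    "script_file_launched_from_explorer": script_file_launched_from_explorer,
}


def evaluate(events):
    """Return (event_index, rule_name) for every event a rule fires on."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for index, rule_name in evaluate(SAMPLE_EVENTS):
        print(f"event {index}: {rule_name}")
```

The first rule deliberately reads the parent's command line as well as the child's, because by the time the stager runs the dropper has already moved itself to C:\Users\Public\ and the only trace of that path may be in the parent's arguments. The second rule is a coverage check for the file-association mitigation: once .js/.vbs/.hta open in Notepad, it should never fire for a double-clicked attachment.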
The campaign’s value to the attacker lies less in any single novel technique than in the combination: reputation laundering at the gateway, per-recipient personalization at the lure, anti-analysis at the stager, and defense evasion in the loader. Organizations should treat each stage as a separate detection opportunity and watch for changes in the redirector domains, file names, and C2 infrastructure as the campaign evolves.

