Listen to this Post
Introduction:
Cybercriminals have devised a sophisticated new malspam campaign that exploits Google’s legitimate DoubleClick ad-tracking domain to bypass security filters and deliver a powerful remote access trojan (RAT). By routing victims through a trusted Google domain, attackers significantly lower the likelihood of detection before deploying the fileless .NET-based DesckVB RAT, which grants them full control over compromised machines. This incident highlights the escalating trend of abusing trusted, reputable services to evade traditional security measures and the critical importance of a defense-in-depth strategy.
Learning Objectives:
– Understand the multi-stage infection chain that leverages Google DoubleClick for initial compromise.
– Analyze the technical mechanisms of DesckVB RAT, including its fileless execution, persistence methods, and anti-analysis features.
– Implement defensive measures across email security, endpoint hardening, and network monitoring to detect and block such attacks.
You Should Know:
1. Dissecting the DesckVB RAT Infection Chain
The attack begins with a phishing email containing a seemingly benign HTML file attachment. When opened, this HTML file uses a `meta-refresh` redirect to send the victim to a Google DoubleClick Campaign Manager click-tracking URL (`ad.doubleclick[.]net`). Because this domain is considered trusted by most security tools, it often bypasses URL filters. The DoubleClick link then acts as a stepping stone, redirecting the user to an attacker-controlled server that decodes a Base64-encoded email address from the referral data. This decoded information is used to dynamically generate a personalized phishing landing page, complete with the victim’s company branding and location, making the lure highly convincing without requiring manual customization for each target.
Once the victim clicks a “Download PDF” button on this page, the server responds with a ZIP archive containing a JavaScript loader. This loader retrieves and executes a .NET-based RAT while employing evasion techniques to fly under the radar. The JavaScript stage writes a PowerShell script into the `C:\Users\Public` directory, which then fetches a .NET loader from an external server. This loader is a key component of the fileless attack, verifying it is not being analyzed, neutralizing security controls, and setting up persistence using process hollowing to inject the main RAT payload into Microsoft-signed processes.
Step‑by‑step Guide: Emulating the Initial HTML Redirect
To understand how the initial redirection works, a security analyst can create a simple test HTML file that mimics the first stage:
1. Create a Test HTML File: Open a text editor and save the following code as `test_redirect.html`.
<!DOCTYPE html> <html> <head> <meta http-equiv="refresh" content="0; url=https://ad.doubleclick[.]net/path?param=value" /> <title>Loading...</title> </head> <body> <p>Redirecting...</p> </body> </html>
2. Analyze the Redirect: Open this file in a browser while monitoring network traffic using a tool like Wireshark or the browser’s Developer Tools (F12 > Network tab).
3. Observe the Behavior: Note how the browser automatically follows the meta-refresh directive to the DoubleClick domain without any user interaction. In a real attack, this domain would then perform another redirect to the attacker’s landing page.
4. Defensive Test: Security teams can use this knowledge to create detection rules for HTML attachments that contain `meta-refresh` tags pointing to known redirector services or unexpected domains.
2. The Fileless Arsenal: AMSI, ETW, and Process Hollowing
DesckVB RAT is designed for stealth, operating primarily in memory to evade traditional file-based antivirus solutions. Upon execution, it immediately targets two critical Windows security features: the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW). By patching these at the native API level, the trojan blinds Windows telemetry, preventing security products from receiving alerts about its malicious activities, including PowerShell or .NET script executions. This AMSI bypass is a common technique used by attackers to disable script scanning before it can flag their payloads.
The RAT uses a technique called process hollowing to inject its payload into a legitimate Microsoft-signed process, such as `svchost.exe` or `rundll32.exe`. This involves creating a new process in a suspended state, unmapping its original code, writing the malicious code into its memory space, and then resuming the process. From the system’s perspective, all activity appears to originate from a trusted Windows component, making it extremely difficult to detect. The malware also includes anti-analysis checks, such as terminating itself or rebooting the machine if it detects sandboxing or debugging tools, to avoid examination.
Step‑by‑step Guide: Detecting Process Hollowing with Sysinternals
Security analysts can use legitimate Windows tools to detect signs of process hollowing.
1. Download Process Explorer: Obtain Process Explorer from the Microsoft Sysinternals suite.
2. Enable Column Verification: Run Process Explorer as Administrator. Go to `View > Select Columns`. In the `Process Image` tab, add the `Verified Signer` column.
3. Monitor for Anomalies: Look for processes like `svchost.exe`, `rundll32.exe`, or `explorer.exe` that have a valid `Verified Signer` (e.g., “Microsoft Windows”) but are exhibiting suspicious behavior, such as establishing unexpected network connections or spawning child processes.
4. Check for Hollowed Processes: Use the `View > Show Lower Pane` and set the lower pane to `DLLs`. A hollowed process might have memory regions that do not correspond to any legitimate DLLs mapped from disk. Tools like `Sysmon` with Event ID 8 (`CreateRemoteThread`) can also provide alerts for this behavior.
3. Fortifying Windows: Group Policy and Hardening Strategies
Defense in depth is crucial to stop such multi-stage attacks. One of the simplest yet most effective mitigations against script-based malware is changing the default association for common scripting files (`.js`, `.vbs`, `.hta`) from the Windows Script Host to Notepad. This prevents the script from executing if a user inadvertently opens it and forces it to open as a text file for inspection instead. While this does not stop the initial HTML lure, it can cripple the later stages of the infection chain that rely on these scripts to download and execute the RAT.
On the email security front, organizations must implement SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting & Conformance) to prevent email spoofing and verify sender authenticity. Web and network protection tools, such as Microsoft Defender’s network protection, should be configured to block connections to known malicious domains and newly registered domains, as well as to filter URLs based on reputation. These layered controls create multiple hurdles that can stop an attacker before they ever gain a foothold.
Step‑by‑step Guide: Configuring Group Policy to Open Scripts in Notepad
This GPO prevents accidental execution of malicious scripts by opening them in a safe viewer.
1. Open Group Policy Management Console: Run `gpmc.msc` on a Domain Controller or `gpedit.msc` on a local machine.
2. Create a New GPO: Navigate to `Computer Configuration > Preferences > Control Panel Settings > Folder Options`.
3. Open the Folder Options Dialog: Right-click `Folder Options` > `New > Folder Options`. Under the `File Types` tab, locate `.JS` (JS File).
4. Set the Default Program: Select `.JS` and click `Edit`. In the `Edit File Type` dialog, set the default program to `Notepad`. You can also change the `Open` action command to `%SystemRoot%\system32\NOTEPAD.EXE %1`.
5. Apply and Repeat: Repeat this process for other risky file extensions like `.JSE`, `.VBS`, `.VBE`, `.HTA`, and `.PS1`. Link the GPO to the appropriate Organizational Unit (OU) and run `gpupdate /force` on target machines to apply the policy.
4. Command-Line Detection and Eradication
For incident responders, having a set of commands to quickly triage and identify indicators of compromise (IOCs) for DesckVB RAT is essential. These commands focus on checking for unusual autoruns, fileless payloads in memory, and specific persistence mechanisms.
Step‑by‑step Guide: PowerShell Commands for Detection
1. Check Suspicious Autostart Entries:
Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location, User | Format-List
Look for entries pointing to script files (`.js`, `.ps1`) in temporary or public directories.
2. Identify Fileless .NET Modules in Memory:
Get-Process | ForEach-Object { $_.Modules } | Where-Object { $_.FileName -like "AppData\Local\Temp\" -or $_.FileName -like "Users\Public\" } | Select-Object ProcessName, FileName, Size
This searches for loaded modules from unusual paths, which is a sign of a reflective .NET loader.
3. Check for AMSI/ETW Registry Tampering:
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\" | Select-Object Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-" | Select-Object
Look for missing or non-standard GUIDs that indicate patching by malware.
4. Review Scheduled Tasks for Persistence:
Get-ScheduledTask | Where-Object {$_.TaskPath -1otlike "Microsoft" -and $_.State -1e "Disabled"} | Select-Object TaskName, TaskPath, State
Attackers often create new scheduled tasks to maintain persistence, bypassing Run and RunOnce entries.
5. Network Hardening and URL Blocking
Since the attack leverages Google’s DoubleClick domain, simply blocking `ad.doubleclick[.]net` outright is not feasible for most organizations due to legitimate use. However, network administrators can implement a more granular approach to detect and block the redirection to final payload servers.
Step‑by‑step Guide: Implementing Network Protections
1. Enable Network Protection in Microsoft Defender:
– Open `Group Policy Management Editor` and navigate to `Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Network Protection`.
– Set the policy `Prevent users and apps from accessing dangerous websites` to `Enabled: Block`.
– This will use Microsoft’s cloud-based SmartScreen feed to block connections to known malicious domains in real-time.
2. Use PowerShell to Add a Custom URL Block:
For an immediate, albeit temporary, block using the Windows Hosts file:
Add a block for the final payload domain (replace with actual IOC) $hostsPath = "$env:windir\System32\drivers\etc\hosts" "0.0.0.0 malicious-payload-domain.com" | Out-File -FilePath $hostsPath -Append -Encoding ASCII
Note: This is a basic solution. For production, use network firewalls or web proxies with dynamic threat intelligence.
3. Configure Firewall Rules to Block Suspicious Outbound Traffic:
Block outbound connections on ports commonly used for raw TCP C2 communication.
New-1etFirewallRule -DisplayName "Block Uncommon C2 Ports" -Direction Outbound -Protocol TCP -LocalPort 4444,5555,6666,7777,8888 -Action Block
What Undercode Say:
– Trust as a Weapon: The abuse of Google DoubleClick underscores a growing trend where attackers weaponize legitimate, high-reputation services to gain initial access. This shifts the burden of detection away from simple signature-based tools and toward behavioral analysis and network traffic inspection.
– The Need for Layered Defenses: No single control can stop a fileless, multi-stage attack like this. Success depends on combining email authentication (DMARC, DKIM), endpoint hardening (Group Policy for script files), memory detection (monitoring for process hollowing), and network-level blocking to create a resilient security posture.
Prediction:
– +1 The adoption of trusted, legitimate services for redirection will intensify, with attackers exploring other ad networks, content delivery networks (CDNs), and cloud storage platforms to evade detection.
– -1 Fileless and in-memory execution techniques like process hollowing and AMSI/ETW patching will become standard features in commodity RATs, lowering the skill barrier for script kiddies and increasing the volume of stealthy attacks.
– +1 The security industry will respond by developing more robust behavioral detection engines and enriching threat intelligence feeds with indicators of initial redirectors, forcing attackers to innovate their initial access strategies.
– -1 Small and medium-sized businesses (SMBs) without dedicated security teams will remain highly vulnerable to these sophisticated campaigns, as they lack the resources to implement the necessary defense-in-depth measures.
– -1 As sandbox evasion techniques become more advanced, traditional automated analysis environments will face increasing difficulty in dissecting these multi-stage threats, leading to a resurgence in manual malware analysis.
▶️ Related Video (82% Match):
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
[Join Undercode Academy for Verified Certifications](https://undercode.co.uk/certifications/)
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[[email protected]](mailto:[email protected])
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: [Mohit Hackernews](https://www.linkedin.com/posts/mohit-hackernews_hackers-are-abusing-google-doubleclick-to-share-7467976492438962176-mGuD/) – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
[💬 Whatsapp](https://undercode.help/whatsapp) | [💬 Telegram](https://t.me/UndercodeCommunity)
📢 Follow UndercodeTesting & Stay Tuned:
[𝕏 formerly Twitter 🐦](https://x.com/undercodeupdate) | [@ Threads](https://www.threads.net/@undercodetesting) | [🔗 Linkedin](https://www.linkedin.com/company/undercodetesting/) | [🦋BlueSky](https://bsky.app/profile/undercode.bsky.social)
