Cybercriminals are running a malspam campaign that abuses the click-tracking redirect of Google's DoubleClick ad service to deliver a fileless .NET loader. Because the first hop of the link is a trusted Google domain, the redirect slips past email security controls that judge a URL by the reputation of its domain rather than by where it finally lands.
According to Cyber Security News, the attack starts with an email carrying an HTML attachment named 'Bestellung_2026.html' ('Bestellung' is German for 'order', as in a purchase order, which points to German-speaking businesses as the target). The file contains a meta-refresh directive with a zero-second delay, so as soon as it is opened the browser is sent to a URL on ad.doubleclick[.]net. Because that domain has a strong reputation, many email security systems let the redirect through without following it to its destination.
The DoubleClick URL forwards the victim to a personalized phishing page. The page reads the recipient's email address from the URL, uses it to pull in the matching company logo, and shows the visitor's city and local time to make the lure more convincing. It invites the user to download what is presented as a PDF; the download button actually delivers a ZIP archive that holds the malware.
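The two stages described in the last two paragraphs, the instant meta-refresh inside the attachment and the personalized landing page that is handed the recipient's address, can be triaged before anyone opens the file. The Python example below is added here and is not code from the report, from Cyber Security News or from the campaign. It parses an HTML attachment, extracts each meta-refresh, unwraps the destination that a known click-tracking redirector forwards to, and recovers any email address that destination passes on to the landing page. The attachment, the phish.example host, the redirector URL layout (destination carried bare in the query string) and the AD_REDIRECTORS list are constructed for illustration, not captured indicators.

```python
"""Triage an HTML e-mail attachment for an instant meta-refresh bounce through
an ad-click redirector.  Added example; the attachment and URLs are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlparse

# Redirector hosts whose reputation gets them past URL filters.  Assumption:
# an illustrative list; extend it from your own gateway's click-tracker set.
AD_REDIRECTORS = {"ad.doubleclick.net"}

# Constructed attachment modelled on the lure described in the article.  The
# redirector URL layout (destination carried bare after '?') and the phishing
# host are assumptions, not captured indicators.
SAMPLE_ATTACHMENT = """<html><head><title>Bestellung</title>
<meta http-equiv="Refresh" content="0; url=https://ad.doubleclick.net/ddm/clk/000000000;000000000;0?https://phish.example/view.php?e=recipient%40victim.example">
</head><body></body></html>"""


class MetaRefreshParser(HTMLParser):
    """Collect the content= value of every <meta http-equiv="refresh">."""

    def __init__(self):
        super().__init__()
        self.refreshes = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = {name.lower(): (value or "") for name, value in attrs}
        if attr.get("http-equiv", "").lower() == "refresh":
            self.refreshes.append(attr.get("content", ""))


def parse_refresh(content):
    """Split '0; url=https://...' into (delay_seconds, url); None if no URL."""
    m = re.match(r"\s*(\d+(?:\.\d+)?)\s*[;,]\s*url\s*=\s*['\"]?([^'\"\s]+)",
                 content, re.I)
    if not m:
        return None
    return float(m.group(1)), m.group(2)


def unwrap_redirector(url):
    """Return the absolute URL a click-tracker forwards to, or None.  Checks a
    bare destination after '?' first, then every query parameter value."""
    query = urlparse(url).query
    candidates = [unquote(query)]
    for values in parse_qs(query).values():
        candidates.extend(unquote(v) for v in values)
    for candidate in candidates:
        if candidate.lower().startswith(("http://", "https://")):
            return candidate
    return None


def lure_recipient(destination):
    """Recover an e-mail address the landing page is handed in its query string."""
    if not destination:
        return None
    for values in parse_qs(urlparse(destination).query).values():
        for v in values:
            if re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", v):
                return v
    return None


def analyse_attachment(html):
    """One finding per meta-refresh directive that carries a URL."""
    parser = MetaRefreshParser()
    parser.feed(html)
    findings = []
    for content in parser.refreshes:
        parsed = parse_refresh(content)
        if parsed is None:
            continue
        delay, url = parsed
        host = (urlparse(url).hostname or "").lower()
        destination = unwrap_redirector(url) if host in AD_REDIRECTORS else None
        findings.append({
            "delay": delay,
            "redirector": host,
            "destination": destination,
            "lure_recipient": lure_recipient(destination),
        })
    return findings


def verdict(finding):
    """block: a trusted redirector carrying an attacker-chosen destination;
    review: any other zero-delay redirect out of an attachment; else allow."""
    if finding["destination"]:
        return "block"
    if finding["delay"] == 0:
        return "review"
    return "allow"


if __name__ == "__main__":
    for finding in analyse_attachment(SAMPLE_ATTACHMENT):
        print(verdict(finding), finding)
```

Reputation-based filters stop at the ad.doubleclick.net hostname; the point of unwrapping the query string is to score the page that is really going to load. Real click trackers differ in how they encode the target, so in production the unwrapping step should be driven by your gateway's own list of redirector patterns rather than the single layout assumed here.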
Inside the ZIP is a JScript file that starts a multi-stage infection. The script first copies itself to a persistent location and decodes an obfuscated PowerShell script. That PowerShell stage checks that the host has a working internet connection and looks for analysis tools such as Wireshark; if the machine appears to be offline, or such a tool is present, it forces a reboot so that the rest of the chain does not run where it might be observed.
Only then does the PowerShell stage fetch the .NET loader, which is loaded through the .NET reflection API and runs entirely in memory. The loader injects its payload into Microsoft-signed .NET Framework utilities such as InstallUtil.exe or MSBuild.exe, so the malicious code executes inside processes that look legitimate to allow-listing and reputation checks. The main payload is never written to disk as a recognizable malicious file, which leaves file-based scanning with little to inspect beyond the JScript dropper and the encoded PowerShell stage; the loader itself has to be caught in memory or from process behaviour.
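Because the loader never reaches disk, the chain in the last two paragraphs is best detected from process telemetry rather than from files. The Python example below is an added illustration, not code from the report or from the campaign: it runs four rules over constructed Sysmon-style process-creation events (script host running JScript out of a Temp path, encoded PowerShell spawned by the script host, shutdown /r spawned by PowerShell, a .NET utility such as InstallUtil.exe or MSBuild.exe spawned by PowerShell) and correlates the hits back to the script host that started the chain. The script name, the paths, the encoded command text and the devenv.exe control process are assumptions made for the sample data.

```python
"""Flag the on-host execution chain described above from process-creation
telemetry.  Added example; the events are constructed, not captured samples."""
import re
from collections import defaultdict
from ntpath import basename  # handles Windows paths on any platform

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Microsoft-signed .NET Framework utilities commonly used to host in-memory
# payloads; the first two are the ones the report names.
DOTNET_UTILITIES = {"installutil.exe", "msbuild.exe", "regsvcs.exe", "regasm.exe"}

# Constructed events in a Sysmon Event ID 1 flavour (assumed field names).
# Script name, encoded command and paths are illustrative, not indicators.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\AppData\Local\Temp\Temp1_Bestellung_2026.zip\Bestellung_2026.js"'},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"pid": 103, "ppid": 102, "image": r"C:\Windows\System32\shutdown.exe",
     "cmdline": "shutdown.exe /r /t 0"},
    {"pid": 104, "ppid": 102, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "cmdline": "InstallUtil.exe"},
    # Benign control: a developer build started from Visual Studio.
    {"pid": 190, "ppid": 1,
     "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "cmdline": "devenv.exe"},
    {"pid": 200, "ppid": 190, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\src\app\app.sln /t:Build"},
]


def image_name(event):
    return basename(event["image"]).lower()


def parent_name(event, index):
    parent = index.get(event["ppid"])
    return image_name(parent) if parent else ""


def rule_script_host_from_temp(e, index):
    """JScript run by wscript/cscript out of a Temp or extracted-archive path."""
    return image_name(e) in SCRIPT_HOSTS and bool(
        re.search(r"\\Temp\\.*\.jse?\b", e["cmdline"], re.I))


def rule_encoded_powershell_from_script_host(e, index):
    """PowerShell with an encoded command whose parent is a script host."""
    return (image_name(e) in POWERSHELL
            and parent_name(e, index) in SCRIPT_HOSTS
            and bool(re.search(r"\s-e(?:c|nc|ncodedcommand)?\b", e["cmdline"], re.I)))


def rule_reboot_from_powershell(e, index):
    """shutdown /r spawned by PowerShell: the report's anti-analysis bail-out."""
    return (image_name(e) == "shutdown.exe"
            and parent_name(e, index) in POWERSHELL
            and bool(re.search(r"(^|\s)/r\b", e["cmdline"], re.I)))


def rule_dotnet_utility_from_powershell(e, index):
    """Signed .NET utility started by PowerShell rather than by a build tool."""
    return image_name(e) in DOTNET_UTILITIES and parent_name(e, index) in POWERSHELL


RULES = {
    "jscript_from_temp": rule_script_host_from_temp,
    "encoded_powershell_from_script_host": rule_encoded_powershell_from_script_host,
    "reboot_from_powershell": rule_reboot_from_powershell,
    "dotnet_utility_from_powershell": rule_dotnet_utility_from_powershell,
}


def evaluate(events):
    """Return (rule name, pid) for every event that matches a rule."""
    index = {e["pid"]: e for e in events}
    return [(name, e["pid"]) for e in events
            for name, rule in RULES.items() if rule(e, index)]


def script_host_root(pid, index):
    """Walk up the process tree to the nearest wscript/cscript ancestor."""
    seen = set()
    e = index.get(pid)
    while e and e["pid"] not in seen:
        seen.add(e["pid"])
        if image_name(e) in SCRIPT_HOSTS:
            return e["pid"]
        e = index.get(e["ppid"])
    return pid


def correlate(events):
    """Group hits by their script-host root so one lure yields one alert."""
    index = {e["pid"]: e for e in events}
    chains = defaultdict(set)
    for name, pid in evaluate(events):
        chains[script_host_root(pid, index)].add(name)
    return {root: sorted(names) for root, names in chains.items()}


if __name__ == "__main__":
    for root, names in correlate(EVENTS).items():
        print(f"pid {root}: {', '.join(names)}")
```

The MSBuild.exe event started by devenv.exe is there to show why the last rule keys on the parent: .NET utilities are normal on developer machines, and it is PowerShell or a script host as the parent that separates the hollowing case from a build. Rules written this way translate directly into a Sigma rule or an EDR query on ParentImage and CommandLine.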
The campaign shows how attackers route malware through trusted platforms to borrow their reputation. Defenses have to look past the first hop: follow redirects to their final destination, treat an HTML attachment that immediately refreshes to an external site as hostile, and alert when a script host spawns PowerShell or when PowerShell launches .NET utilities such as InstallUtil.exe or MSBuild.exe. Regular employee training on recognizing phishing attempts and treating unexpected attachments with suspicion remains an essential complement to those controls.
Source: Cyber Security News