
CTI Roundup: FunkSec, Malvertising, and Fake Software

FunkSec ransomware threatens victims globally, malvertising scam targets Google Ads users, and threat actors use fake software and installers to push malware

Emerging Issue

This week, CTI looks at a new ransomware group called FunkSec that emerged in late 2024. Next, CTI shares details of a new malvertising campaign targeting businesses and individuals advertising via Google Ads. Finally, CTI sheds light on how threat actors increasingly use fake software and installers to deliver infostealer malware.

FunkSec ransomware threatens victims globally

Researchers at Check Point Security are sounding the alarm about FunkSec — a new ransomware operation that appears to use AI to develop its malware.

According to Check Point, FunkSec claimed more than 85 victims in December. However, the legitimacy of these claims is questionable, as some of the available information is recycled from past leaks.

What is FunkSec ransomware?

Like many ransomware groups today, FunkSec uses double extortion tactics. However, unlike other groups, it appears to demand low ransoms, with some as low as $10,000.

A closer look at the group’s activities, and at discussions about the group on the dark web, indicates that its motivation straddles the line between cybercrime and hacktivism. Check Point also notes that inexperienced actors likely run FunkSec’s core operation. In addition to ransomware, the group offers a few other tools, including a smart password generator, a scraping tool, and a distributed denial of service (DDoS) tool.

FunkSec’s ransomware has quickly evolved, with each version published just a few days apart. The latest version, v1.5, claims to have a low detection rate. Check Point obtained a sample and determined that the development effort is ongoing and likely the work of a less experienced malware developer.

Check Point also discovered that all the versions of the ransomware they encountered were uploaded from Algeria, which could indicate the author’s identity and again suggests an inexperienced group.

AI-assisted malware development

FunkSec appears to rely heavily on AI to develop its malware. Check Point noticed that the group’s publicly offered scripts contain many code comments written in perfect English, likely generated by an LLM. Similar patterns appear in the source code linked to the ransomware, which is also believed to have been created with the help of AI.

In other messages published by the group, they link the ransomware development specifically to AI. This aligns with other public claims from the group, especially as they have released an AI chatbot to support their operations further.


How does FunkSec work?

Check Point did a deeper dive into the FunkSec ransomware samples currently in circulation and determined:

  • At its core, FunkSec is a stripped Rust binary, which makes it harder to reverse engineer. Researchers were particularly surprised by the redundancy in the binary: the control flow repeats itself and the same functions are called over and over.
  • After the malware gains the necessary elevated privileges, it executes several commands to disable Windows Defender, security event logging, application event logging, and more. It also terminates processes found in a hardcoded list.
  • The malware will cycle through each drive and encrypt every file that has one of the targeted file extensions. The encrypted files will have a .funksec extension. Afterward, the malware will write the ransom note to disk.
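The two behaviours above are observable from endpoint telemetry. The following is an added example of detection logic for them, not Check Point’s or Tanium’s code: it correlates a burst of renames to the .funksec extension on one host with security-tamper events that precede it. The event schema, the constructed sample events and the thresholds are assumptions; the Windows event IDs used are Microsoft Defender 5001 (real-time protection disabled) and Security 1102 (audit log cleared).

```python
from collections import defaultdict
from datetime import datetime, timedelta

RANSOM_EXT = ".funksec"
# (source log, event ID) pairs that indicate defensive tooling was switched off or wiped.
TAMPER = {("defender", "5001"), ("security", "1102")}

# Constructed sample telemetry, not real data. Schema (assumed): (timestamp, host, kind, detail);
# for "rename" events the detail is the new file path.
SAMPLE_EVENTS = [
    ("2025-01-10T09:00:01", "ws01", "defender", "5001"),
    ("2025-01-10T09:00:02", "ws01", "security", "1102"),
    ("2025-01-10T09:00:05", "ws01", "rename", "C:\\Users\\a\\report.docx.funksec"),
    ("2025-01-10T09:00:06", "ws01", "rename", "C:\\Users\\a\\budget.xlsx.FUNKSEC"),
    ("2025-01-10T09:00:07", "ws01", "rename", "C:\\Users\\a\\photo.jpg.funksec"),
    ("2025-01-10T09:30:00", "ws02", "rename", "C:\\tmp\\notes.txt.bak"),  # benign rename
    ("2025-01-10T10:00:00", "ws03", "rename", "C:\\tmp\\one.txt.funksec"),  # single file, below threshold
]


def detect(events, burst_threshold=3, window=timedelta(seconds=60)):
    """Return {host: finding}. A host is flagged when at least burst_threshold files are
    renamed to RANSOM_EXT inside one sliding window; the finding also lists any tamper
    events on that host that happened at or before the first rename of the burst."""
    by_host = defaultdict(list)
    for ts, host, kind, detail in events:
        by_host[host].append((datetime.fromisoformat(ts), kind, detail))
    findings = {}
    for host, evs in by_host.items():
        evs.sort()
        renames = [t for t, k, d in evs if k == "rename" and d.lower().endswith(RANSOM_EXT)]
        burst_start = None
        for i in range(len(renames) - burst_threshold + 1):
            if renames[i + burst_threshold - 1] - renames[i] <= window:
                burst_start = renames[i]
                break
        if burst_start is None:
            continue
        tamper = sorted(d for t, k, d in evs if (k, d) in TAMPER and t <= burst_start)
        findings[host] = {"first_encrypt": burst_start.isoformat(), "tamper_before": tamper}
    return findings


if __name__ == "__main__":
    for host, finding in detect(SAMPLE_EVENTS).items():
        print(host, finding)
```

The tamper events alone are worth an alert in their own right; pairing them with the rename burst simply raises confidence that the burst is encryption rather than a bulk file operation.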

Analyst comments from Tanium’s Cyber Threat Intelligence team

FunkSec has claimed multiple victims since its emergence last month, though the legitimacy and accuracy of these claims are questionable.

Check Point’s research indicates that this group is not as sophisticated as others for a few reasons, particularly its extensive use of AI. Threat actors did not utilize AI last year as much as researchers had expected, at least not in advanced ways. It seems that actors primarily use AI due to a lack of skills rather than to create more complex malware and ransomware.

Malvertising scam targets Google Ads users

Malwarebytes recently released information about a new malvertising campaign targeting individuals and businesses that use Google Ads for advertising.

This campaign looks to steal Google Ads accounts by running sponsored ads that impersonate Google Ads and direct victims to phishing pages. Malwarebytes believes the overarching goal may be to sell these stolen accounts on underground forums for malicious use.


How cybercriminals impersonate Google Ads

Malwarebytes first started noticing suspicious activity involving Google accounts by accident. The company traced the activity back to malicious ads for Google Ads.

The sponsored ad for Google Ads appears legitimate, but if you click on the three dots next to it to see more details about the advertiser, you can see that it is a compromised account. The ad says it is run by an advertiser identity verified by Google (which is true since it is a real account — just compromised), but the advertiser is a person’s name instead of Google itself.

Types of lures and phishing used

If a victim clicks on one of the malicious ads, they are taken to a page that closely resembles the Google Ads homepage. The site is hosted on “sites.google[.]com,” which enhances its legitimacy. On these pages, there is another button labeled “start now” that, when clicked, redirects the user to a phishing site. This page aims to steal the victim’s Google Ads credentials and send them to a remote server controlled by the threat actor.

Who is behind the Google Ads malvertising campaign?

Malwarebytes identified two groups of cybercriminals running the campaign:

  1. The first group consists of Portuguese-speaking actors believed to be operating out of Brazil. Malwarebytes reported over 50 fraudulent Google ads that originated from this group in just a few days.
  2. The second group utilizes advertising accounts from Hong Kong and is thought to be operating out of Asia. They employ a similar delivery chain, but the phishing kit itself varies.

Additionally, there is a third related campaign that depends on a fake CAPTCHA instead of Google sites.

Analyst comments from Tanium’s Cyber Threat Intelligence team

As Malwarebytes highlights, stolen Google Ads accounts hold significant value within the cybercriminal community, which explains the numerous campaigns exploiting these compromised accounts.

By compromising Google Ads accounts, threat actors evade the expenses involved in running fraudulent ads and instead shift that burden onto the compromised owner or business.

Malvertising has been on the rise for months, if not years, and this campaign serves as another reminder to be cautious about what you click on in search engine results, especially those that appear as sponsored ads.

Threat actors use fake software and installers to push malware

Trend Micro’s latest report examines the increasing threat posed by fake software and installers as a method for delivering infostealer malware.

According to Trend Micro, threat actors are leveraging YouTube and various social media sites to share links for fake installers while leveraging reputable file hosting services to hide the origin of the malware.

The actors often lure potential victims into downloading fake installers by creating profiles on platforms like YouTube. Trend Micro notes that these profiles frequently feature installation tutorials that further attract victims to click on malicious links in the video description or comments section. In one instance, the link in the comment section directs victims to another YouTube page where a download link for the fake installer appears.

If the victim clicks the fake installer link, a file will be downloaded from the legitimate MediaFire hosting site. In other observed cases, the threat was uploaded to the Mega file hosting site.

Trend Micro has also seen instances where victims inadvertently come across fake installers while searching for them via search engines. In these cases, the results are found on sites like OpenSea, an NFT marketplace, and SoundCloud, a music-sharing platform.


Infection analysis examples of fake software installers

Trend Micro’s report analyzed two scenarios in which the download succeeded and the payload executed fully, which gives a clear view of the entire infection chain.

  1. Large installer file evasion
    In one case observed by Trend Micro, the unpacked installer file was 900 MB. The large size helps evade defenses and may bypass sandbox analysis, as it more closely resembles a legitimate installer. The infection begins when the executable inside the .zip is run.

    Looking at one of the executed batch files, Trend Micro found that it contained obfuscated entries. After cleaning up the batch file, researchers found that it would build the AutoIt script by combining files and then executing it, resulting in additional files being dropped. It can then introduce process injection, steal data from browser environments, and establish a connection with multiple C2 addresses.
  2. Compressed file download
    In another example, the infection started when the victim downloaded a compressed file from a known hosting site.

    Unpacking the file and inputting a password will execute the installer. This installer will spawn legitimate processes to inject code into, introduce AutoIt, and connect to its C2 to download more malware.

Analyst comments from Tanium’s Cyber Threat Intelligence team

Threat actors have been using fake installers and cracked software to deliver malware for some time now, which suggests the technique continues to work to some degree.

The campaigns analyzed by Trend Micro are similar to those that misuse GitHub repository comments. These campaigns exploit the high level of trust users have in these platforms, making it increasingly crucial for individuals to be aware of what they are downloading.



Tanium CTI

Tanium's Cyber Threat Intelligence (CTI) analysts process and extract trends from the daily cyber landscape to curate and deliver current intel to stakeholders around threats impacting business and security.
