The Elastic Security Labs analysis reveals a new Windows loader called OXLOADER that is responsible for distributing the CASTLESTEALER infostealer through malicious Google Ads. The key points include:
- OXLOADER evades detection via sophisticated obfuscation techniques and checks to avoid virtual machine environments, targeting primarily Russian-speaking users.
- The malware employs a multi-stage infection process, starting from malicious advertisements that lead users to download a batch script that launches the loader.
- Technical measures taken by OXLOADER involve self-modifying code and misuse of the Windows `.reloc` section to execute malware without detection.
- Analysis suggests the need for vigilance towards this stealthy malware due to its advanced evasion tactics and low detection rates.
- Related tactics and techniques employed by threat actors include malvertising, user execution of malicious files, and developing shellcode for in-memory execution.
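The `.reloc` abuse noted above is unusual because a legitimate relocation section holds read-only data and is never executed. The following added example (not code from the Elastic report) is a defender-side triage heuristic that parses PE section headers and flags a `.reloc` section marked executable or containing the entry point; the `build_sample_pe` helper constructs headers-only test images and is an assumption for demonstration, not a real binary.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000

def parse_sections(data):
    """Return (AddressOfEntryPoint, [(name, vaddr, vsize, characteristics)]) from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    # AddressOfEntryPoint sits at offset 16 of the optional header for PE32 and PE32+.
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + i * 40  # each IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, vaddr, vsize, chars))
    return entry_rva, sections

def reloc_anomalies(data):
    """Flag a .reloc section that is executable or that contains the entry point."""
    entry_rva, sections = parse_sections(data)
    findings = []
    for name, vaddr, vsize, chars in sections:
        if name != ".reloc":
            continue
        if chars & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE):
            findings.append(".reloc marked executable/code (0x%08x)" % chars)
        if vaddr <= entry_rva < vaddr + vsize:
            findings.append("entry point 0x%x lies inside .reloc" % entry_rva)
    return findings

def build_sample_pe(entry_rva, reloc_chars):
    """Constructed headers-only PE32 image for testing the heuristic (hypothetical, not a real file)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)               # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    sec = lambda n, va, vs, ch: struct.pack("<8sIIIIIIHHI", n, vs, va, vs, 0, 0, 0, 0, 0, ch)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + \
        sec(b".text", 0x1000, 0x1000, 0x60000020) + sec(b".reloc", 0x2000, 0x1000, reloc_chars)
```

Run the heuristic over collected samples before deeper analysis; a benign `.reloc` carries characteristics like `0x42000040` (initialized data, discardable, read) and produces no findings.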