[TIMESTAMP: 2026-06-03 21:10 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

Abusing Google DoubleClick for DesckVB RAT Delivery — Detection Guide

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Attackers leverage trusted Google DoubleClick domains to bypass email filters and deliver malicious payloads to unsuspecting enterprise users.
  • [02] Impacted environments include Windows-based systems targeted by DesckVB RAT via sophisticated social engineering and legitimate infrastructure redirection.
  • [03] Organizations must update email security filters to scrutinize open redirects and implement behavioral monitoring for unauthorized remote access tools.

Security researchers have identified a sophisticated campaign in which threat actors abuse the reputation of Google’s ad-serving infrastructure to bypass perimeter defenses. According to The Hacker News, this phishing operation uses the DoubleClick domain to redirect users toward attacker-controlled servers, ultimately installing the DesckVB RAT on the victim’s machine. By nesting malicious links within a trusted ecosystem, the attackers significantly increase the likelihood that their initial lures pass through automated email security gateways without being flagged as high risk.

Analysis of DesckVB RAT Delivery via Google DoubleClick Mechanisms

The core of this threat is the exploitation of trust. Many enterprise EDR and secure web gateway (SWG) solutions implicitly trust traffic to established domains such as doubleclick.net. The TTP identified involves an “open redirect” vulnerability or a similar misconfiguration that lets attackers append a destination URL to a legitimate Google link. When a user clicks the link in an email, the browser first visits the legitimate Google domain and is then automatically forwarded to a site hosting the malware downloader.

This bypass technique is particularly effective against standard blacklisting. Because the initial connection is encrypted with TLS and terminates at a globally recognized service provider, it rarely triggers destination-reputation alerts. Once the redirect is processed, the victim’s system performs a secondary download of a ZIP or ISO file containing the components needed to execute the DesckVB payload. The method shows how actors exploit the administrative overhead of maintaining allow-lists for content delivery networks.

Technical Capabilities of the DesckVB RAT

DesckVB is a remote access trojan that grants attackers extensive control over an infected host. Once active, the malware establishes C2 communication to receive instructions such as file exfiltration, keylogging, or further payload delivery. Analysts have noted that the RAT often employs obfuscation techniques to hide its presence from local scanners. This type of threat is dangerous for organizations because it facilitates long-term persistence and can serve as a precursor to more damaging activity, including ransomware deployment or lateral movement within the internal network.

The malware is designed to interact with the Windows operating system at a low level, often attempting privilege escalation when the initial user account lacks administrative rights. By capturing screenshots and monitoring user activity, the operators of DesckVB can identify high-value targets within a corporate hierarchy, making it a potent tool for corporate espionage and data theft.

How to Detect DesckVB RAT Infection

Defenders must look beyond simple domain reputation to identify this threat. To detect a DesckVB RAT infection, SOC teams should monitor for unusual outbound connections that follow visits to ad-related domains. While the initial request to DoubleClick is normal, a rapid, automated transition from it to an unknown IP address or a non-standard top-level domain (TLD) is a strong indicator of compromise.

Security teams should also use the MITRE ATT&CK framework to map the observed behaviors. Mapping to “T1204.002 - User Execution: Malicious File” and “T1071.001 - Application Layer Protocol: Web Protocols” in particular helps in writing specific SIEM alerts. Behavioral patterns such as a browser process launching a PowerShell script or a command-line utility should be treated as high-priority incidents, since these are rarely legitimate actions following an advertisement redirect.
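The two detections described above (a DoubleClick visit followed within seconds by a connection to a raw IP or unexpected TLD, and a browser parent spawning a scripting host), as an added example that is not part of the original article. The proxy log lines, process events, 10-second window and expected-TLD set are all constructed assumptions; tune them to your own telemetry.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed proxy log: "<UTC timestamp> <client> <url>", one request per line.
PROXY_LOG = """\
2026-06-03T09:14:02Z 10.0.4.21 https://ad.doubleclick.net/click?adurl=REDACTED
2026-06-03T09:14:03Z 10.0.4.21 https://cdn-updates.xyz/pkg/invoice.zip
2026-06-03T09:14:05Z 10.0.4.21 https://www.google.com/
2026-06-03T09:20:11Z 10.0.4.33 https://ad.doubleclick.net/click?adurl=REDACTED
2026-06-03T09:20:12Z 10.0.4.33 https://www.example.com/landing
2026-06-03T09:25:40Z 10.0.4.21 https://203.0.113.7/stage2
"""
WINDOW = timedelta(seconds=10)  # "rapid, automated transition" (assumed threshold)
EXPECTED_TLDS = {"com", "net", "org", "edu", "gov"}  # assumption: tune per environment

def _is_ad_host(host):
    return host == "doubleclick.net" or host.endswith(".doubleclick.net")

def _unexpected_destination(host):
    """Raw IP literal, or a TLD outside the expected set (the guide's two indicators)."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return host.rsplit(".", 1)[-1].lower() not in EXPECTED_TLDS

def suspicious_chains(log_text):
    """Return (client, destination_host) pairs where a client requested a
    DoubleClick URL and, within WINDOW, an unexpected destination."""
    last_ad_hit, alerts = {}, []
    for line in log_text.splitlines():
        ts, client, url = line.split(" ", 2)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        host = urlsplit(url).hostname or ""
        if _is_ad_host(host):
            last_ad_hit[client] = when
        elif (client in last_ad_hit and when - last_ad_hit[client] <= WINDOW
              and _unexpected_destination(host)):
            alerts.append((client, host))
    return alerts

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Constructed process-creation events: (parent image, child image).
PROC_EVENTS = [("chrome.exe", "powershell.exe"), ("explorer.exe", "cmd.exe"),
               ("msedge.exe", "msedge.exe"), ("firefox.exe", "wscript.exe")]

def browser_spawned_shells(events):
    """T1204.002-style check: a browser parent launching a scripting host."""
    return [(p, c) for p, c in events if p in BROWSERS and c in SHELLS]
```

The late request from 10.0.4.21 to 203.0.113.7 is deliberately outside the window, so it is not paired with the earlier DoubleClick hit; a raw-IP destination outside the window would need its own rule.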

Malspam Campaign Mitigation Strategies

Mitigating this threat requires a multi-layered approach that addresses both the delivery mechanism and the payload execution phase:

  • Implement URL Rewriting and Sandbox Inspection: Use advanced email security tools that perform deep inspection of URLs, following all redirects to the final destination before allowing the user to access the site.
  • Disable Unnecessary Scripting Hosts: Prevent common malware delivery formats by restricting the execution of .vbs, .js, and .ps1 files from user-writable directories like Downloads or AppData using Group Policy Objects (GPO).
  • Configure Application Whitelisting: Use Zero Trust principles to ensure that only authorized binaries can execute within the environment, effectively neutralizing the DesckVB payload even if it is successfully downloaded.
  • Monitor for Open Redirect Abuse: Filter inbound emails that contain DoubleClick or other ad-related links containing suspicious URL parameters, such as those beginning with http inside the query string.
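The last mitigation, inspecting ad-domain links for an embedded destination URL in the query string, as an added example that is not part of the original article. The ad-domain list, trusted-host suffixes, sample links and the `adurl` parameter name are constructed assumptions, not DoubleClick's actual parameter; the check therefore scans every query key and value, plus the bare query string, rather than relying on a specific name.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

AD_DOMAINS = ("doubleclick.net", "googleadservices.com")   # constructed list
TRUSTED_SUFFIXES = ("google.com", "doubleclick.net")        # assumed first-party hosts

def _host_matches(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)

def embedded_redirects(url):
    """Return every URL embedded in the query string of an ad-domain link that
    points at a host outside TRUSTED_SUFFIXES. Covers ``?param=https://...``
    (URL-encoded or not) and the bare ``?https://...`` form with no key."""
    parts = urlsplit(url)
    if not _host_matches(parts.hostname or "", AD_DOMAINS):
        return []
    candidates = [parts.query]            # bare-URL form, checked whole
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        candidates.extend((key, value))   # a keyless URL lands in `key`
    found = []
    for raw in candidates:
        value = unquote(raw).strip()
        if not value.lower().startswith(("http://", "https://")):
            continue
        target = urlsplit(value).hostname or ""
        if target and not _host_matches(target, TRUSTED_SUFFIXES) and value not in found:
            found.append(value)
    return found

def triage_links(urls):
    """Map each link that carries an external redirect target to its targets."""
    return {u: t for u in urls if (t := embedded_redirects(u))}

# Constructed sample links as they might appear in inbound mail.
SAMPLE_LINKS = [
    "https://ad.doubleclick.net/click?adurl=https%3A%2F%2Fupdates-portal.example%2Finvoice.zip",
    "https://ad.doubleclick.net/click?adurl=https://www.google.com/",
    "https://www.example.com/news?ref=https://evil.example/",
    "https://googleads.g.doubleclick.net/r?https://203.0.113.7/pkg.iso",
]
```

Only the first and last sample links are flagged: the second redirects to a trusted host and the third is not an ad-domain link at all, so it falls to other mail-filtering rules.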

By focusing on these malspam campaign mitigation strategies, organizations can reduce their attack surface and prevent the initial access phase of the DesckVB infection lifecycle.
