image of breaking badness
Breaking Badness
Breaking Badness

147. DOUBLEBACK in Black

Coming up this week on Breaking Badness. Today we discuss: MalVirtuoso, One Love for OneNote, and Two Truths and a Lie.

Here are a few highlights from each article we discussed:


  • In the past month, a number of malware families are using Google Ads to spread badness masquerading as legitimate downloads
  • These bad actors had been having success with phishing via Word Documents, but they made the shift to to Google Ads
    • This article makes the assertion that “malvertising” as it’s being called, has been around for quite a while. 
    • Why are we seeing it recently? It’s a numbers game for anyone in any sort of business. They must be seeing they’re getting good results 
    • There are a lot of anti-phishing measures in email gateways that catch old tricks 
    • So why not look at diversifying? 
    • You are paying for this service, but it’s likely they’re probably using others’ money 
  • Which brands are affected by this?
    • We’ve seen Adobe Reader, Slack, Microsoft Teams, and a few others targeted for impersonation on Google Ads
    • We’ll likely see this expand to other brands
    • When you think about what the lure is for these, it’s usually about what the download will be – either for personal or business use
      • You find it with productivity tools, but you can also see instances of gaming downloads as well, so it’s safe to assume this will spread to others
      • The reporter for the article needed to draw the line somewhere – they can’t be expected to list all brands out ;) 
  • This threat was reported by Sentinel One and is called MalVirt, but what does it do?
    • At the moment, it’s being used to distribute malware called XLoader, which runs on both Windows and macOS
      • XLoader *sounds* like its job is to download later post-exploit tooling, but it mainly seems to be stealing credentials and other sensitive information from infected devices at this point
      • One of the interesting things in this article was the main download site they mention, downloadstudio[.]net, did something that very few malicious domains accomplish: it’s well inside the top million domains, per our ranking algorithm that replaces the erstwhile Alexa service. It’s 124k and change and it’s been around since 2019
  • Why doesn’t Google just fix this?
    • They’re probably getting better at it over the years, but so are bad actors – it’s a cat and mouse thing
  • How can folks protect themselves?
    • Basically just stop using the Internet other than listening to Breaking Badness
      • Everything was fine when we were using phone books ;) 
    • In all seriousness, we’ve been leery of sponsored links
      • If there’s a specific brand associated with the link, check the domain
      • We try to go past those links to the organic results 
      • If you have to download Microsoft Teams (as an example), just go to their website and download it from there
      • Of course, not every sponsored link is bad, but you really have to be mindful of what you’re clicking on

One Love for OneNote

  • Hackers are using Microsoft OneNote attachments in phishing emails to spread malware and password stealers
  • So what is Microsoft OneNote?
    • It’s the Microsoft standard note taking tool that allows you to add images, videos, links, visuals, and more
    • It’s installed instantly with Microsoft Office 
  • There’s been an uptick recently, but ProofPoint would say this has been going on since December 2022 – still a fairly new attack
    • We’ve seen similar attacks in the past to other tools, but now we’re just seeing it with OneNote
    • ProofPoint believes we’re seeing this uptick with OneNote as bad actors have experimented with different techniques to avoid detection
    • December was a popular month to begin these attacks as some of the messages in the campaign alluded to “Christmas bonuses” or “Christmas gifts” making it more enticing to the victim
    • The targets in December were primarily those in the Education sector, while attacks in January didn’t have specific targets or organizations 
  • The ProofPoint team noted that the campaigns deliver AsyncRAT malware, Redline, AgentTesla, and DOUBLEBACK
  • What’s the best way for people to protect themselves?
    • There’s simple things to turn on to block access 
    • But a lot of this is getting picked up, so that’s good news
    • ProofPoint stresses that these attacks are only successful if potential victims actually engage with the attachment, so organizations need to educate their users on these threats and to report suspicious emails and attachments

Two Truths and a Lie

Introducing our newest segment on Breaking Badness. We are going to play a game you are all likely familiar with called two truths and a lie, with a fun twist. Each week, one us with come prepared with three article titles, two of which are real, and one is, you guessed it, A LIE.

You’ll have to tune in to find out!

Current Scoreboard

This Week’s Hoodie/Goodie Scale


[Taylor]: 2.5/10 Hoodies
[Tim]: 3.5/10 Hoodies

One Love for OneNote

[Taylor]: 3.5/10 Hoodies
[Tim]: 4/10 Hoodies

That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!