In a concerning development, researchers at a leading Cyber Security firm have uncovered a sophisticated malvertising campaign conducted by the notorious BlackCat ransomware group, also known as ALPHV. The group has devised a cunning strategy to infect the computers of high-value targets, such as system administrators, web admins, and IT professionals, by luring them into downloading malware-ridden installers disguised as the widely-used WinSCP file-transfer application for Windows.
WinSCP, renowned for its secure file transfer capabilities and boasting 400,000 weekly downloads on SourceForge alone, has unwittingly become the focus of this elaborate attack. Exploiting the application’s popularity, BlackCat leverages malvertising campaigns on search engines like Google and Bing to manipulate search results. When unsuspecting victims search for “WinSCP Download,” they are presented with malicious links that lead to fake websites resembling the official WinSCP platform.
At first glance, these websites appear harmless, hosting tutorials on automated file transfers using WinSCP. However, once users attempt to download the software from these cloned websites, they unknowingly acquire an ISO file containing a lure executable, “setup.exe,” and a malware dropper named “msi.dll.” When executed, “setup.exe” triggers the malware dropper, which proceeds to extract a Python folder from the DLL RCDATA section, posing as a legitimate WinSCP installer.
The installation process further involves the deployment of a trojanized python310.dll file, along with the creation of a persistence mechanism through registry manipulation. Subsequently, a modified and obfuscated pythonw.exe executes the python310.dll, which harbors a Cobalt Strike beacon capable of establishing a connection with a command-and-control server operated by BlackCat.
Once inside the compromised system, ALPHV deploys a range of additional tools to deepen the compromise and facilitate lateral movement within the network. These tools include AdFind for Active Directory information retrieval, PowerShell commands for various tasks such as data gathering and script execution, AccessChk64 for user and group permission reconnaissance, Findstr for password searching within XML files, PowerView for Active Directory enumeration, Python scripts for password recovery and credential acquisition, as well as PsExec, BitsAdmin, and Curl for lateral movement. Moreover, ALPHV has been observed exploiting legitimate tools like AnyDesk, PuTTY Secure Copy client, and the SpyBoy “Terminator,” an EDR and antivirus disabler.
Researchers establishes a clear link between the observed tactics, techniques, and procedures (TTPs) and confirmed ALPHV ransomware infections. The discovery of a Clop ransomware file in one of the investigated command-and-control (C2) domains suggests that the threat actor may be affiliated with multiple ransomware operations.
The implications of this attack are alarming, as it directly targets individuals responsible for managing crucial corporate networks and systems. Organizations and individuals are urged to exercise heightened caution when downloading software, verifying the authenticity of websites, and implementing robust security measures to protect against such sophisticated threats.
It is essential for search engine providers, software developers, and security companies to collaborate closely to detect and mitigate such malicious campaigns promptly. Public awareness and education about the risks associated with malvertising and social engineering techniques will also play a critical role in defending against cyber threats of this nature.
