Monday, December 23, 2024
HomeCyber Security NewsHackers use Cloned pages of Popular Tools to Deliver Blackcat Ransomware

Hackers use Cloned pages of Popular Tools to Deliver Blackcat Ransomware

Published on

SIEM as a Service

The cybersecurity researchers at Trend Micro recently identified that the Blackcat Ransomware (aka ALPHV) actors are using malvertising tricks to spread fake WinSCP installers via Targeted Attack Detection (TAD) service.

In these advertising campaigns, the threat actors lured their victims by using the cloned web pages of legitimate organizations.

Google Ads boosts sales by targeting audiences with tailored ads, driving traffic for businesses. 

- Advertisement - SIEM as a Service

While in this case, threat actors make use of these platforms to launch malvertising campaigns that exploit keyword hijacking to trap search engine users with malicious ads and distribute malware stealthily.

Blackcat Ransomware Infection Chain

Delaying intervention would have severely impacted the enterprise, considering the threat actors’ acquisition of domain admin privileges and establishment of backdoors, leading to significant consequences.

Infection Chain
Infection chain (Source – Trend Micro)

Upon searching “WinSCP Download” on Bing, the user encounters a deceptive ad promoting the application positioned above the organic search results. Clicking the ad redirects to a suspicious website featuring a tutorial on automated file transfers via WinSCP.

Suspicious site (Source – Trend Micro)

After landing on the initial page, the user is sent to a cloned WinSCP download site:- 

  • winsccp[.]com

Clicking “Download” initiates an ISO file download from an infected WordPress page:-

  • hxxps://events[.]drdivyaclinic[.]com

While the final payload URL was later switched to the file-sharing service 4 shared by the malicious actor.

Malicious Download Site

Once the victim clicks, they get an ISO file with “setup.exe” and “msi.dll” – the former tempts the user to open it, while the latter acts as the triggered malware dropper.

Malicious Download Site
Download site (Source – Trend Micro)

Upon executing setup.exe, it triggers msi.dll, extracting a Python folder from the DLL RCDATA section, and also functioning as the genuine WinSCP installer for installation.

The process includes installing a trojanized python310.dll and establishing persistence through a run key named “Python” with the following value:-

  • C:\Users\Public\Music\python\pythonw.exe
The run key (Source – Trend Micro)

A modified obfuscated python310.dll file is loaded on successful execution of pythonw.exe. The python310.dll file includes a Cobalt Strike beacon, which establishes a connection to a C2 server.

With Cobalt Strike operational, executing scripts, retrieving tools for lateral movement, and intensifying the compromise becomes effortless.

Tools used

Here below we have mentioned all the tools that are used by the Blackcat Ransomware (aka ALPHV):-

  • Curl
  • PsExec
  • PowerShell commands
  • PowerView
  • BitsAdmin
  • AdFind
  • AccessChk64
  • Findstr
  • PuTTY Secure Copy
  • AnyDesk
  • Python scripts
  • KillAV BAT

Apart from this, ALPHV also employed SpyBoy “Terminator,” it’s a tool that disables EDR and antivirus solutions.

Recommendations

Here below we have mentioned all the recommendations offered by the researchers:-

  • Take necessary steps to educate employees on recognizing and avoiding phishing attacks.
  • Keep a close watch on activities and maintain detailed logs.
  • Set specific criteria to determine what qualifies as regular network traffic for day-to-day operations.
  • Focus on enhancing incident response procedures and improving overall communication efforts.
  • Collaborate with experienced cybersecurity researchers and professionals to get more advanced security improvement ideas.

“AI-based email security measures Protect your business From Email Threats!” – .

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

WhatsApp Wins NSO in Pegasus Spyware Hacking Lawsuit After 5 Years

After a prolonged legal battle stretching over five years, WhatsApp has triumphed over NSO...

PentestGPT – A ChatGPT Powered Automated Penetration Testing Tool

GBHackers come across a new ChatGPT-powered Penetration testing Tool called "PentestGPT" that helps penetration...

Threat Actors Selling Nunu Stealer On Hacker Forums

A new malware variant called Nunu Stealer is making headlines after being advertised on underground hacker...

Siemens UMC Vulnerability Allows Arbitrary Remote Code Execution

A critical vulnerability has been identified in Siemens' User Management Component (UMC), which could...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

WhatsApp Wins NSO in Pegasus Spyware Hacking Lawsuit After 5 Years

After a prolonged legal battle stretching over five years, WhatsApp has triumphed over NSO...

Threat Actors Selling Nunu Stealer On Hacker Forums

A new malware variant called Nunu Stealer is making headlines after being advertised on underground hacker...

Siemens UMC Vulnerability Allows Arbitrary Remote Code Execution

A critical vulnerability has been identified in Siemens' User Management Component (UMC), which could...