The cybersecurity researchers at Trend Micro recently identified that the Blackcat Ransomware (aka ALPHV) actors are using malvertising tricks to spread fake WinSCP installers via Targeted Attack Detection (TAD) service.
In these advertising campaigns, the threat actors lured their victims by using the cloned web pages of legitimate organizations.
Google Ads boosts sales by targeting audiences with tailored ads, driving traffic for businesses.
While in this case, threat actors make use of these platforms to launch malvertising campaigns that exploit keyword hijacking to trap search engine users with malicious ads and distribute malware stealthily.
Blackcat Ransomware Infection Chain
Delaying intervention would have severely impacted the enterprise, considering the threat actors’ acquisition of domain admin privileges and establishment of backdoors, leading to significant consequences.
Upon searching “WinSCP Download” on Bing, the user encounters a deceptive ad promoting the application positioned above the organic search results. Clicking the ad redirects to a suspicious website featuring a tutorial on automated file transfers via WinSCP.
After landing on the initial page, the user is sent to a cloned WinSCP download site:-
- winsccp[.]com
Clicking “Download” initiates an ISO file download from an infected WordPress page:-
- hxxps://events[.]drdivyaclinic[.]com
While the final payload URL was later switched to the file-sharing service 4 shared by the malicious actor.
Malicious Download Site
Once the victim clicks, they get an ISO file with “setup.exe” and “msi.dll” – the former tempts the user to open it, while the latter acts as the triggered malware dropper.
Upon executing setup.exe, it triggers msi.dll, extracting a Python folder from the DLL RCDATA section, and also functioning as the genuine WinSCP installer for installation.
The process includes installing a trojanized python310.dll and establishing persistence through a run key named “Python” with the following value:-
- C:\Users\Public\Music\python\pythonw.exe
A modified obfuscated python310.dll file is loaded on successful execution of pythonw.exe. The python310.dll file includes a Cobalt Strike beacon, which establishes a connection to a C2 server.
With Cobalt Strike operational, executing scripts, retrieving tools for lateral movement, and intensifying the compromise becomes effortless.
Tools used
Here below we have mentioned all the tools that are used by the Blackcat Ransomware (aka ALPHV):-
- Curl
- PsExec
- PowerShell commands
- PowerView
- BitsAdmin
- AdFind
- AccessChk64
- Findstr
- PuTTY Secure Copy
- AnyDesk
- Python scripts
- KillAV BAT
Apart from this, ALPHV also employed SpyBoy “Terminator,” it’s a tool that disables EDR and antivirus solutions.
Recommendations
Here below we have mentioned all the recommendations offered by the researchers:-
- Take necessary steps to educate employees on recognizing and avoiding phishing attacks.
- Keep a close watch on activities and maintain detailed logs.
- Set specific criteria to determine what qualifies as regular network traffic for day-to-day operations.
- Focus on enhancing incident response procedures and improving overall communication efforts.
- Collaborate with experienced cybersecurity researchers and professionals to get more advanced security improvement ideas.
“AI-based email security measures Protect your business From Email Threats!” – Request a Free Demo.
