Saturday, October 12, 2024
HomeCyber Security NewsHackers use Cloned pages of Popular Tools to Deliver Blackcat Ransomware

Hackers use Cloned pages of Popular Tools to Deliver Blackcat Ransomware

Published on

Malware protection

The cybersecurity researchers at Trend Micro recently identified that the Blackcat Ransomware (aka ALPHV) actors are using malvertising tricks to spread fake WinSCP installers via Targeted Attack Detection (TAD) service.

In these advertising campaigns, the threat actors lured their victims by using the cloned web pages of legitimate organizations.

Google Ads boosts sales by targeting audiences with tailored ads, driving traffic for businesses. 

- Advertisement - SIEM as a Service

While in this case, threat actors make use of these platforms to launch malvertising campaigns that exploit keyword hijacking to trap search engine users with malicious ads and distribute malware stealthily.

Blackcat Ransomware Infection Chain

Delaying intervention would have severely impacted the enterprise, considering the threat actors’ acquisition of domain admin privileges and establishment of backdoors, leading to significant consequences.

Infection Chain
Infection chain (Source – Trend Micro)

Upon searching “WinSCP Download” on Bing, the user encounters a deceptive ad promoting the application positioned above the organic search results. Clicking the ad redirects to a suspicious website featuring a tutorial on automated file transfers via WinSCP.

Suspicious site (Source – Trend Micro)

After landing on the initial page, the user is sent to a cloned WinSCP download site:- 

  • winsccp[.]com

Clicking “Download” initiates an ISO file download from an infected WordPress page:-

  • hxxps://events[.]drdivyaclinic[.]com

While the final payload URL was later switched to the file-sharing service 4 shared by the malicious actor.

Malicious Download Site

Once the victim clicks, they get an ISO file with “setup.exe” and “msi.dll” – the former tempts the user to open it, while the latter acts as the triggered malware dropper.

Malicious Download Site
Download site (Source – Trend Micro)

Upon executing setup.exe, it triggers msi.dll, extracting a Python folder from the DLL RCDATA section, and also functioning as the genuine WinSCP installer for installation.

The process includes installing a trojanized python310.dll and establishing persistence through a run key named “Python” with the following value:-

  • C:\Users\Public\Music\python\pythonw.exe
The run key (Source – Trend Micro)

A modified obfuscated python310.dll file is loaded on successful execution of pythonw.exe. The python310.dll file includes a Cobalt Strike beacon, which establishes a connection to a C2 server.

With Cobalt Strike operational, executing scripts, retrieving tools for lateral movement, and intensifying the compromise becomes effortless.

Tools used

Here below we have mentioned all the tools that are used by the Blackcat Ransomware (aka ALPHV):-

  • Curl
  • PsExec
  • PowerShell commands
  • PowerView
  • BitsAdmin
  • AdFind
  • AccessChk64
  • Findstr
  • PuTTY Secure Copy
  • AnyDesk
  • Python scripts
  • KillAV BAT

Apart from this, ALPHV also employed SpyBoy “Terminator,” it’s a tool that disables EDR and antivirus solutions.

Recommendations

Here below we have mentioned all the recommendations offered by the researchers:-

  • Take necessary steps to educate employees on recognizing and avoiding phishing attacks.
  • Keep a close watch on activities and maintain detailed logs.
  • Set specific criteria to determine what qualifies as regular network traffic for day-to-day operations.
  • Focus on enhancing incident response procedures and improving overall communication efforts.
  • Collaborate with experienced cybersecurity researchers and professionals to get more advanced security improvement ideas.

“AI-based email security measures Protect your business From Email Threats!” – .

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Mozilla Warns Of Firefox Zero-Day Actively Exploited In Cyber Attacks

A critical use-after-free vulnerability affecting Firefox and Firefox Extended Support Release (ESR) is being...

SpyCloud Embeds Identity Analytics in Cybercrime Investigations Solution to Accelerate Insider and Supply Chain Risk Analysis & Threat Actor Attribution

IDLink, SpyCloud’s new automated digital identity correlation capability, is now core to its industry-leading...

Abusix and Red Sift Form New Partnership, Leveraging Automation to Mitigate Cyber Attacks

The agreement has marked over 600,000 fraudulent domains for takedown in just two months...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Hackers Exploiting Zero-day Flaw in Qualcomm Chips to Attack Android Users

Hackers exploit a zero-day vulnerability found in Qualcomm chipsets, potentially affecting millions worldwide.The flaw,...

Foxit PDF Reader Vulnerability Let Attackers Execute Arbitary Code

Researchers recently disclosed six new security vulnerabilities across various software, as one critical vulnerability...