Friday, December 8, 2023

Hackers use Cloned pages of Popular Tools to Deliver Blackcat Ransomware

The cybersecurity researchers at Trend Micro recently identified that the Blackcat Ransomware (aka ALPHV) actors are using malvertising tricks to spread fake WinSCP installers via Targeted Attack Detection (TAD) service.

In these advertising campaigns, the threat actors lured their victims by using the cloned web pages of legitimate organizations.

Google Ads boosts sales by targeting audiences with tailored ads, driving traffic for businesses. 

While in this case, threat actors make use of these platforms to launch malvertising campaigns that exploit keyword hijacking to trap search engine users with malicious ads and distribute malware stealthily.

Blackcat Ransomware Infection Chain

Delaying intervention would have severely impacted the enterprise, considering the threat actors’ acquisition of domain admin privileges and establishment of backdoors, leading to significant consequences.

Infection Chain
Infection chain (Source – Trend Micro)

Upon searching “WinSCP Download” on Bing, the user encounters a deceptive ad promoting the application positioned above the organic search results. Clicking the ad redirects to a suspicious website featuring a tutorial on automated file transfers via WinSCP.

Suspicious site (Source – Trend Micro)

After landing on the initial page, the user is sent to a cloned WinSCP download site:- 

  • winsccp[.]com

Clicking “Download” initiates an ISO file download from an infected WordPress page:-

  • hxxps://events[.]drdivyaclinic[.]com

While the final payload URL was later switched to the file-sharing service 4 shared by the malicious actor.

Malicious Download Site

Once the victim clicks, they get an ISO file with “setup.exe” and “msi.dll” – the former tempts the user to open it, while the latter acts as the triggered malware dropper.

Malicious Download Site
Download site (Source – Trend Micro)

Upon executing setup.exe, it triggers msi.dll, extracting a Python folder from the DLL RCDATA section, and also functioning as the genuine WinSCP installer for installation.

The process includes installing a trojanized python310.dll and establishing persistence through a run key named “Python” with the following value:-

  • C:\Users\Public\Music\python\pythonw.exe
The run key (Source – Trend Micro)

A modified obfuscated python310.dll file is loaded on successful execution of pythonw.exe. The python310.dll file includes a Cobalt Strike beacon, which establishes a connection to a C2 server.

With Cobalt Strike operational, executing scripts, retrieving tools for lateral movement, and intensifying the compromise becomes effortless.

Tools used

Here below we have mentioned all the tools that are used by the Blackcat Ransomware (aka ALPHV):-

  • Curl
  • PsExec
  • PowerShell commands
  • PowerView
  • BitsAdmin
  • AdFind
  • AccessChk64
  • Findstr
  • PuTTY Secure Copy
  • AnyDesk
  • Python scripts
  • KillAV BAT

Apart from this, ALPHV also employed SpyBoy “Terminator,” it’s a tool that disables EDR and antivirus solutions.


Here below we have mentioned all the recommendations offered by the researchers:-

  • Take necessary steps to educate employees on recognizing and avoiding phishing attacks.
  • Keep a close watch on activities and maintain detailed logs.
  • Set specific criteria to determine what qualifies as regular network traffic for day-to-day operations.
  • Focus on enhancing incident response procedures and improving overall communication efforts.
  • Collaborate with experienced cybersecurity researchers and professionals to get more advanced security improvement ideas.

“AI-based email security measures Protect your business From Email Threats!” – Request a Free Demo.


Latest articles

Exploitation Methods Used by PlugX Malware Revealed by Splunk Research

PlugX malware is sophisticated in evasion, as it uses the following techniques to avoid...

TA422 Hackers Attack Organizations Using Outlook & WinRAR Vulnerabilities

Hackers exploit Outlook and WinRAR vulnerabilities because these widely used software programs are lucrative...

Bluetooth keystroke-injection Flaw: A Threat to Apple, Linux & Android Devices

An unauthenticated Bluetooth keystroke-injection vulnerability that affects Android, macOS, and iOS devices has been...

Atlassian Patches RCE Flaw that Affected Multiple Products

Atlassian has been discovered with four new vulnerabilities associated with Remote Code Execution in...

Reflectiz Introduces AI-powered Insights on Top of Its Smart Alerting System

Reflectiz, a cybersecurity company specializing in continuous web threat management, proudly introduces a new...

SLAM Attack Gets Root Password Hash in 30 Seconds

Spectre is a class of speculative execution vulnerabilities in microprocessors that can allow threat...

Akira Ransomware Exploiting Zero-day Flaws For Organization Network Access

The Akira ransomware group, which first appeared in March 2023, has been identified as...
Tushar Subhra Dutta
Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Endpoint Strategies for 2024 and beyond

Converge and Defend

What's the pulse of Unified Endpoint Management and Security (UEMS) in Europe? Join us live to uncover the strategies that are defining endpoint security in the region.

Related Articles