Saturday, February 15, 2025
HomeCyber Security NewsHackers use Cloned pages of Popular Tools to Deliver Blackcat Ransomware

Hackers use Cloned pages of Popular Tools to Deliver Blackcat Ransomware

Published on

SIEM as a Service

Follow Us on Google News

The cybersecurity researchers at Trend Micro recently identified that the Blackcat Ransomware (aka ALPHV) actors are using malvertising tricks to spread fake WinSCP installers via Targeted Attack Detection (TAD) service.

In these advertising campaigns, the threat actors lured their victims by using the cloned web pages of legitimate organizations.

Google Ads boosts sales by targeting audiences with tailored ads, driving traffic for businesses. 

While in this case, threat actors make use of these platforms to launch malvertising campaigns that exploit keyword hijacking to trap search engine users with malicious ads and distribute malware stealthily.

Blackcat Ransomware Infection Chain

Delaying intervention would have severely impacted the enterprise, considering the threat actors’ acquisition of domain admin privileges and establishment of backdoors, leading to significant consequences.

Infection Chain
Infection chain (Source – Trend Micro)

Upon searching “WinSCP Download” on Bing, the user encounters a deceptive ad promoting the application positioned above the organic search results. Clicking the ad redirects to a suspicious website featuring a tutorial on automated file transfers via WinSCP.

Suspicious site (Source – Trend Micro)

After landing on the initial page, the user is sent to a cloned WinSCP download site:- 

  • winsccp[.]com

Clicking “Download” initiates an ISO file download from an infected WordPress page:-

  • hxxps://events[.]drdivyaclinic[.]com

While the final payload URL was later switched to the file-sharing service 4 shared by the malicious actor.

Malicious Download Site

Once the victim clicks, they get an ISO file with “setup.exe” and “msi.dll” – the former tempts the user to open it, while the latter acts as the triggered malware dropper.

Malicious Download Site
Download site (Source – Trend Micro)

Upon executing setup.exe, it triggers msi.dll, extracting a Python folder from the DLL RCDATA section, and also functioning as the genuine WinSCP installer for installation.

The process includes installing a trojanized python310.dll and establishing persistence through a run key named “Python” with the following value:-

  • C:\Users\Public\Music\python\pythonw.exe
The run key (Source – Trend Micro)

A modified obfuscated python310.dll file is loaded on successful execution of pythonw.exe. The python310.dll file includes a Cobalt Strike beacon, which establishes a connection to a C2 server.

With Cobalt Strike operational, executing scripts, retrieving tools for lateral movement, and intensifying the compromise becomes effortless.

Tools used

Here below we have mentioned all the tools that are used by the Blackcat Ransomware (aka ALPHV):-

  • Curl
  • PsExec
  • PowerShell commands
  • PowerView
  • BitsAdmin
  • AdFind
  • AccessChk64
  • Findstr
  • PuTTY Secure Copy
  • AnyDesk
  • Python scripts
  • KillAV BAT

Apart from this, ALPHV also employed SpyBoy “Terminator,” it’s a tool that disables EDR and antivirus solutions.

Recommendations

Here below we have mentioned all the recommendations offered by the researchers:-

  • Take necessary steps to educate employees on recognizing and avoiding phishing attacks.
  • Keep a close watch on activities and maintain detailed logs.
  • Set specific criteria to determine what qualifies as regular network traffic for day-to-day operations.
  • Focus on enhancing incident response procedures and improving overall communication efforts.
  • Collaborate with experienced cybersecurity researchers and professionals to get more advanced security improvement ideas.

“AI-based email security measures Protect your business From Email Threats!” – .

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Fake BSOD Attack Launched via Malicious Python Script

A peculiar malicious Python script has surfaced, employing an unusual and amusing anti-analysis trick...

SocGholish Malware Dropped from Hacked Web Pages using Weaponized ZIP Files

A recent wave of cyberattacks leveraging the SocGholish malware framework has been observed using...

Lazarus Group Targets Developers Worldwide with New Malware Tactic

North Korea's Lazarus Group, a state-sponsored cybercriminal organization, has launched a sophisticated global campaign...

North Korean IT Workers Penetrate Global Firms to Install System Backdoors

In a concerning escalation of cyber threats, North Korean IT operatives have infiltrated global...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Fake BSOD Attack Launched via Malicious Python Script

A peculiar malicious Python script has surfaced, employing an unusual and amusing anti-analysis trick...

SocGholish Malware Dropped from Hacked Web Pages using Weaponized ZIP Files

A recent wave of cyberattacks leveraging the SocGholish malware framework has been observed using...

Lazarus Group Targets Developers Worldwide with New Malware Tactic

North Korea's Lazarus Group, a state-sponsored cybercriminal organization, has launched a sophisticated global campaign...