IT Teams Beware! Weaponized WinSCP & PuTTY Delivers Ransomware

Attackers launched a campaign distributing trojanized installers for WinSCP and PuTTY in early March 2024, as clicking malicious ads after searching for the software leads to downloads containing a renamed pythonw.exe that loads a malicious DLL. 

The DLL side-loads a legitimate DLL and injects a Sliver beacon using a reflective DLL injection technique, where the attackers then establish persistence, download additional payloads, attempt to steal data, and deploy ransomware, which shows TTPs similar to those used by BlackCat/ALPHV in the past

The ad for PuTTY download redirected users to a typo-squatted domain (putty.org) hosting a malicious download link.

Clicking the link triggered a chain of redirects, ultimately downloading a malware-laced ZIP archive disguised as a PuTTY installer (putty-0.80-installer.zip) from a compromised WordPress domain (areauni.com).

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

The attackers also hosted a seemingly legitimate PuTTY help article page on the same domain (putty.org), likely to deflect suspicion.  

The attacker distributes a malicious archive named “putty-0.80-installer.zip” containing a renamed copy of pythonw.exe (setup.exe).

Once executed, setup.exe side-loads a malicious DLL (python311.dll) that further loads a legitimate DLL (python3.dll) to act as a proxy for its malicious functionality. 

It hides the malware’s activity, improves its stability, and then utilizes techniques from the AntiHook and KrakenMask libraries for further evasion, where AntiHook allows the malware to identify and bypass hooks placed by security software, while KrakenMask spoofs return addresses and encrypts memory to avoid detection.  

Malware utilizes the Windows Native API (NTAPI) functions from ntdll.dll to bypass detection of common user mode functions and dynamically resolves functions like EtwEventWrite and EtwEventRegister from ntdll.dll, potentially for anti-malware evasion. 

According to Rapid 7, strings for functions like WldpQueryDynamicCodeTrust and AmsiScanBuffer are found, indicating the malware might be trying to tamper with code trust or bypass AMSI scanning. 

It extracts an encrypted resource from python311.dll and decrypts it using an AES-256 key stored in plain text, where the decrypted resource is a zip archive containing a legitimate PuTTY installer and another archive. 

The malware impersonates a PuTTY installer by first copying a genuine MSI file to a public downloads folder, creating a believable installation process, and then extracting malicious files from a hidden ZIP archive and staging them in a concealed location. 

Finally, it executes a Python script (systemd.py) that decrypts and injects a malicious DLL, likely a Sliver beacon, leveraging techniques from publicly available code, presumably establishing a connection to a command and control server, enabling further malicious activity.

On-Demand Webinar to Secure the Top 3 SME Attack Vectors: Watch for Free