Tuesday, October 15, 2024
Homecyber securityIT Teams Beware! Weaponized WinSCP & PuTTY Delivers Ransomware

IT Teams Beware! Weaponized WinSCP & PuTTY Delivers Ransomware

Published on

Malware protection

Attackers launched a campaign distributing trojanized installers for WinSCP and PuTTY in early March 2024, as clicking malicious ads after searching for the software leads to downloads containing a renamed pythonw.exe that loads a malicious DLL. 

The DLL side-loads a legitimate DLL and injects a Sliver beacon using a reflective DLL injection technique, where the attackers then establish persistence, download additional payloads, attempt to steal data, and deploy ransomware, which shows TTPs similar to those used by BlackCat/ALPHV in the past

Appearance of the cloned WinSCP website.

The ad for PuTTY download redirected users to a typo-squatted domain (putty.org) hosting a malicious download link.

- Advertisement - SIEM as a Service

Clicking the link triggered a chain of redirects, ultimately downloading a malware-laced ZIP archive disguised as a PuTTY installer (putty-0.80-installer.zip) from a compromised WordPress domain (areauni.com).

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

The attackers also hosted a seemingly legitimate PuTTY help article page on the same domain (putty.org), likely to deflect suspicion.  

Landing page for the malicious ad.

The attacker distributes a malicious archive named “putty-0.80-installer.zip” containing a renamed copy of pythonw.exe (setup.exe).

Once executed, setup.exe side-loads a malicious DLL (python311.dll) that further loads a legitimate DLL (python3.dll) to act as a proxy for its malicious functionality. 

It hides the malware’s activity, improves its stability, and then utilizes techniques from the AntiHook and KrakenMask libraries for further evasion, where AntiHook allows the malware to identify and bypass hooks placed by security software, while KrakenMask spoofs return addresses and encrypts memory to avoid detection.  

The extracted contents of putty-0.80-installer.zip.

Malware utilizes the Windows Native API (NTAPI) functions from ntdll.dll to bypass detection of common user mode functions and dynamically resolves functions like EtwEventWrite and EtwEventRegister from ntdll.dll, potentially for anti-malware evasion. 

According to Rapid 7, strings for functions like WldpQueryDynamicCodeTrust and AmsiScanBuffer are found, indicating the malware might be trying to tamper with code trust or bypass AMSI scanning. 

The encrypted resource is loaded into memory and decrypted using AES-256.

It extracts an encrypted resource from python311.dll and decrypts it using an AES-256 key stored in plain text, where the decrypted resource is a zip archive containing a legitimate PuTTY installer and another archive. 

Decrypted and decompressed contents of the resource.

The malware impersonates a PuTTY installer by first copying a genuine MSI file to a public downloads folder, creating a believable installation process, and then extracting malicious files from a hidden ZIP archive and staging them in a concealed location. 

Finally, it executes a Python script (systemd.py) that decrypts and injects a malicious DLL, likely a Sliver beacon, leveraging techniques from publicly available code, presumably establishing a connection to a command and control server, enabling further malicious activity.

On-Demand Webinar to Secure the Top 3 SME Attack Vectors: Watch for Free

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

OilRig Hackers Exploiting Microsoft Exchange Server To Steal Login Details

Earth Simnavaz, an Iranian state-sponsored cyber espionage group, has recently intensified its attacks on...

CoreWarrior Malware Attacking Windows Machines From Dozens Of IP Address

Researchers recently analyzed a CoreWarrior malware sample, which spreads aggressively by creating numerous copies...

TrickMo Malware Targets Android Devices to Steal Unlock Patterns and PINs

The recent discovery of the TrickMo Banking Trojan variant by Cleafy has prompted further...

pac4j Java Framework Vulnerable to RCE Attacks

A critical security vulnerability has been discovered in the popular Java framework pac4j. The...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

CoreWarrior Malware Attacking Windows Machines From Dozens Of IP Address

Researchers recently analyzed a CoreWarrior malware sample, which spreads aggressively by creating numerous copies...

TrickMo Malware Targets Android Devices to Steal Unlock Patterns and PINs

The recent discovery of the TrickMo Banking Trojan variant by Cleafy has prompted further...

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...