IT Teams Beware! Weaponized WinSCP & PuTTY Delivers Ransomware

Attackers launched a campaign distributing trojanized installers for WinSCP and PuTTY in early March 2024, as clicking malicious ads after searching for the software leads to downloads containing a renamed pythonw.exe that loads a malicious DLL. 

The DLL side-loads a legitimate DLL and injects a Sliver beacon using a reflective DLL injection technique, where the attackers then establish persistence, download additional payloads, attempt to steal data, and deploy ransomware, which shows TTPs similar to those used by BlackCat/ALPHV in the past

Appearance of the cloned WinSCP website.

The ad for PuTTY download redirected users to a typo-squatted domain (putty.org) hosting a malicious download link.

Clicking the link triggered a chain of redirects, ultimately downloading a malware-laced ZIP archive disguised as a PuTTY installer (putty-0.80-installer.zip) from a compromised WordPress domain (areauni.com).

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

The attackers also hosted a seemingly legitimate PuTTY help article page on the same domain (putty.org), likely to deflect suspicion.  

Landing page for the malicious ad.

The attacker distributes a malicious archive named “putty-0.80-installer.zip” containing a renamed copy of pythonw.exe (setup.exe).

Once executed, setup.exe side-loads a malicious DLL (python311.dll) that further loads a legitimate DLL (python3.dll) to act as a proxy for its malicious functionality. 

It hides the malware’s activity, improves its stability, and then utilizes techniques from the AntiHook and KrakenMask libraries for further evasion, where AntiHook allows the malware to identify and bypass hooks placed by security software, while KrakenMask spoofs return addresses and encrypts memory to avoid detection.  

The extracted contents of putty-0.80-installer.zip.

Malware utilizes the Windows Native API (NTAPI) functions from ntdll.dll to bypass detection of common user mode functions and dynamically resolves functions like EtwEventWrite and EtwEventRegister from ntdll.dll, potentially for anti-malware evasion. 

According to Rapid 7, strings for functions like WldpQueryDynamicCodeTrust and AmsiScanBuffer are found, indicating the malware might be trying to tamper with code trust or bypass AMSI scanning. 

The encrypted resource is loaded into memory and decrypted using AES-256.

It extracts an encrypted resource from python311.dll and decrypts it using an AES-256 key stored in plain text, where the decrypted resource is a zip archive containing a legitimate PuTTY installer and another archive. 

Decrypted and decompressed contents of the resource.

The malware impersonates a PuTTY installer by first copying a genuine MSI file to a public downloads folder, creating a believable installation process, and then extracting malicious files from a hidden ZIP archive and staging them in a concealed location. 

Finally, it executes a Python script (systemd.py) that decrypts and injects a malicious DLL, likely a Sliver beacon, leveraging techniques from publicly available code, presumably establishing a connection to a command and control server, enabling further malicious activity.

On-Demand Webinar to Secure the Top 3 SME Attack Vectors: Watch for Free

Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting victims…

11 hours ago

Python NodeStealer: Targeting Facebook Business Accounts to Harvest Login Credentials

The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ advanced…

11 hours ago

XSS Vulnerability in Bing.com Let Attackers Send Crafted Malicious Requests

A significant XSS vulnerability was recently uncovered in Microsoft’s Bing.com, potentially allowing attackers to execute…

14 hours ago

Meta Removed 2 Million Account Linked to Malicious Activities

 Meta has announced the removal of over 2 million accounts connected to malicious activities, including…

17 hours ago

Veritas Enterprise Vault Vulnerabilities Lets Attackers Execute Arbitrary Code Remotely

Critical security vulnerability has been identified in Veritas Enterprise Vault, a widely-used archiving and content…

18 hours ago

7-Zip RCE Vulnerability Let Attackers Execute Remote Code

A critical security vulnerability has been disclosed in the popular file archiving tool 7-Zip, allowing…

18 hours ago