IT Teams Beware! Weaponized WinSCP & PuTTY Delivers Ransomware

Attackers launched a campaign distributing trojanized installers for WinSCP and PuTTY in early March 2024, as clicking malicious ads after searching for the software leads to downloads containing a renamed pythonw.exe that loads a malicious DLL. 

The DLL side-loads a legitimate DLL and injects a Sliver beacon using a reflective DLL injection technique, where the attackers then establish persistence, download additional payloads, attempt to steal data, and deploy ransomware, which shows TTPs similar to those used by BlackCat/ALPHV in the past

Appearance of the cloned WinSCP website.

The ad for PuTTY download redirected users to a typo-squatted domain (putty.org) hosting a malicious download link.

Clicking the link triggered a chain of redirects, ultimately downloading a malware-laced ZIP archive disguised as a PuTTY installer (putty-0.80-installer.zip) from a compromised WordPress domain (areauni.com).

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

The attackers also hosted a seemingly legitimate PuTTY help article page on the same domain (putty.org), likely to deflect suspicion.  

Landing page for the malicious ad.

The attacker distributes a malicious archive named “putty-0.80-installer.zip” containing a renamed copy of pythonw.exe (setup.exe).

Once executed, setup.exe side-loads a malicious DLL (python311.dll) that further loads a legitimate DLL (python3.dll) to act as a proxy for its malicious functionality. 

It hides the malware’s activity, improves its stability, and then utilizes techniques from the AntiHook and KrakenMask libraries for further evasion, where AntiHook allows the malware to identify and bypass hooks placed by security software, while KrakenMask spoofs return addresses and encrypts memory to avoid detection.  

The extracted contents of putty-0.80-installer.zip.

Malware utilizes the Windows Native API (NTAPI) functions from ntdll.dll to bypass detection of common user mode functions and dynamically resolves functions like EtwEventWrite and EtwEventRegister from ntdll.dll, potentially for anti-malware evasion. 

According to Rapid 7, strings for functions like WldpQueryDynamicCodeTrust and AmsiScanBuffer are found, indicating the malware might be trying to tamper with code trust or bypass AMSI scanning. 

The encrypted resource is loaded into memory and decrypted using AES-256.

It extracts an encrypted resource from python311.dll and decrypts it using an AES-256 key stored in plain text, where the decrypted resource is a zip archive containing a legitimate PuTTY installer and another archive. 

Decrypted and decompressed contents of the resource.

The malware impersonates a PuTTY installer by first copying a genuine MSI file to a public downloads folder, creating a believable installation process, and then extracting malicious files from a hidden ZIP archive and staging them in a concealed location. 

Finally, it executes a Python script (systemd.py) that decrypts and injects a malicious DLL, likely a Sliver beacon, leveraging techniques from publicly available code, presumably establishing a connection to a command and control server, enabling further malicious activity.

On-Demand Webinar to Secure the Top 3 SME Attack Vectors: Watch for Free

Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Google Announces Vanir, A Open-Source Security Patch Validation Tool

Google has officially launched Vanir, an open-source security patch validation tool designed to streamline and automate…

13 hours ago

New Transaction-Relay Jamming Vulnerability Let Attackers Exploits Bitcoin Nodes

A newly disclosed transaction-relay jamming vulnerability has raised concerns about the security of Bitcoin nodes,…

14 hours ago

Raspberry Pi 500 & Monitor, Complete Desktop Setup at $190

Raspberry Pi, a pioneer in affordable and programmable computing, has once again elevated its game…

15 hours ago

Qlik Sense for Windows Vulnerability Allows Remote Code Execution

Qlik has identified critical vulnerabilities in its Qlik Sense Enterprise for Windows software that could…

17 hours ago

QNAP High Severity Vulnerabilities Let Remote attackers to Compromise System

QNAP Systems, Inc. has identified multiple high-severity vulnerabilities in its operating systems, potentially allowing attackers…

18 hours ago

Healthcare Security Strategies for 2025

Imagine this: It's a typical Tuesday morning in a bustling hospital. Doctors make their rounds,…

19 hours ago