A man crouching on the floor surrounded by a sea of advertisements.

BlackCat’s WinSCP Ads Use Bing And Google To Spread Cobalt Strike Ransomware

The BlackCat ransomware (ALPHV) developed a fraudulent malvertising campaign to promote Cobalt Strike. They tricked people into visiting fake WinSCP websites by carefully positioning advertisements. Unfortunately, some users accidentally downloaded a malicious malware payload rather than the official programme.
In a report released by Trend micro, researchers said:

Malicious actors used malvertising to distribute a piece of malware via cloned webpages of legitimate organizations. In this case, the distribution involved a webpage of the well-known application WinSCP, an open-source Windows application for file transfer.

The term “malvertising” is used to define the use of deceptive SEO techniques to spread malware via online adverts. This tactic’s goal is to trick users into visiting suspicious websites.

WinSCP is a free and open-source SFTP, FTP, S3, and SCP client that is well-known for its secure file transfer capabilities through SSH. With over 400,000 downloads each week on SourceForge alone, the programme is very well-liked and includes a useful file management system.

The BlackCat group is cleverly using the software as bait with the goal of infecting the systems of IT specialists, system administrators, and web admins.

WinSCP to CobaltStrike Transition in the BlackCat’s Campaign

Trend Micro believes that the BlackCat attack begins when an unwary victim searches for “WinSCP Download” on Bing or Google. Worryingly, the search results display plenty of promoted malware URLs that are cleverly listed higher than the official WinSCP download sites.

Deceptive advertisements lure victims to visit tutorial websites for WinSCP automatic transfers that appear to be completely safe. These websites deceptively link viewers to a fake WinSCP website with similar domain names like winsccp[.]com, luring consumers in with a download button. These sites are probably created to avoid Google’s anti-abuse crawlers.

Malicious site for downloading modified WinSCP
Malicious site for downloading modified WinSCP (Trend Micro)

Twitter user “rerednawyerg” was the one who initially discovered this similar virus sequence disguising itself as the AnyDesk programme. When the user mounts the ISO, a series of events takes place, disclosing the setup.exe and msi.dll files that comprise the file system.

ISO Mounting Files
ISO Mounting Files (Trend Micro)

The setup.exe executes msi.dll, which then extracts a Python folder from the DLL RCDATA area, acting as the official WinSCP installer on the system, upon execution. In its last steps, the DLL creates a run key named “Python” with a value pointing to C:UsersPublicMusicpythonpythonw.exe in order to create an archive system.

Registry-based Python Run Key Persistence by blackcat
Registry-based Python Run Key Persistence (Trend Micro)

The pythonw.exe programme continues by loading a modified, hidden copy of python310.dll. This specific DLL carries a Cobalt Strike alert that connects to the command-and-control server address.

A Comprehensive Attacker’s Toolkit

The system breach gets worse when Cobalt Strike runs on it because it makes it easier to start additional scripts, secure tools for lateral movement, and generally do more damage. The “Terminator,” a SpyBoy tool that disables EDR and antivirus capabilities, was used in this case by ALPHV. Threat actors are marketing the sale of “Terminator” on the Dark Web for up to $3,000 in price.

  • PowerView: A PowerSploit script that performs reconnaissance and enumeration within Active Directory.
  • AdFind: A command-line utility for extracting information from Active Directory (AD).
  • PowerShell commands: Used for operations such as gathering user data, extracting ZIP files, and running programmes.
  • AccessChk64: A command-line programme for determining user and group permissions.
  • Findstr: This command-line tool is frequently used to find passwords in XML files.
  • Python scripts: used to launch the LaZagne password recovery tool to protect Veeam credentials.
  • PsExec, BitsAdmin, and Curl: Used to allow for lateral mobility within a system.
  • AnyDesk: This genuine remote management tool has been compromised with in order to maintain persistence.
  • KillAV BAT script: This bypasses antivirus and antimalware software for uninterrupted operations.
  • PuTTY: This client is used for the exfiltration of information.

Trend Micro has discovered links between the above TTPs (tactics, methods, and procedures) and proven ALPHV ransomware attacks. During the analysis, they found a Clop ransomware file stored inside one of the C2 domains they had previously examined. The threat actor may be involved in several separate ransomware activities, according to this analysis.

Phishing Tackle offers a free 14-day trial to help train your users to avoid these types of attacks and test their knowledge with simulated attacks using various attack vectors. By focusing on training your users to spot these types of attacks, rather than relying solely on technology (none of which can spot 100% of phishing emails), you can ensure that your organisation is better prepared to defend against cyber threats and minimise the impact of any successful attacks. 

Recent posts