CyberSecurity SEE

Hackers Utilize Common Tools to Distribute Blackcat Ransomware


The cybersecurity researchers at Trend Micro have recently revealed that the Blackcat Ransomware, also known as ALPHV, is using malvertising techniques to distribute fake WinSCP installers through the Targeted Attack Detection (TAD) service. In these malicious advertising campaigns, the threat actors are tricking their victims by creating cloned web pages of legitimate organizations.

This is a significant concern because threat actors are taking advantage of Google Ads, a platform designed to target audiences with personalized ads and drive traffic for businesses. However, instead of promoting legitimate products or services, these malicious actors are using the platform to launch malvertising campaigns that exploit keyword hijacking. By doing so, they are able to ensnare unsuspecting users who are searching for specific keywords with malicious ads that distribute malware stealthily.

The infection chain of the Blackcat Ransomware begins when a user searches for “WinSCP Download” on Bing. At the top of the search results, they encounter a deceptive ad promoting the application. When the user clicks on the ad, they are redirected to a suspicious website that features a tutorial on automated file transfers using WinSCP.

Once the user lands on the initial page, they are sent to a cloned WinSCP download site. Clicking on the “Download” button initiates an ISO file download from an infected WordPress page. Initially, the final payload URL was located on the file-sharing service 4shared, but it was later switched by the malicious actor.

When the victim opens the downloaded ISO file, they find two files: “setup.exe” and “msi.dll.” The former is the file the user is expected to run, while the latter is the malware dropper it triggers. Running “setup.exe” invokes “msi.dll,” which extracts a Python folder from the DLL’s RCDATA resource section and also launches the genuine WinSCP installer so that the installation appears legitimate.

The process also installs a trojanized python310.dll file and establishes persistence through a run key named “Python,” whose value points to the location of the pythonw.exe file. The modified and obfuscated python310.dll loads successfully and contains a Cobalt Strike beacon, which establishes a connection to a Command and Control (C2) server. With Cobalt Strike operational, the threat actors are able to execute scripts, retrieve tools for lateral movement, and deepen the compromise.
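The two host artifacts described above (a Run key named “Python” whose data launches pythonw.exe, and a python310.dll loaded from an unexpected, unsigned location) are concrete things a defender can hunt for. The following is an added example, not code from Trend Micro or the article: a small Python detector run over constructed Sysmon-style records (Event ID 13 = registry value set, Event ID 7 = image loaded; the paths and SIDs are made up).

```python
import re

# Constructed Sysmon-style records (not real telemetry). Field names follow
# Sysmon's schema; the paths, user and SID are invented for this example.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\u\AppData\Local\Temp\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Python",
     "Details": r"C:\Users\u\AppData\Roaming\Python\pythonw.exe"},
    {"EventID": 7, "Image": r"C:\Users\u\AppData\Roaming\Python\pythonw.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Roaming\Python\python310.dll",
     "Signed": "false", "Signature": ""},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"EventID": 7, "Image": r"C:\Program Files\Python310\python.exe",
     "ImageLoaded": r"C:\Program Files\Python310\python310.dll",
     "Signed": "true", "Signature": "Python Software Foundation"},
]

# Matches a value under HKCU/HKLM ...\CurrentVersion\Run or RunOnce; group 2 = value name.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\([^\\]+)$", re.I)

def check_run_key(ev):
    """Flag a Run/RunOnce value named 'Python' or whose data launches pythonw.exe."""
    m = RUN_KEY.search(ev.get("TargetObject", ""))
    if not m:
        return None
    name, data = m.group(2), ev.get("Details", "")
    if name.lower() == "python" or "pythonw.exe" in data.lower():
        return f"run-key persistence: {name} -> {data} (set by {ev['Image']})"
    return None

def check_dll_load(ev):
    """Flag python310.dll loaded unsigned or from outside Program Files / Windows."""
    dll = ev.get("ImageLoaded", "")
    if not dll.lower().endswith("\\python310.dll"):
        return None
    unsigned = ev.get("Signed", "").lower() != "true"
    odd_path = not dll.lower().startswith(("c:\\program files", "c:\\windows"))
    if unsigned or odd_path:
        return f"suspicious python310.dll: {dll} signed={ev.get('Signed')} in {ev['Image']}"
    return None

def scan(events):
    """Return one finding string per suspicious event, in input order."""
    checks = {13: check_run_key, 7: check_dll_load}
    return [msg for ev in events if (check := checks.get(ev["EventID"])) and (msg := check(ev))]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Real deployments would feed the same checks from the Sysmon operational log or an EDR export rather than the embedded sample list.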

The Blackcat Ransomware actors employ a range of tools to achieve their malicious goals. These include Curl, PsExec, PowerShell commands, PowerView, BitsAdmin, AdFind, AccessChk64, Findstr, PuTTY Secure Copy, AnyDesk, Python scripts, and the KillAV BAT tool. Additionally, they also use a tool called SpyBoy “Terminator” to disable Endpoint Detection and Response (EDR) and antivirus solutions.

To protect against such threats, the researchers at Trend Micro offer several recommendations. These include educating employees about phishing attacks, maintaining detailed activity logs, establishing a baseline of what normal network traffic looks like, enhancing incident response procedures, improving communication efforts, and collaborating with experienced cybersecurity professionals.

In conclusion, the Blackcat Ransomware actors are using malvertising techniques to distribute fake WinSCP installers. By leveraging the Targeted Attack Detection (TAD) service and cloned web pages of legitimate organizations, they are able to trick users into downloading and executing malware. It is crucial for organizations and individuals to remain vigilant, educate themselves about such threats, and implement robust cybersecurity measures to protect against these attacks.
