
Weaponized WinSCP and PuTTY Distribute Ransomware


In early March 2024, attackers initiated a malicious campaign by distributing trojanized installers for WinSCP and PuTTY. Users searching for these tools were directed to download links that served a renamed pythonw.exe, which in turn loaded a malicious DLL onto their systems.

The malicious DLL employed a reflective DLL injection technique to inject a Sliver beacon. This allowed the attackers to establish persistence on the compromised systems, download additional payloads, attempt data theft, and potentially deploy ransomware. The tactics, techniques, and procedures (TTPs) observed in this attack bore similarities to those previously associated with the BlackCat/ALPHV threat actors.

One of the main tactics employed by the attackers was the redirection of users searching for PuTTY to a typo-squatted domain, putty.org, where they were prompted to download a malware-laced ZIP archive masquerading as a legitimate PuTTY installer. The compromised WordPress domain, areauni.com, hosted this malicious download link.

To mask their activities and divert suspicion, the attackers also set up a seemingly genuine PuTTY help article page on putty.org. Moreover, they distributed a malicious archive under the name “putty-0.80-installer.zip,” containing a camouflaged copy of pythonw.exe (renamed as setup.exe).

Upon execution of setup.exe, a malicious DLL named python311.dll was side-loaded, which in turn loaded the legitimate python3.dll to proxy the benign functionality. By employing techniques from the AntiHook and KrakenMask libraries, the malware evaded detection: it bypassed the hooks placed by security software and encrypted its own memory to prevent discovery.
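One way a defender could hunt for the execution chain described above (a renamed pythonw.exe starting from a Downloads folder and side-loading an unsigned python311.dll) is to match process-creation and image-load telemetry against that pattern. This is an added example, not code from the article or the researchers who analysed the campaign; the event shape, field names and sample records are constructed Sysmon-style data, not real logs.

```python
# Added example (not from the article): flag the renamed-pythonw.exe /
# python311.dll side-load pattern in Sysmon-style telemetry.
# Event records, field names and the "signed" flag are constructed assumptions.
from pathlib import PureWindowsPath

# Directory markers a normal Python install would not live under.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\downloads\\", "\\appdata\\")

# Constructed sample events: one malicious process-create, one malicious
# image-load, and one benign image-load from a real Python install.
EVENTS = [
    {"type": "ProcessCreate", "pid": 4120,
     "image": r"C:\Users\alice\Downloads\putty-0.80-installer\setup.exe",
     "original_file_name": "pythonw.exe"},
    {"type": "ImageLoad", "pid": 4120,
     "image": r"C:\Users\alice\Downloads\putty-0.80-installer\setup.exe",
     "loaded": r"C:\Users\alice\Downloads\putty-0.80-installer\python311.dll",
     "signed": False},
    {"type": "ImageLoad", "pid": 7331,
     "image": r"C:\Program Files\Python311\pythonw.exe",
     "loaded": r"C:\Program Files\Python311\python311.dll",
     "signed": True},
]


def _in_user_writable(path: str) -> bool:
    """True if the path sits under a user-writable location."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def find_suspicious(events):
    """Return (pid, reason) pairs for events matching the campaign pattern:
    a binary whose PE metadata says pythonw.exe but whose on-disk name differs,
    or an unsigned python*.dll loaded from a user-writable directory."""
    hits = []
    for ev in events:
        img_name = PureWindowsPath(ev["image"]).name.lower()
        if ev["type"] == "ProcessCreate":
            orig = ev.get("original_file_name", "").lower()
            if orig == "pythonw.exe" and img_name != orig:
                hits.append((ev["pid"], f"pythonw.exe running as {img_name}"))
        elif ev["type"] == "ImageLoad":
            dll = PureWindowsPath(ev["loaded"]).name.lower()
            if (dll.startswith("python") and dll.endswith(".dll")
                    and not ev.get("signed", False)
                    and _in_user_writable(ev["loaded"])):
                hits.append((ev["pid"], f"unsigned {dll} loaded from {ev['loaded']}"))
    return hits


if __name__ == "__main__":
    for pid, reason in find_suspicious(EVENTS):
        print(pid, reason)
```

Both hits come from PID 4120; the legitimate python311.dll load by PID 7331 is not flagged because it is signed and sits under Program Files.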

The attackers leveraged Windows Native API (NTAPI) functions from ntdll.dll to circumvent detection that relies on monitoring typical user-mode functions. They dynamically resolved functions such as EtwEventWrite and EtwEventRegister from ntdll.dll, indicating likely attempts to evade anti-malware mechanisms, such as tampering with code-trust checks or bypassing AMSI scanning.

The malware decrypted an AES-256-encrypted resource embedded in python311.dll, yielding a ZIP archive that contained a genuine PuTTY installer alongside another archive. It then disguised itself as the PuTTY installer: it copied a legitimate MSI file to the public Downloads folder, ran a believable installation process, and extracted its malicious files from the hidden ZIP archive to conceal their presence.

To finalize their attack, a Python script (systemd.py) was executed to decrypt and inject a malicious DLL, likely a Sliver beacon similar to publicly available code, enabling communication with a command and control server for further malicious operations.

This sophisticated attack highlights the evolving strategies employed by threat actors to disguise their malicious activities and evade detection. Organizations and users are urged to exercise caution when downloading software from unfamiliar sources and to ensure the integrity of their systems by implementing robust security measures.
