BlackCat Operators Distributing Ransomware Disguised as WinSCP via Malvertising
Threat actors associated with the BlackCat ransomware have been observed employing malvertising tricks to distribute rogue installers of the WinSCP file transfer application.
"Malicious actors used malvertising to distribute a piece of malware via cloned webpages of legitimate organizations," Trend Micro researchers said in an analysis published last week. "In this case, the distribution involved a webpage of the well-known application WinSCP, an open-source Windows application for file transfer."
Malvertising refers to the use of SEO poisoning techniques to spread malware via online advertising. It typically involves hijacking a chosen set of keywords (e.g., "WinSCP Download") to display bogus ads on Bing and Google search results pages with the goal of redirecting unsuspecting users to sketchy pages.
The idea is to trick users searching for applications like WinSCP into downloading malware, in this instance, a backdoor that contains a Cobalt Strike Beacon that connects to a remote server for follow-on operations, while also employing legitimate tools like AdFind to facilitate network discovery.
The access afforded by Cobalt Strike is further abused to download a number of programs to conduct reconnaissance, enumeration (PowerView), lateral movement (PsExec), bypass antivirus software (KillAV BAT), and exfiltrate customer data (PuTTY Secure Copy client). Also observed is the use of the Terminator defense evasion tool to tamper with security software by means of a Bring Your Own Vulnerable Driver (BYOVD) attack.
In the attack chain detailed by the cybersecurity company, the threat actors managed to steal top-level administrator privileges to conduct post-exploitation activities as well as attempted to access backup servers and set up persistence using remote monitoring and management tools like AnyDesk.
"It is highly likely that the enterprise would have been substantially affected by the attack if intervention had been sought later, especially since the threat actors had already succeeded in gaining initial access to domain administrator privileges and started establishing backdoors and persistence," Trend Micro said.
The development is just the latest example of threat actors leveraging the Google Ads platform to serve malware. In November 2022, Microsoft disclosed an attack campaign that leverages the advertising service to deploy BATLOADER, which is then used to drop Royal ransomware.
It also comes as Czech cybersecurity company Avast released a free decryptor for the fledgling Akira ransomware to help victims recover their data without having to pay the operators. Akira, which first appeared in March 2023, has since expanded its target footprint to include Linux systems.
"Akira has a few similarities to the Conti v2 ransomware, which may indicate that the malware authors were at least inspired by the leaked Conti sources," Avast researchers said. The company did not disclose how it cracked the ransomware's encryption algorithm.
The Conti/TrickBot syndicate, aka Gold Ulrick or ITG23, shut down in May 2022 after suffering a series of disruptive events triggered by the onset of the Russian invasion of Ukraine. But the e-crime group continues to exist to this date, albeit as smaller entities and using shared crypters and infrastructure to distribute their warez.
IBM Security X-Force, in a recent deep dive, said the gang's crypters, which are applications designed to encrypt and obfuscate malware to evade detection by antivirus scanners and hinder analysis, are being used to also disseminate new malware strains such as Aresloader, Canyon, CargoBay, DICELOADER, Lumma C2, Matanbuchus, Minodo (formerly Domino), Pikabot, SVCReady, and Vidar.
"Previously, the crypters were used predominantly with the core malware families associated with ITG23 and their close partners," security researchers Charlotte Hammond and Ole Villadsen said. "However, the fracturing of ITG23 and emergence of new factions, relationships, and methods, have affected how the crypters are used."
Despite the dynamic nature of the cybercrime ecosystem, as nefarious cyber actors come and go, and some operations partner together, shut down, or rebrand their financially motivated schemes, ransomware has lingered as a constant threat.
This includes the emergence of a new ransomware-as-a-service (RaaS) group called Rhysida, which has primarily singled out education, government, manufacturing, and technology sectors across Western Europe, North and South America, and Australia.
"Rhysida is a 64-bit Portable Executable (PE) Windows cryptographic ransomware application compiled using MINGW/GCC," SentinelOne said in a technical write-up. "In each sample analyzed, the application's program name is set to Rhysida-0.1, suggesting the tool is in early stages of development."