Threat actors linked to the BlackCat ransomware have been seen using malvertising to spread malicious WinSCP installers. The attackers register fake domains that imitate legitimate businesses and push them through paid search advertising, a technique known as malvertising. Trend Micro reported on this in an analysis released last week. In this instance, the lure was a webpage for the popular open-source Windows file transfer programme WinSCP.
Malvertising is the practice of disseminating malware through internet advertising by using SEO (Search engine optimization) poisoning tactics. In order to drive unwary users to dubious domains, it often entails hijacking a selected set of keywords to show fake adverts on Bing and Google search results pages.
The goal is to trick people searching for programmes like WinSCP into downloading malware, in this case a backdoor that includes a Cobalt Strike Beacon communicating with a remote server for post-attack operations, and then to abuse genuine tools like AdFind to aid network discovery.
The victim searches for "WinSCP Download" on Google or Bing and is shown sponsored malicious results listed above the legitimate WinSCP download sites. This is the start of the BlackCat attack. The targeted individuals click on the advertisements, which take them to a website with tutorials on using WinSCP to perform automated file transfers.
These websites send users to a copy of the WinSCP official website with a download button, but they don't include any harmful content and are probably designed to avoid detection by Google's anti-abuse crawlers. These clones use domain names like “winsccp[.]com”, where at a first glance they look identical to the original winscp.net domain for the software.
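A defender-side check for the lookalike domain described above, written for this article as an added example (it is not code from the original piece or from Trend Micro). It compares the registrable label of a download domain against an allow-list of official brand domains using edit distance, so that "winsccp[.]com" is flagged while "winscp.net" passes. The allow-list and the sample domains are assumptions constructed for illustration; a real deployment would feed it the domains seen in proxy or DNS logs.

```python
"""Lookalike-domain check for the WinSCP clone described above.

Added example, not part of the original article or Trend Micro's report.
It flags domains whose registrable label is within a small edit distance
of a known-good brand label, which is how "winsccp[.]com" imitates
"winscp.net". The allow-list and sample domains are constructed.
"""

# brand label -> official domain (assumed allow-list, extend per organisation)
LEGITIMATE = {"winscp": "winscp.net"}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Lower-case, strip whitespace, undo defanging ("[.]") and trailing dots."""
    return domain.lower().strip().replace("[.]", ".").rstrip(".")


def registrable_label(domain: str) -> str:
    """Second-level label of a domain (the part an attacker typosquats)."""
    parts = normalise(domain).split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain: str, max_distance: int = 2) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a download domain."""
    clean = normalise(domain)
    label = registrable_label(clean)
    for brand, official in LEGITIMATE.items():
        # The official domain and its subdomains are fine.
        if clean == official or clean.endswith("." + official):
            return "legitimate"
        # Same brand label on a different TLD, or a label a few edits away,
        # is the typosquatting pattern used by the fake WinSCP site.
        if label == brand or levenshtein(label, brand) <= max_distance:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for d in ("winscp.net", "www.winscp.net", "winsccp[.]com", "winscp.com", "example.org"):
        print(f"{d:18} -> {classify(d)}")
```

The distance threshold is deliberately small: two edits catches doubled or swapped letters without flagging every short domain, and the allow-list check runs first so the genuine site is never reported.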
Figure 1: Fake WinSCP download website (Trend Micro)
When the target hits the "Download" button, an ISO file containing "msi.dll" and "setup.exe" is downloaded. The executable serves as bait for the user to run, while the DLL acts as the malware dropper.
The Trend Micro report states that once setup.exe has been run, it calls msi.dll, which extracts a Python folder from the DLL's RCDATA resource section along with a genuine WinSCP installer, so that the real program is installed on the computer. The same procedure also drops a malicious python310.dll and establishes persistence by setting the value "Python" in the Run registry key to "C:\Users\Public\Music\python\pythonw.exe". The pythonw.exe process then loads the modified, obfuscated python310.dll, which carries a Cobalt Strike beacon that connects to a C&C server address.
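The persistence step above leaves a concrete artefact a SOC can look for: a Run-key value whose data points at an executable under C:\Users\Public. The following detection logic is an added example written for this article (not code from the original piece or from Trend Micro); it scans Sysmon-style "registry value set" records (Event ID 13) and raises an alert when a Run or RunOnce value points into a user-writable, non-standard directory. The event records and the list of suspicious directories are constructed assumptions; in practice the function would be applied to events exported from a SIEM.

```python
"""Detection logic for the Run-key persistence described above.

Added example, not code from the article or from Trend Micro. It scans
Sysmon-style "registry value set" (Event ID 13) records for Run-key
entries whose data points into user-writable, non-standard locations
such as C:\\Users\\Public, where the reported campaign placed pythonw.exe.
The events below are constructed samples, not real telemetry.
"""
import re

# Matches the HKLM/HKU Run and RunOnce autostart keys (case-insensitive).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

# Directories an ordinary installer would not use for an autostart binary (assumed list).
SUSPICIOUS_DIRS = (
    r"c:\users\public",
    r"c:\programdata",
    r"\appdata\local\temp",
    r"c:\windows\temp",
)

# Constructed Sysmon-like Event ID 13 records (RegistryEvent: value set).
SAMPLE_EVENTS = [
    {   # the campaign's persistence entry, written by the dropper's setup.exe
        "EventID": 13,
        "Image": r"C:\Users\alice\Downloads\setup.exe",
        "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Python",
        "Details": r"C:\Users\Public\Music\python\pythonw.exe",
    },
    {   # a benign autostart entry from a normally installed program
        "EventID": 13,
        "Image": r"C:\Program Files\WinSCP\WinSCP.exe",
        "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\WinSCP",
        "Details": r"C:\Program Files\WinSCP\WinSCP.exe",
    },
    {   # unrelated registry noise that must not match
        "EventID": 13,
        "Image": r"C:\Windows\explorer.exe",
        "TargetObject": r"HKU\S-1-5-21-1\Software\Classes\Local Settings\MuiCache",
        "Details": "WinSCP",
    },
]


def run_key_alerts(events):
    """Return one alert per Run/RunOnce value whose data points into a suspicious directory."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 13 or not RUN_KEY_RE.search(ev.get("TargetObject", "")):
            continue
        data = ev.get("Details", "").lower().strip('"')
        hit = next((d for d in SUSPICIOUS_DIRS if d in data), None)
        if hit:
            alerts.append({
                "value_name": ev["TargetObject"].rsplit("\\", 1)[-1],
                "command": ev["Details"],
                "writer": ev.get("Image", ""),
                "reason": f"Run-key autostart under {hit}",
            })
    return alerts


if __name__ == "__main__":
    for alert in run_key_alerts(SAMPLE_EVENTS):
        print(alert)
```

Keying the alert on the directory rather than on the value name "Python" keeps the rule useful after the attackers rename the entry; the writing process ("Image") is included in the alert so the analyst can pivot straight to the installer that created it.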
The access provided by Cobalt Strike is also misused to download a number of programmes for reconnaissance, enumeration, lateral movement, bypassing antivirus protection, and exfiltrating consumer data, including PowerView, PsExec, and KillAV BAT. Another thing that has been noticed is the usage of the Terminator defensive evasion tool in BYOVD (Bring Your Own Vulnerable Driver) attacks to interfere with security software.
In the attack chain described by the cybersecurity firm, the adversaries also sought to establish persistence through remote monitoring and management (RMM) tools such as AnyDesk, and accessed backup servers. They also succeeded in gaining upper-level admin rights to conduct post-exploitation operations.
Figure 2: Full attack chain (Trend Micro)
Why does this matter?
Had intervention come any later, the enterprise would very likely have been significantly impacted by the attack, especially since the threat actors had already gained domain admin privileges and had begun setting up backdoors and persistence. Human error is a big factor in many cyber-attacks, and if employees are not educated properly, any company can fall victim to a breach.
How to protect yourself
People need to be careful when downloading software, as in some cases it may look legitimate on the surface, but underneath it’s a malicious program disguised as legitimate software.
• Inform staff members about phishing. Hold training seminars to teach staff about phishing scams and how to spot and prevent them. Stress the necessity of avoiding shady websites and of not downloading software from untrusted sources.
• Observe and record activity. Implement a centralised logging system, then gather and evaluate logs from the various network devices and systems. Check system logs, user activity, and network traffic for any odd or suspicious activity.
• Work with cybersecurity experts. Consider working with a respected cybersecurity company to help with IR (incident response), forensic investigation, and security enhancements if your organisation lacks the knowledge or resources to handle the fallout from a breach efficiently.
• Increase communication and incident response. Create an incident response strategy to direct your business's approach to such attacks in the future. Develop effective lines of communication to tell all relevant parties, such as staff members, clients, and regulatory agencies, about a breach and the actions being taken to remedy it.
• Establish a baseline for normal network traffic. Knowing what typical network activity looks like makes it easier to spot aberrant activity, such as unauthorised access.
Attackers have started using tactics that organisations do not expect and have gotten better at finding vulnerabilities that victims usually are unaware of in recent years. Early identification and reaction inside a company's network are crucial, in addition to ongoing efforts to thwart any unauthorised access. Remedial action must be taken right away because holding off might cause catastrophic damage.
Organisations can uncover vulnerabilities that could result in compromise and significant harm by thoroughly analysing attack scenarios and then taking the required precautions to guard against them.