A ransomware operation is targeting Windows system administrators by taking out Google ads that promote fake download sites for PuTTY and WinSCP. Both are popular Windows utilities: WinSCP is an SFTP and FTP client, and PuTTY is an SSH client.
System administrators commonly have higher privileges on a Windows network, making them valuable targets for threat actors who want to quickly spread through a network, steal data, and gain access to a network's domain controller to deploy ransomware.
A recent report by Rapid7 says that a search engine campaign displayed ads for fake PuTTY and WinSCP sites when users searched for "download winscp" or "download putty".
While the fake WinSCP page impersonated the legitimate WinSCP site, for PuTTY the threat actors imitated an unaffiliated site that many people believe is the real one.
The official site for PuTTY is actually https://www.
These sites include download links that, when clicked, either redirect you to the legitimate site or download a ZIP archive from the threat actor's servers, depending on whether you arrived from a search engine or from another site in the campaign.
The ZIP archive contains an .exe executable, which is a renamed but legitimate Python for Windows executable, together with a malicious python311 DLL. When the .exe is launched, it attempts to load the legitimate python311 DLL from its own directory. The threat actors replaced this DLL with a malicious version that is loaded instead, a technique known as DLL sideloading. When a user runs the .exe, thinking it is installing PuTTY or WinSCP, the malicious DLL is loaded and extracts and executes an encrypted Python script.
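One way a defender can hunt for the sideloading pattern described above is to triage Sysmon image-load telemetry (Event ID 7) for python311.dll loaded from an unexpected directory, or a copy that is not Authenticode-signed by the Python Software Foundation. This is an added example, not code from the article or from Rapid7; the sample events, the installer file name and the allowlist of trusted Python directories are constructed assumptions.

```python
"""Triage Sysmon Event ID 7 (image load) records for python311.dll sideloading.
Sample events are constructed for illustration, not real telemetry."""
import json
import re
from pathlib import PureWindowsPath

# Directories where a genuine Python 3.11 runtime DLL normally lives. Assumed
# allowlist for the example; extend it to match the installs in your estate.
TRUSTED_DLL_DIRS = [
    re.compile(r"^c:\\program files( \(x86\))?\\python311$"),
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\programs\\python\\python311$"),
]
EXPECTED_SIGNER = "python software foundation"

# Constructed Sysmon Event ID 7 records as they might look after JSON export.
SAMPLE_EVENTS = [
    json.dumps({"Image": r"C:\Program Files\Python311\python.exe",
                "ImageLoaded": r"C:\Program Files\Python311\python311.dll",
                "Signed": "true", "Signature": "Python Software Foundation"}),
    json.dumps({"Image": r"C:\Users\alice\Downloads\winscp-installer\installer.exe",
                "ImageLoaded": r"C:\Users\alice\Downloads\winscp-installer\python311.dll",
                "Signed": "false", "Signature": ""}),
    json.dumps({"Image": r"C:\Windows\System32\svchost.exe",
                "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
                "Signed": "true", "Signature": "Microsoft Windows"}),
]

def check_event(event: dict) -> list[str]:
    """Return the reasons an image-load event looks like python311.dll sideloading
    (empty list when the event is benign or not about python311.dll at all)."""
    loaded = PureWindowsPath(event.get("ImageLoaded", ""))
    if loaded.name.lower() != "python311.dll":
        return []
    reasons = []
    dll_dir = str(loaded.parent).lower()
    if not any(p.match(dll_dir) for p in TRUSTED_DLL_DIRS):
        reasons.append(f"python311.dll loaded from untrusted directory {loaded.parent}")
    if event.get("Signed", "").lower() != "true":
        reasons.append("python311.dll is not Authenticode-signed")
    elif EXPECTED_SIGNER not in event.get("Signature", "").lower():
        reasons.append(f"unexpected signer {event.get('Signature')!r}")
    if reasons:  # record which process pulled the DLL in, for follow-up
        reasons.append(f"loading process: {event.get('Image')}")
    return reasons

def triage(lines: list[str]) -> dict[str, list[str]]:
    """Map each suspicious loading process to its findings."""
    findings = {}
    for line in lines:
        event = json.loads(line)
        reasons = check_event(event)
        if reasons:
            findings[event["Image"]] = reasons
    return findings

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS).items():
        print(image)
        for reason in reasons:
            print("  -", reason)
```

A signed copy of python311.dll run from a user-writable directory still produces a finding, so portable or embedded Python distributions in your environment should be added to the allowlist before alerting on this.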
Rapid7 says the threat actor used Sliver to remotely drop further payloads, including Cobalt Strike beacons.
The hacker used this access to exfiltrate data and attempt to deploy a ransomware encryptor.
While Rapid7 shared limited details about the ransomware, the researchers say the campaign is similar to those seen by Malwarebytes and Trend Micro, which deployed the BlackCat/ALPHV ransomware, an operation that has since shut down.
Search engine advertisements have become a massive problem over the past couple of years, with numerous threat actors utilizing them to push malware and phishing sites.
More recently, a threat actor took out Google ads that included the legitimate URL for the crypto trading platform Whales Market.
The ad led to a phishing site containing a cryptodrainer to steal visitors' cryptocurrency.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Sat, 18 May 2024 18:25:09 +0000