The BlackCat ransomware group (also known as ALPHV) is running malvertising campaigns to lure people to counterfeit pages that impersonate the official site of the WinSCP file transfer application for Windows but instead push malware-laden installers.
WinSCP (Windows Secure Copy) is a popular free and open-source SFTP, FTP, S3, and SCP client and file manager with SSH file transfer capabilities, with 400,000 weekly downloads on SourceForge alone.
BlackCat is using the program as a lure to infect the computers of system administrators, web administrators, and IT professionals, gaining initial access to valuable corporate networks.
Analysts at Trend Micro discovered this previously unknown ALPHV ransomware infection vector when they noticed advertising campaigns promoting the fake pages on both Google and Bing search pages.
From WinSCP to CobaltStrike
Trend Micro found that the BlackCat attack starts when a victim searches for “WinSCP Download” on Bing or Google and sees malicious results ranked higher than safe WinSCP download sites.
When the victims click on those ads, they are taken to a website with tutorials on how to automate file transfers with WinSCP.
These sites contain nothing malicious, likely to evade detection by Google’s anti-abuse crawlers, but they redirect visitors to a clone of the official WinSCP website that includes a download button. To aid the deception, these clones use domain names like winsccp[.]com, which resemble the genuine winscp.net domain.
The victim clicks the button and receives an ISO file containing “setup.exe” and “msi.dll,” the first being the lure for the user to launch and the second being the malware dropper triggered by the executable.
The Trend Micro report provides this explanation: “Once setup.exe is executed, it will call the msi.dll that will later extract a Python folder from the DLL RCDATA section as a real installer for WinSCP to be installed on the machine.”
Additionally, this process establishes persistence by creating a Run key with the value “C:\Users\Public\Music\python\pythonw.exe” and installing a trojanized version of Python310.dll.
The modified, obfuscated python310.dll loaded by the executable pythonw.exe contains a Cobalt Strike beacon that communicates with a command-and-control server.
Other tools used by ALPHV
With Cobalt Strike running on the system, it is easy to execute additional scripts, fetch tools for lateral movement, and generally deepen the compromise.
Trend Micro’s analysts noticed that ALPHV operators used the following tools in the subsequent phases:
- AdFind: command-line tool used for retrieving Active Directory (AD) information.
- PowerShell commands used for gathering user data, extracting ZIP files, and executing scripts.
- AccessChk64: command-line tool used for user and groups permission reconnaissance.
- Findstr: command-line tool used for searching passwords within XML files.
- PowerView: PowerSploit script used in AD reconnaissance and enumeration.
- Python scripts used for executing the LaZagne password recovery tool and obtaining Veeam credentials.
- PsExec, BitsAdmin, and Curl: used for lateral movement.
- AnyDesk: legitimate remote management tool abused for maintaining persistence.
- KillAV BAT script used for disabling or bypassing antivirus and antimalware programs.
- PuTTY Secure Copy client used for exfiltrating the collected information from the breached system.
Along with the above tools, ALPHV also used the SpyBoy “Terminator,” an EDR and antivirus disabler sold by threat actors on Russian-speaking hacking forums for as much as $3,000.
Recent research by CrowdStrike confirmed that “Terminator” is capable of bypassing several Windows security tools by using a “bring your own vulnerable driver” (BYOVD) mechanism to escalate privileges on the system and deactivate them.
Trend Micro says it has linked the above TTPs to confirmed ALPHV ransomware infections. It also found a Clop ransomware file in one of the investigated C2 domains, so the threat actor may be affiliated with multiple ransomware operations.