Blackcat Ransomware Pushes Cobalt Strike via WinSCP Search Ads
Cyber Security Threat Summary:
The ALPHV ransomware group, also known as the BlackCat, is engaging in malvertising activities to trick individuals into visiting counterfeit websites that closely resemble the legitimate WinSCP file-transfer application for Windows. However, these deceptive pages distribute installers infected with malicious software. WinSCP, a widely-used application for secure file transfer on Windows, is an open-source client and file manager supporting SFTP, FTP, S3, and SCP protocols. It boasts a significant user base, with approximately 400,000 weekly downloads from SourceForge alone. The BlackCat group is leveraging the WinSCP program as bait to potentially infiltrate the computers of system administrators, web administrators, and IT professionals, aiming to gain initial entry into valuable corporate networks. Trend Micro analysts recently uncovered this previously unidentified method of ALPHV ransomware infection. They detected advertising campaigns on Google and Bing search pages, promoting the counterfeit pages designed to deceive users.
“The BlackCat attack observed by Trend Micro begins with the victim searching for "WinSCP Download" on Bing or Google and getting promoted malicious results ranked above the safe WinSCP download sites. The victims click on those ads and visit a website that hosts tutorials about performing automated file transfers using WinSCP. These sites contain nothing malicious, likely to evade detection by Google's anti-abuse crawlers but redirect the visitors to a clone of the WinSCP official website featuring a download button. These clones utilize domain names similar to the real winscp[.]net domain for the utility, such as winsccp[.]com. The victim clicks the button and receives an ISO file containing "setup[.]exe" and "msi[.]dll," the first being the lure for the user to launch and the second being the malware dropper triggered by the executable. "Once setup[.]exe is executed, it will call the msi[.]dll that will later extract a Python folder from the DLL RCDATA section as a real installer for WinSCP to be installed on the machine," explains the Trend Micro report. This process also installs a trojanized python310[.]dll and creates a persistence mechanism by making a run key named "Python" and the value "C:\Users\Public\Music\python\pythonw[.]exe". The executable pythonw[.]exe loads a modified obfuscated python310[.]dll that contains a Cobalt Strike beacon that connects to a command-and-control server address” (BleepingComputer, 2023).
Security Officer Comments:
According to recent findings from CrowdStrike, it has been verified that a malware named "Terminator" possesses the ability to evade multiple Windows security tools. It achieves this by employing a "bring your own vulnerable driver" (BYOVD) technique to elevate privileges on the system and disable the security tools.
Trend Micro has established a connection between the mentioned tactics, techniques, and procedures (TTPs), and confirmed cases of ALPHV ransomware infections. Additionally, during the investigation of command-and-control (C2) domains, Trend Micro discovered a Clop ransomware file, indicating that the threat actor may have affiliations with multiple ransomware operations.
Suggested Correction(s):
Backup your data, system images, and configurations, regularly test them, and keep the backups offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because if your network data is encrypted with ransomware, your organization can restore systems.
Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk- based assessment strategy to drive your patch management program.
Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?
Check Your Security Team's Work: Use a 3rd party pen tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.
Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety critical functions can be maintained during a cyber incident.
Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained how to avoid and spot phishing emails. Multi Factor authentication can help prevent malicious access to sensitive services.
Link(s):
https://www.bleepingcomputer.com/