In a recent analysis, researchers from Trend Micro have uncovered the use of malvertising by threat actors associated with the BlackCat ransomware. These malicious actors are employing deceptive techniques to distribute rogue installers of the popular WinSCP file transfer application.
BlackCat Ransomware Malvertising Technique
Malvertising pairs SEO poisoning with paid online advertising to spread malware. In this case, the attackers cloned webpages of legitimate organizations and bid on specific keywords (such as “WinSCP Download”) so that fraudulent ads appeared on search engine results pages, redirecting unsuspecting users to the malicious sites.
Exploiting Trust in WinSCP
The primary goal of this campaign is to deceive users searching for applications like WinSCP into downloading malware disguised as legitimate software. Specifically, the attackers deploy a backdoor containing a Cobalt Strike Beacon that establishes communication with a remote server for subsequent operations. To facilitate network discovery, they also employ genuine tools like AdFind.
A Multi-Stage Attack Chain
Once inside the target system, the threat actors use the access provided by Cobalt Strike to download further tooling: programs for reconnaissance, enumeration (PowerView), lateral movement (PsExec), antivirus evasion (KillAV BAT), and exfiltration of sensitive data (PuTTY Secure Copy client). They also use a defense evasion tool called Terminator, which tampers with security software through Bring Your Own Vulnerable Driver (BYOVD) attacks.
Escalating Privileges and Establishing Persistence
As part of their attack chain, the attackers aim to gain top-level administrator privileges within the targeted network. Once those privileges are obtained during post-exploitation, they attempt to establish persistence through remote monitoring and management tools such as AnyDesk, and they access backup servers where available.
Potential Impact and Mitigation Measures
Trend Micro warns that, had intervention not occurred in a timely manner, the targeted enterprise would have suffered significant consequences: the attackers had already obtained domain administrator privileges and established backdoors and persistence mechanisms, which presented a severe risk. The report emphasizes the importance of proactive security measures to counter such attacks effectively.
BlackCat Ransomware Distribution Using Google Ads
The exploitation of advertising platforms for spreading malware is an ongoing trend among threat actors. In November 2022, Microsoft disclosed an attack campaign utilizing Google Ads to deploy BATLOADER, which subsequently dropped Royal ransomware. This demonstrates how cybercriminals continue to exploit popular services for their malicious activities.
Avast Decryptor for Akira Ransomware
In other cybersecurity news, the Czech company Avast recently released a free decryptor for victims of the Akira ransomware. Akira first appeared in March 2023 and has since expanded its targeting to include Linux systems. Although it shares similarities with Conti v2, Avast has not disclosed how it was able to break Akira’s encryption.
Evolution Within E-Crime Groups
Although major e-crime groups such as Conti/TrickBot (also known as Gold Ulrick or ITG23) have been disrupted by external events, they continue to operate as smaller entities that share crypters and infrastructure to distribute malware strains such as Aresloader, Canyon, CargoBay, DICELOADER, Lumma C2, Matanbuchus, Minodo (formerly Domino), Pikabot, SVCReady, and Vidar. IBM Security X-Force researchers highlighted the evolving nature of these crypters—applications designed to encrypt and obfuscate malware—which are used to evade antivirus scanners and hinder analysis.
The Persistent Threat Landscape
Despite ongoing changes in the cybercrime ecosystem, including new partnerships and the periodic shutdown or rebranding of financially motivated operations, ransomware remains a constant threat. The emergence of Rhysida, a new ransomware-as-a-service (RaaS) group, further illustrates this. Rhysida has primarily targeted the education, government, manufacturing, and technology sectors across Western Europe, North and South America, and Australia.
The use of malvertising by BlackCat ransomware operators to distribute ransomware disguised as WinSCP highlights the ever-evolving tactics of cybercriminals. This incident is a reminder for individuals and organizations to remain vigilant against such threats and to adopt robust security measures to protect their systems from malicious actors.