Vulnerabilities
July 3, 2023

BlackCat utilises WinSCP search ads to distribute Cobalt Strike

Ransomware group BlackCat have been running campaigns to lure users into clicking on fake pages that mimic the real WinSCP file-transfer application for Windows but instead push malware-ridden installers.

WinSCP (Windows Secure Copy) is a free, widely used, open-source SFTP, FTP, S3 and SCP client and file manager for Windows with SSH file-transfer capabilities, with 400,000 downloads weekly.

BlackCat strategically employs the program as a bait to potentially infect the computers of system administrators, web admins, and IT professionals, gaining initial access to valuable corporate networks.

Analysts recently uncovered a previously undisclosed infection vector for the ALPHV (BlackCat) ransomware. They detected ad campaigns on both Google and Bing search pages promoting fraudulent pages associated with the ransomware.

Transitioning from WinSCP to CobaltStrike

It has been observed that the BlackCat attack begins when the targeted individual searches for "WinSCP Download" on Bing or Google and is shown manipulated search results that rank malicious options above the legitimate WinSCP download site.

Once lured by these deceptive advertisements, victims navigate to a website offering tutorials on automated file transfers utilising WinSCP.

These websites contain no malicious content themselves, which is a deliberate choice to evade Google's anti-abuse crawlers. Their true purpose is to redirect visitors to a counterfeit version of the official WinSCP website, complete with a deceptive download button. The clones use domain names resembling the authentic winscp.net domain, such as winsccp[.]com.
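The look-alike domain named above (winsccp[.]com against the real winscp.net) is the kind of thing a proxy or DNS log review can catch mechanically. The following is an added example, not code from the original article or from Trend Micro: it refangs defanged domains, compares the registrable label of each observed domain with the legitimate brand label using plain Levenshtein distance, and also flags domains whose label merely contains the brand name. The sample domains other than winscp.net and winsccp[.]com are constructed for illustration; the distance threshold of 2 is an assumption you would tune to your own brand list.

```python
"""Triage observed domains for look-alikes of a legitimate brand domain (added example)."""

LEGIT_DOMAIN = "winscp.net"   # the genuine WinSCP site named in the article


def refang(domain: str) -> str:
    """Turn the defanged 'winsccp[.]com' notation back into 'winsccp.com'."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute), iterative two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'winsccp' from 'www.winsccp.com'.
    Assumption: a single-label public suffix (no co.uk-style handling)."""
    parts = refang(domain).split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_lookalike(domain: str, legit: str = LEGIT_DOMAIN, max_distance: int = 2) -> bool:
    """True when the domain imitates the brand but is not the brand's own domain."""
    d = refang(domain)
    if d == legit or d.endswith("." + legit):
        return False                      # the real site and its subdomains
    brand = registrable_label(legit)
    label = registrable_label(d)
    if brand in label:
        return True                       # 'winscp-download', 'getwinscp', same label on another TLD
    return levenshtein(label, brand) <= max_distance   # winsccp, wincsp, wlnscp ...


def triage(domains):
    """Return the observed domains (as given, defanged or not) that look like impersonations."""
    return [d for d in domains if is_lookalike(d)]


# Constructed sample of domains as they might appear in a DNS or proxy log export.
SAMPLE_DOMAINS = [
    "winscp.net",                  # legitimate
    "docs.winscp.net",             # legitimate subdomain
    "winsccp[.]com",               # the clone named in the article
    "wincsp[.]example",            # constructed transposition
    "winscp-download[.]example",   # constructed brand-containing label
    "example.com",                 # unrelated
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_DOMAINS):
        print("look-alike:", hit)
```

Run it as a script to print the flagged entries, or import `triage` and feed it the distinct domains from a day of proxy logs. Keep the threshold low: at distance 3 or more, short brand labels start matching ordinary words and the output becomes noise.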

Upon clicking the button, the victim receives an ISO file containing two files, "setup.exe" and "msi.dll". The purpose of "setup.exe" is to entice the user to launch it, while "msi.dll" is the malware dropper that the executable loads.

According to the Trend Micro report, once "setup.exe" is executed, it invokes "msi.dll," which subsequently extracts a Python folder from the DLL RCDATA section, masquerading as a legitimate WinSCP installer for installation on the compromised machine.

This process also installs a trojanised "python310.dll" and establishes persistence by creating a Run key entry named "Python" with the value "C:\Users\Public\Music\python\pythonw.exe".

The executable "pythonw.exe" loads a modified and obfuscated "python310.dll," which harbours a Cobalt Strike beacon. This beacon establishes a connection with a command-and-control server address.
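The persistence step described above, a Run key entry named "Python" pointing at pythonw.exe under C:\Users\Public, leaves a clear trace in registry-modification telemetry. The following is an added example, not code from the article or from Trend Micro: it scans constructed Sysmon-style registry value-set events (Event ID 13, exported as JSON lines) and reports autostart entries that point into user-writable directories or that launch a script host such as pythonw.exe. The event lines, the SID and the vendor paths are constructed; the set of writable directories and script hosts is an assumption to extend for your environment.

```python
"""Flag suspicious Run/RunOnce autostart entries in Sysmon-style registry events (added example)."""
import json
import re
from pathlib import PureWindowsPath

# Matches the per-user (HKU) and machine (HKLM) autostart keys.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)

# Directories any interactive user can write to; autostart targets here deserve a look.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\public\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
)
USER_WRITABLE_PATTERNS = (
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE),
)

# Interpreters and LOLBins that rarely belong in an autostart entry on a managed workstation.
SCRIPT_HOSTS = {"pythonw.exe", "python.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}


def extract_executable(details: str) -> str:
    """Pull the program path out of a Run value, which may be quoted and carry arguments."""
    s = details.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    m = re.match(r"(.+?\.exe)", s, re.IGNORECASE)   # unquoted: cut at the first .exe
    if m:
        return m.group(1)
    return s.split()[0] if s else ""


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return p.startswith(USER_WRITABLE_PREFIXES) or any(r.match(p) for r in USER_WRITABLE_PATTERNS)


def analyse_event(event: dict):
    """Return a finding dict for a suspicious autostart write, or None."""
    if event.get("EventID") != 13:                     # Sysmon: registry value set
        return None
    target = event.get("TargetObject", "")
    if not RUN_KEY_RE.search(target):
        return None
    exe = extract_executable(event.get("Details", ""))
    name = PureWindowsPath(exe).name.lower()
    reasons = []
    if is_user_writable(exe):
        reasons.append("autostart target in user-writable directory")
    if name in SCRIPT_HOSTS:
        reasons.append(f"autostart launches script host {name}")
    if not reasons:
        return None
    return {"value_name": target.rsplit("\\", 1)[-1], "executable": exe, "reasons": reasons}


def scan(lines):
    """Parse JSON-per-line events and collect findings; malformed lines are skipped."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = analyse_event(event)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events (SID, benign vendor path and ordering are made up).
SAMPLE_EVENTS = [
    r'{"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Python", "Details": "C:\\Users\\Public\\Music\\python\\pythonw.exe"}',
    r'{"EventID": 13, "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdater", "Details": "\"C:\\Program Files\\Vendor\\updater.exe\" /quiet"}',
    r'{"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "Details": "DWORD (0x00000001)"}',
    r'{"EventID": 1, "Image": "C:\\Users\\Public\\Music\\python\\pythonw.exe"}',
    "not json at all",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["value_name"], f["executable"], "; ".join(f["reasons"]))
```

The same two checks translate directly into a SIEM rule; the user-writable-path test is the one that generalises beyond this campaign, since the dropper's choice of C:\Users\Public\Music is incidental but the need to write somewhere a standard user can reach is not.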

Additional tools employed by ALPHV

With Cobalt Strike operational on the system, executing further scripts, retrieving tools for lateral movement and deepening the compromise becomes straightforward.

Trend Micro's analysts noticed that ALPHV operators used the following tools in the subsequent phases:

AdFind: command-line tool used for retrieving Active Directory (AD) information.

PowerShell commands: used for gathering user data, extracting ZIP files, and executing scripts.

AccessChk64: command-line tool used for user and group permission reconnaissance.

Findstr: command-line tool used for searching for passwords within XML files.

PowerView: PowerSploit script used in AD reconnaissance and enumeration.

Python scripts: used for executing the LaZagne password recovery tool and obtaining Veeam credentials.

PsExec, BitsAdmin, and Curl: used for lateral movement.

AnyDesk: legitimate remote management tool abused for maintaining persistence.

KillAV BAT script: used for disabling or bypassing antivirus and antimalware programs.

PuTTY Secure Copy client: used for exfiltrating the collected information from the breached system.

Along with the above tools, ALPHV also used the SpyBoy "Terminator," an EDR and antivirus disabler sold by threat actors on Russian-speaking hacking forums for as much as $3,000.

Recent research by CrowdStrike confirmed that "Terminator" can bypass several Windows security tools by using a "bring your own vulnerable driver" (BYOVD) mechanism to escalate privileges on the system and deactivate them.

Trend Micro says it has linked the above TTPs to confirmed ALPHV ransomware infections. It also found a Clop ransomware file in one of the investigated C2 domains, so the threat actor may be affiliated with multiple ransomware operations.

In Conclusion

The use of Cobalt Strike in conjunction with additional scripts and tools enables a malicious actor to move laterally and escalate the compromise of a targeted system. This underscores the critical need for proactive measures and expert assistance from a cybersecurity company.

A cybersecurity company can play a crucial role in combating threats like the one mentioned above. By leveraging their expertise, they can help organisations bolster their defences, detect, and mitigate such attacks, and implement robust security measures. This may involve conducting thorough system audits, implementing advanced threat detection technologies, providing employee training on recognising and mitigating phishing attempts, and developing incident response plans to effectively address security incidents. Through proactive monitoring, analysis, and swift incident response, a cybersecurity company can help organisations protect their valuable assets and stay one step ahead of sophisticated threats.

Threat intelligence is a prime example of a method that helps organisations stay on top of threats like these. It allows cybersecurity companies to gather and analyse emerging threats, including the tactics, techniques and procedures employed by threat actors such as BlackCat.
