BlackCat ransomware pushes Cobalt Strike via WinSCP search ads

The BlackCat ransomware group (aka ALPHV) is running malvertizing campaigns to lure people into fake pages that mimic the official website of the WinSCP file-transfer application for Windows but instead push malware-ridden installers.

WinSCP (Windows Secure Copy) is a popular free and open-source SFTP, FTP, S3, SCP client, and file manager with SSH file transfer capabilities with 400,000 weekly downloads on SourceForge alone.

BlackCat is using the program as a lure to potentially infect the computers of system administrators, web admins, and IT professionals for initial access to valuable corporate networks.

This previously unknown ALPHV ransomware infection vector was discovered by analysts at Trend Micro, who spotted ad campaigns promoting the fake pages on both Google and Bing search pages.

From WinSCP to CobaltStrike

The BlackCat attack observed by Trend Micro begins with the victim searching for “WinSCP Download” on Bing or Google and getting promoted malicious results ranked above the safe WinSCP download sites.

The victims click on those ads and visit a website that hosts tutorials about performing automated file transfers using WinSCP.

Website promoted via malvertising
Source: Trend Micro

These sites contain nothing malicious, likely to evade detection by Google’s anti-abuse crawlers but redirect the visitors to a clone of the WinSCP official website featuring a download button. These clones utilize domain names similar to the real domain for the utility, such as winsccp[.]com.

Clone WinSCP download site
Source: Trend Micro

The victim clicks the button and receives an ISO file containing “setup.exe” and “msi.dll,” the first being the lure for the user to launch and the second being the malware dropper triggered by the executable.

“Once setup.exe is executed, it will call the msi.dll that will later extract a Python folder from the DLL RCDATA section as a real installer for WinSCP to be installed on the machine,” explains the Trend Micro report.

This process also installs a trojanized python310.dll and creates a persistence mechanism by making a run key named “Python” and the value “C:\Users\Public\Music\python\pythonw.exe”.

Registry manipulation to establish persistence
Source: Trend Micro

The executable pythonw.exe loads a modified obfuscated python310.dll that contains a Cobalt Strike beacon that connects to a command-and-control server address.

Complete attack chain
Source: Trend Micro

Other tools used by ALPHV

Having Cobalt Strike running on the system, it is easy to execute additional scripts, fetch tools for lateral movement, and generally deepen the compromise.

Trend Micro’s analysts noticed that ALPHV operators used the following tools in the subsequent phases:

  • AdFind: command-line tool used for retrieving Active Directory (AD) information.
  • PowerShell commands used for gathering user data, extracting ZIP files, and executing scripts.
  • AccessChk64: command-line tool used for user and groups permission reconnaissance.
  • Findstr: command-line tool used for searching passwords within XML files.
  • PowerView: PowerSploit script used in AD reconnaissance and enumeration.
  • Python scripts used for executing the LaZagne password recovery tool and obtaining Veeam credentials.
  • PsExec, BitsAdmin, and Curl, used for lateral movement
  • AnyDesk: legitimate remote management tool abused for maintaining persistence
  • KillAV BAT script used for disabling or bypassing antivirus and antimalware programs.
  • PuTTY Secure Copy client used for exfiltrating the collected information from the breached system.

Along with the above tools, ALPHV also used the SpyBoy “Terminator,” an EDR and antivirus disabler sold by threat actors on Russian-speaking hacking forums for as much as $3,000.

Recent research by CrowdStrike confirmed that “Terminator” is capable of bypassing several Windows security tools by using a “bring your own vulnerable driver” (BYOVD) mechanism to escalate privileges on the system and deactivate them.

Trend Micro says it has linked the above TTPs to confirmed ALPHV ransomware infections. It also found a Clop ransomware file in one of the investigated C2 domains, so the threat actor may be affiliated with multiple ransomware operations.

Leave a Comment

Your email address will not be published. Required fields are marked *