Ransomware Group Targets Windows Admins with Fake PuTTY and WinSCP Ads

A ransomware gang is targeting Windows system administrators by using Google ads to promote fake download sites for PuTTY and WinSCP. PuTTY and WinSCP are widely-used Windows utilities, with WinSCP serving as an SFTP and FTP client, and PuTTY as an SSH client.

System administrators typically have higher privileges on a Windows network, making them attractive targets for cybercriminals aiming to infiltrate a network, steal data, and access domain controllers to deploy ransomware.

According to a recent report, a search engine campaign displayed ads for counterfeit PuTTY and WinSCP sites when users searched for “download winscp” or “download putty.” It is unclear whether this campaign ran on Google, Bing, or both. These ads used typosquatting domain names such as puutty[.]org, wnscp[.]net, and vvinscp[.]net.

While these sites mimicked the legitimate WinSCP site (winscp.net), for PuTTY they imitated putty.org, an unaffiliated site that many people mistakenly believe to be the official one.

These fake sites provided download links that either redirected users to legitimate sites or downloaded a ZIP archive from the attackers’ servers, depending on whether the user was referred by a search engine or another campaign site.

The ZIP archives contained a Setup.exe executable, a legitimate Python for Windows executable (pythonw.exe), and a malicious python311.dll. When pythonw.exe starts, it looks for a legitimate python311.dll in its own directory; the attackers placed a malicious DLL with that name alongside the executable, so their copy is loaded instead, a technique known as DLL sideloading.

When a user runs Setup.exe, believing it will install PuTTY or WinSCP, the malicious DLL is loaded and extracts and executes an encrypted Python script. This script ultimately installs the Sliver post-exploitation toolkit, a popular tool for gaining initial access to corporate networks.
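A defender-side triage check for the archive layout described above, added here as an example and not code from the report or from the PuTTY or WinSCP projects: it flags a Python runtime shipped with a python311.dll whose hash is not on an allowlist, and a Setup.exe bundled with a Python runtime at all. The allowlist hash and the archive contents are constructed placeholders.

```python
import hashlib
import io
import zipfile

# Constructed stand-in for the SHA-256 of a genuine python311.dll. In practice, populate
# this set from hashes taken off a clean python.org installation of the same version.
GENUINE_DLL_BYTES = b"constructed stand-in for a genuine python311.dll"
KNOWN_GOOD_PYTHON311_DLL = {hashlib.sha256(GENUINE_DLL_BYTES).hexdigest()}

# Windows resolves a DLL from the launching EXE's own directory before the system
# directories, so a python311.dll dropped beside pythonw.exe is the one that gets loaded.
SIDELOAD_PAIRS = {"pythonw.exe": "python311.dll", "python.exe": "python311.dll"}


def triage_archive(zip_bytes: bytes, known_good: set[str]) -> list[str]:
    """Flag ZIPs matching the lure layout: Setup.exe + pythonw.exe + unrecognised python311.dll."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # Index entries by base name so a nested folder inside the archive does not hide them.
        files = {i.filename.rsplit("/", 1)[-1].lower(): i for i in zf.infolist() if not i.is_dir()}
        for exe, dll in SIDELOAD_PAIRS.items():
            if exe in files and dll in files:
                digest = hashlib.sha256(zf.read(files[dll])).hexdigest()
                if digest not in known_good:
                    findings.append(f"{exe} ships with an unrecognised {dll} "
                                    f"(sha256 {digest[:12]}...): possible DLL sideloading")
        if "setup.exe" in files and any(n.startswith("python") for n in files):
            findings.append("Setup.exe bundled with a Python runtime: neither PuTTY nor "
                            "WinSCP is written in Python, so this is not an official installer")
    return findings


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {name: content}; used only to construct the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample mirroring the archive described in the report.
LURE_ZIP = build_archive({
    "putty/Setup.exe": b"constructed setup stub",
    "putty/pythonw.exe": b"constructed legitimate pythonw.exe",
    "putty/python311.dll": b"constructed malicious loader DLL",
})
# Constructed benign sample: an allowlisted DLL next to pythonw.exe and no Setup.exe.
CLEAN_ZIP = build_archive({"pythonw.exe": b"constructed pythonw.exe", "python311.dll": GENUINE_DLL_BYTES})

if __name__ == "__main__":
    for finding in triage_archive(LURE_ZIP, KNOWN_GOOD_PYTHON311_DLL):
        print("ALERT:", finding)
```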

The threat actor used Sliver to remotely drop additional payloads, including Cobalt Strike beacons. The attacker used this access to exfiltrate data and attempt to deploy a ransomware encryptor. The campaign is similar to those seen by Malwarebytes and Trend Micro, which involved the now-defunct BlackCat/ALPHV ransomware.

The threat actor attempted to exfiltrate data using the backup utility Restic and then tried to deploy ransomware, an attempt that was ultimately blocked during execution.

Over the past few years, search engine advertisements have become a significant problem, with numerous threat actors using them to distribute malware and phishing sites.

These ads targeted popular programs like KeePass, CPU-Z, Notepad++, Grammarly, MSI Afterburner, Slack, Dashlane, 7-Zip, CCleaner, VLC, Malwarebytes, Audacity, μTorrent, OBS, Ring, AnyDesk, LibreOffice, TeamViewer, Thunderbird, and Brave.

More recently, a threat actor used Google ads with the legitimate URL for the crypto trading platform Whales Market. However, the ad led to a phishing site containing a cryptodrainer to steal visitors’ cryptocurrency.

To prevent falling victim to this type of ransomware attack, system administrators should ensure they only download software from verified and official websites. Employing robust ad-blocking solutions can reduce exposure to malicious ads. Regularly updating antivirus and anti-malware tools, coupled with comprehensive security training for staff, can further mitigate risks.