BlackCat Ransomware Group Imitates WinSCP for Windows App Site to Distribute Malware
WinSCP (Windows Secure Copy) is a popular free SFTP, FTP, S3, SCP client and open source file manager with SSH file transfer capabilities that is downloaded over 400,000 times a week from SourceForge alone. Unfortunately, experts have warned that the BlackCat ransomware group (aka ALPHV) is creating fake sites that imitate the official WinSCP for Windows app site and are actively promoting them on Google and Bing. Instead of the real WinSCP, hackers distribute malware-infected installers.
Hackers Use WinSCP as Bait
This malicious campaign seems to target system administrators, web administrators, and IT professionals, by infecting whose machines the attackers hope to gain initial access to corporate networks. Trend Micro analysts write that the attack starts with the fact that the victim searches for “WinSCP Download” in Bing or Google. Among the search results will be promoted malicious results that appear to be higher than the actual WinSCP download sites.
Malicious Sites Redirect Visitors to Clones of the Official WinSCP Site
As a result, the victims click on advertising links and end up on sites created by BlackCat, where there are guides on how to perform file transfer using WinSCP. Interestingly, these sites do not contain anything malicious and are probably not detected by Google crawlers, but redirect visitors to a copy of the official WinSCP site with a download button. These clones use domain names that are as close as possible to the real winscp.net domain (for example, winscp[.]com).
By clicking on the download button, the victim receives an ISO image containing the setup.exe and msi.dll files, the first of which is a decoy to be launched by the user, and the second is a malware dropper that is launched by the executable file. Ultimately, the executable file pythonw.exe is installed on the victim’s machine, which loads a modified and obfuscated python310.dll library containing a Cobalt Strike beacon that connects to the hackers’ control server.
Hackers Use Tools for Lateral Movement
After launching Cobalt Strike, hackers are able to execute additional scripts, deploy tools for lateral movement, and generally deepen the compromise further. Trend Micro analysts report that in the subsequent stages of the attack, ALPHV operators use the following tools: AdFind is a command line tool used to retrieve Active Directory (AD) information; PowerShell commands – used to collect user data, extract ZIP files, and execute scripts; AccessChk64 is a command line tool used to collect data about user and group permissions; Findstr is a command line tool used to find passwords in XML files; PowerView – PowerSploit script used for AD reconnaissance and enumeration; and Python scripts – used to run the malicious code.
It is important to note that the malicious campaign is still active and that users should be aware of the risks associated with downloading software from unknown sources. It is recommended to always download software from official websites and to be wary of any suspicious links or websites. Additionally, users should ensure that their antivirus software is up to date and that they have a reliable backup system in place in case of an attack.