The BlackCat ransomware group launched a malvertising campaign to push Cobalt Strike. They put up advertisements to attract people to fake WinSCP pages. Instead of the application, the victims download malware.
WinSCP (Windows Secure Copy) is a well-known SFTP, FTP, S3, and SCP client and file manager that supports SSH file transfers. It is free and open-source software, and 400,000 people download it every week from SourceForge alone.
The BlackCat or ALPHV group has populated web pages with malware installers that infect visitors, primarily aiming to target system administrators, web admins, and IT professionals in order to gain initial access to valuable corporate networks, according to BleepingComputer.
WinSCP is particularly appealing to users who prioritize secure file transfers and efficient file management. With its open-source nature, the client supports SSH file transfer, enabling safe exchanges between local machines and remote servers. Additionally, it serves as a versatile tool, functioning as both a WebDAV and Amazon S3 client.
Once victims click on the ads, they land on a page of tutorials about performing automated file transfers with WinSCP. This page itself is not malicious, so it does not trigger detection.
From there, users are redirected to a clone of the official WinSCP page with a download button. The clones even use a domain name similar to the legitimate one, such as winsccp[.]com.
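As an added defensive example that is not part of the original article, the following Python scans constructed proxy-log lines for hostnames whose main label is within two edits of an assumed allow-list of legitimate download domains (winscp.net and sourceforge.net are assumptions here), which is how a lookalike such as winsccp[.]com would surface in a log review.

```python
# Added example: flag lookalike domains in proxy logs. The allow-list and
# the log lines are constructed for illustration, not taken from the article.
import re

LEGIT_DOMAINS = {"winscp.net", "sourceforge.net"}   # assumed allow-list


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def refang(domain: str) -> str:
    """Turn a defanged indicator such as winsccp[.]com back into a hostname."""
    return domain.replace("[.]", ".").lower()


def registrable(host: str) -> str:
    """Crude eTLD+1: keep the last two labels (fine for .com/.net style TLDs)."""
    return ".".join(host.split(".")[-2:])


def lookalike(host: str, max_dist: int = 2):
    """Return the legitimate domain this host imitates, or None if it is clean."""
    host = refang(host)
    if host in LEGIT_DOMAINS:
        return None
    name = registrable(host).split(".")[0]        # compare the brand label only
    for legit in LEGIT_DOMAINS:
        if levenshtein(name, legit.split(".")[0]) <= max_dist:
            return legit
    return None


# Constructed proxy-log sample: one legitimate visit, one lookalike, one unrelated.
LOG = """\
2023-06-30T10:01:22Z src=10.0.0.15 host=winscp.net path=/eng/download.php
2023-06-30T10:02:41Z src=10.0.0.22 host=winsccp.com path=/download
2023-06-30T10:03:05Z src=10.0.0.22 host=cdn.example.org path=/a.js
"""


def scan(log: str):
    """Return (observed host, imitated domain) pairs found in the log."""
    hits = []
    for line in log.splitlines():
        m = re.search(r"host=(\S+)", line)
        if m and (target := lookalike(m.group(1))):
            hits.append((m.group(1), target))
    return hits
```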
pythonw.exe then loads a modified, obfuscated version of python310.dll containing a Cobalt Strike beacon, which establishes a connection to a command-and-control server.
In subsequent stages of the infection, the BlackCat operators employed several tools, including:
- AdFind: a command-line tool utilized for retrieving Active Directory (AD) information.
- PowerShell commands: used for gathering user data, extracting ZIP archives, and executing scripts.
- AccessChk64: a command-line tool employed for examining user and group permissions.
- Findstr: a command-line tool utilized to search for passwords within XML files.
- PowerView: a PowerSploit script employed for Active Directory reconnaissance and enumeration.
- Python scripts: used to execute the LaZagne password recovery tool and retrieve Veeam credentials.
- PsExec, BitsAdmin, and Curl: employed for lateral movement within the network.
- AnyDesk: a legitimate remote management tool abused for maintaining persistence.
- KillAV BAT script: employed to evade antivirus and antimalware software.
- PuTTY Secure Copy client: used for exfiltrating information.