BlackCat Operators Distributing Ransomware Disguised as WinSCP via Malvertising

BlackCat Ransomware

Actors associated with BlackCat ransomware have been observed using malvertising techniques to distribute malicious installers for the WinSCP file transfer application.

“Malicious actors used malvertising to distribute malware via cloned web pages of legitimate organizations,” Trend Micro researchers said in an analysis released last week. “In this case, the distribution included a webpage for the well-known application WinSCP, an open source Windows application for file transfer.”

Malvertising is the use of SEO poisoning techniques to spread malware through online advertisements. It usually aims to hijack a set of selected keywords, display fake ads on Bing or Google search results pages, and redirect unsuspecting users to malicious pages.

The idea is to trick a user searching for an application like WinSCP into downloading malware (in this example, a backdoor containing a Cobalt Strike Beacon that connects to a remote server for subsequent operations), while also using legitimate tools such as AdFind to facilitate network discovery.

The access granted by Cobalt Strike was further exploited to download numerous programs to perform reconnaissance, enumeration (PowerView), lateral movement (PsExec), antivirus bypass (KillAV BAT), and exfiltration of customer data (PuTTY Secure Copy client). Also observed was tampering with security software through a Bring Your Own Vulnerable Driver (BYOVD) attack using the Terminator defense evasion tool.

In the attack chain detailed by the cybersecurity firm, the attackers obtained top-level administrative privileges to perform post-exploitation activities, used remote monitoring and management tools such as AnyDesk to establish persistence, and accessed the backup server.
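The post-exploitation chain described above (AdFind for discovery, PsExec for lateral movement, AnyDesk for persistence) is one that defenders can correlate from process-creation telemetry. The following is an added example, not code from the article or from Trend Micro; the event tuple layout and the sample events are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events: (host, timestamp, image path, command line).
# These are illustrative, not from the article; ws02 runs a legitimate WinSCP only.
SAMPLE_EVENTS = [
    ("ws01", "2023-07-01T10:02:11", "C:\\Users\\a\\Downloads\\winscp-setup.exe", "winscp-setup.exe"),
    ("ws01", "2023-07-01T10:05:40", "C:\\Windows\\Temp\\adfind.exe", "adfind.exe -f objectcategory=computer"),
    ("ws01", "2023-07-01T10:09:03", "C:\\Tools\\PsExec.exe", "psexec.exe \\\\srv02 -s cmd"),
    ("ws01", "2023-07-01T10:15:22", "C:\\Users\\a\\AppData\\Local\\Temp\\AnyDesk.exe", "AnyDesk.exe --install"),
    ("ws02", "2023-07-01T11:00:00", "C:\\Program Files\\WinSCP\\WinSCP.exe", "WinSCP.exe"),
]

# Stages of the chain the article describes, in the order they were observed.
STAGES = [
    ("recon", re.compile(r"adfind", re.I)),
    ("lateral", re.compile(r"psexec", re.I)),
    ("persistence", re.compile(r"anydesk", re.I)),
]


def stages_per_host(events):
    """Map each host to the chain stages seen, in order of first appearance."""
    seen = defaultdict(list)
    for host, _ts, image, cmdline in sorted(events, key=lambda e: e[1]):
        for name, pattern in STAGES:
            if (pattern.search(image) or pattern.search(cmdline)) and name not in seen[host]:
                seen[host].append(name)
    return dict(seen)


def flag_hosts(events, min_stages=2):
    """Return hosts on which at least min_stages distinct chain stages were observed.

    Any single tool (PsExec, AnyDesk) may be legitimate on its own; requiring two
    or more stages on one host keeps the alert focused on the combined pattern.
    """
    return {
        host: stages
        for host, stages in stages_per_host(events).items()
        if len(stages) >= min_stages
    }


if __name__ == "__main__":
    for host, stages in flag_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {' -> '.join(stages)}")
```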

“In particular, since the attackers had already successfully gained initial access to domain admin privileges and had begun to establish backdoors and persistence, the enterprise could very likely have been significantly impacted by the attack if intervention had been sought later,” Trend Micro said.


This development is just the latest example of attackers leveraging the Google Ads platform to deliver malware. In November 2022, Microsoft revealed an attack campaign that used the advertising service to deploy BATLOADER and drop the Royal ransomware.

This also coincides with the release of a free decryption tool for the fledgling Akira ransomware by Czech cybersecurity firm Avast to help victims recover their data without having to pay the operators. First appearing in March 2023, Akira has since expanded its target footprint to include Linux systems.

“Akira has some similarities to the Conti v2 ransomware, which may indicate that the malware author was inspired by at least the leaked Conti source,” Avast researchers said. The company did not disclose how it cracked the ransomware’s encryption algorithm.

The Conti/TrickBot syndicate, aka Gold Ulrick or ITG23, was shut down in May 2022 after suffering a series of disruptive events triggered by Russia’s invasion of Ukraine. However, the e-crime group continues to exist to this day, albeit as smaller entities that use shared crypters and infrastructure to distribute their wares.


In a recent analysis, IBM Security X-Force discovered that the gang’s crypters, applications designed to encrypt and obfuscate malware to evade detection by antivirus scanners and hinder analysis, are also being used to spread new malware strains such as Aresloader, Canyon, CargoBay, DICELOADER, Lumma C2, Matanbuchus, Minodo (formerly Domino), Pikabot, SVCReady, and Vidar.

“Previously, these crypters were primarily used by core malware families associated with ITG23 and its close partners,” said security researchers Charlotte Hammond and Ole Villadsen. “However, the split in ITG23 and the emergence of new factions, affiliations and methods are affecting how the crypters are used.”

Despite the dynamic nature of the cybercriminal ecosystem, in which threat actors come and go as some partner up, shut down, or rebrand, ransomware continues to be an ongoing threat.

This includes the emergence of a new Ransomware as a Service (RaaS) group called Rhysida. The group primarily targets the education, government, manufacturing and technology sectors in Western Europe, the Americas and Australia.

“Rhysida is a 64-bit Portable Executable (PE) Windows cryptographic ransomware application compiled using MINGW/GCC,” SentinelOne states in a technical write-up. “In each sample analyzed, the program name of the application was set to Rhysida-0.1, suggesting that the tool is in the early stages of development.”
