Ransomware group BlackCat (also known as ALPHV) is using Google and Bing search ads promoting a well-known file-transfer app as a lure to drop malicious payloads and infect corporate networks with malware.
The malvertising campaign directs anyone who clicks on the malicious ads to a spoofed download page for WinSCP, a popular open-source Windows application used to copy files between a local computer and remote servers using a range of transfer protocols.
In a June 30 research report, Trend Micro researchers Lucas Silva, RonJay Caragay, Arianne Dela Cruz and Gabriel Cardoso outlined how Trend Micro worked with a victim that was compromised through the campaign.
The report describes the range of tools, techniques and procedures (TTPs) deployed during the attack – including legitimate and illegitimate tools, scripts and commands – and how, in another investigation, they identified similar TTPs leading to a BlackCat infection.
In the first case, the threat attacker was successfully removed from the victim’s network, but not before they gained and abused top-level administrator privileges, attempted to establish persistence and planted backdoor access to the network using remote management tools including AnyDesk. Next, adversaries attempted to steal passwords and access backup servers.
“It is highly likely that the enterprise would have been substantially affected by the attack if intervention had been sought later, especially since the threat actors had already succeeded in gaining initial access to domain administrator privileges and started establishing backdoors and persistence,” the researchers said.
How ads led to compromise
WinSCP is a useful tool for IT professionals, especially system administrators and web administrators, making it an ideal bate to use to attract victims with access to the type of corporate networks BlackCat seeks to target.
“The infection starts once the user searches for ‘WinSCP Download’ on the Bing search engine. A malicious ad for the WinSCP application is displayed above the organic search results. The ad leads to a suspicious website containing a tutorial on how to use WinSCP for automating file transfer,” the researchers said.
Users are then directed to a cloned WinSCP download webpage at winsccp[.]com – an address similar to the legitimate WinSCP site, winscp.net – where they are prompted to download a malicious ISO file.
The ISO contains two files: setup.exe, a renamed msiexec.exe executable, and msi.dll, a delayed-loaded DLL that acts as a dropper for a real WinSCP installer plus a malicious Python execution environment that downloads Cobalt Strike beacons.
The attacker’s toolkit
Cobalt Strike is a red team penetration testing tool used in attack simulations. Cracked versions of the tool have become increasingly popular with threat actors.
Other tools used in the attack included AdFind, which is used to retrieve and display information from Active Directory environments. “In the hands of a threat actor, AdFind can be misused for enumeration of user accounts, privilege escalation, and even password hash extraction,” Trend Micro’s report said.
“We also observed that the threat actor used AccessChk64, a command-line tool developed by Sysinternals that is primarily used for checking the security permissions and access rights of objects in Windows. Although the threat actor’s purpose for using the tool in this instance is not clear, it should be noted that the tool can be used for gaining insights on what permissions are assigned to users and groups, as well as for privilege escalation and the identification of files, directories, or services with weak access control settings.”
The attackers used Windows command-line tool findstr to search for a specific string within XML files on the compromised system.
“It is possible that the purpose of this command is to identify any XML files that contain the string cpassword. This is interesting from a security context since cpassword is associated with a deprecated method of storing passwords in Group Policy Preferences within AD,” the researchers said.
PowerShell was used to execute scripts, including PowerView, part of the PowerSploit collection of penetration testing scripts used by threat actors to gather information about Active Directory environments.
Command-line tools PsExec, BitsAdmin, and curl were used to download additional tools and to move laterally across the environment.
KillAV BAT script was used in an unsuccessful attempt to disable or bypass antivirus or antimalware programs installed on the system, and the threat actor installed AnyDesk in a bid to maintain persistence.
Similar TTPs point to BlackCat
In Trend Micro’s subsequent investigation, where similar TTPs led to the identification of a BlackCat infection, the researchers said additional tools were also used.
“Along with other types of malware and tools already mentioned, we were able to identify the use of the anti-antivirus or anti-endpoint detection and response (EDR) SpyBoy Terminator in an attempt to tamper with protection provided by agents,” they wrote.
“In order to exfiltrate the customer data, the threat actor used PuTTY Secure Copy client (PSCP) to transfer the gathered information. Investigating one of the C&C (command-and-control) domains used by the threat actor behind this infection also led to the discovery of a possible related Cl0p ransomware file.” (The Clop ransomware group was responsible for the recent MOVEit Transfer attacks.)
A Twitter user posted that a malvertising campaign with similar TTPs used ads for AnyDesk, rather than WinSCP, as the lure.
Trend Micro has published known indicators of compromise for the attacks.
“In recent years, attackers have become increasingly adept at exploiting vulnerabilities that victims themselves are unaware of and have started employing behaviors that organizations do not anticipate,” the researchers wrote.
“In addition to a continuous effort to prevent any unauthorized access, early detection and response within an organization’s network is critical. Immediacy in remediation is also essential, as delays in reaction time could lead to serious damage.”