A sophisticated ransomware campaign is targeting Windows system administrators by utilizing fake download sites for popular utilities Putty and WinSCP. These utilities, essential for secure file transfers and remote access, are promoted through search engine advertisements, making them prime targets for cybercriminals aiming to infiltrate and compromise entire networks.
The use of search engine advertisements to distribute malware has become increasingly prevalent, with numerous threat actors exploiting this method to target popular software.
Typosquatting and Fake Domains
According to a report by Rapid7, the campaign involves search engine ads that appear when users search for “download WinSCP” or “download Putty.” These ads direct users to typosquatting domains such as puutty.org, wnscp[.]net, and vvinscp[.]net. These domains mimic the legitimate site for WinSCP (winscp.net) and an unaffiliated site for PuTTY (putty.org), which is often mistaken as the official site. The genuine PuTTY site is actually hosted here.
Malicious Downloads and DLL Sideloading
The fake sites provide download links that either redirect users to legitimate sites or deliver a ZIP archive from the threat actor's server, depending on the referral source. The ZIP archive contains a Setup.exe file, a renamed legitimate Python for Windows executable (pythonw.exe), and a malicious python311.dll file. When executed, the legitimate pythonw.exe attempts to load the python311.dll. However, the threat actors have replaced this DLL with a malicious version that gets loaded instead, a technique known as DLL Sideloading. This process ultimately installs the Sliver post-exploitation toolkit, which is commonly used for initial access into corporate networks.
Deployment of Further Payloads
Rapid7's investigation reveals that the Sliver toolkit is then used to deploy additional malicious payloads, including Cobalt Strike beacons. These tools enable the attackers to exfiltrate data and attempt to deploy ransomware encryptors. Although Rapid7 has not disclosed extensive details about the ransomware used, the tactics observed are reminiscent of campaigns involving the now-defunct BlackCat/ALPHV ransomware. In one incident, the threat actor used the backup utility Restic for data exfiltration before attempting to deploy ransomware, which was ultimately thwarted.
More Details about the Ransomware Campaign
Rapid7 has observed the campaign disproportionately affects members of IT teams, who are most likely to download the trojanized files while looking for legitimate versions. The infection chain typically begins after a user searches for a phrase such as “download winscp” or “download putty” on a search engine like Microsoft's Bing. The infection begins after the user has downloaded and extracted the contents of the zip archive and executed setup.exe, which is a renamed copy of pythonw.exe, the legitimate Python hidden console window executable.
The primary payload contained within python311.dll is a compressed archive encrypted and included within the DLL's resource section. During execution, this archive is unpacked to execute two child processes. The script systemd.py, executed via pythonw.exe, decrypts and executes a second Python script then performs decryption and reflective DLL injection of a Sliver beacon. Reflective DLL injection is the process of loading a library into a process directly from memory instead of from disk.
Threat Actors act Quickly
Rapid7 says the threat actor take quick action upon successful contact with the Sliver beacon, downloading additional payloads, including Cobalt Strike beacons. The access is then used to establish persistence via scheduled tasks and newly created services after pivoting via SMB. In a recent incident, Rapid7 observed the threat actor attempt to exfiltrate data using the backup utility Restic, and then deploy ransomware, an attempt which was ultimately blocked during execution.
The related techniques, tactics, and procedures (TTP) observed by Rapid7 are reminiscent of past BlackCat/ALPHV campaigns as reported by Trend Micro last year. Rapid7 recommends verifying the download source of freely available software. Check that the hash of the downloaded file(s) match those provided by the official distributor and that they contain a valid and relevant signature. DNS requests for permutations of known domains can also be proactively blocked or the requests can be redirected to a DNS sinkhole.
Rapid7 also noticed that impacted users are disproportionately members of information technology (IT) teams who are more likely to download installers for utilities like PuTTY and WinSCP for updates or setup. When the account of an IT member is compromised, the threat actor gains a foothold with elevated privileges which impedes analysis by blending in their actions.
