BlackCat ransomware uses new malvertising technique to infect devices (July 12, 2023)

Ref# AL2023_57 | Date: Jul 12th 2023


The BlackCat ransomware group (ALPHV) has been seen using malvertising campaigns to lure targets and compromise their devices with malware.


Advertising platforms such as Google Ads, Microsoft Bing Ads and social media networks let businesses target audiences with advertisements to boost traffic and sales. Threat actors abuse the same functionality by bidding on search keywords for popular software so that malicious ads are displayed on the search engine results page and trick users into downloading malware. This is called malvertising.

During a recent investigation, researchers at Trend Micro observed ALPHV using malvertising to distribute malware through cloned webpages of legitimate organizations and software. In this case the threat actors impersonated the well-known WinSCP file transfer client and used a fake copy of its installer to deliver their malware.

Malicious ads for the WinSCP download were displayed above the organic results in the Microsoft Bing search engine. The ad leads to a suspicious website that gives a tutorial on using the WinSCP file transfer tool. From that first page the user is redirected to a cloned WinSCP download page hosted on the lookalike domain winsccp[.]com, a typosquat of the legitimate WinSCP site. The original website has the URL. Clicking the Download button fetches an ISO file from a compromised WordPress site, hxxps://events.drdivyaclinic[.]com; the researchers noted that the final payload URL was later changed to the file-sharing service 4shared. The ISO file contains two files:

  1. Setup.exe, a renamed copy of the legitimate Windows Installer executable msiexec.exe.
  2. msi.dll, a delay-loaded DLL that the renamed msiexec.exe picks up from its own directory instead of the system copy (DLL side-loading). It acts as a dropper for a real WinSCP installer and for a malicious Python execution environment that downloads Cobalt Strike beacons.

When Setup.exe runs, it loads msi.dll, which extracts a python folder from the RCDATA resource section of the DLL, together with a genuine WinSCP installer so that the victim sees the installation they expected. Two Python 3.10 installations are created: a legitimate one in %LOCALAPPDATA%\Python-3.10.10 and a second one in %Public%\Music\python that contains a trojanized python310.dll. Finally, msi.dll establishes persistence by creating a registry entry named Python that launches pythonw.exe from the newly created folder C:\Users\Public\Music\python. That pythonw.exe loads the trojanized python310.dll, which is essentially a Cobalt Strike beacon that connects to the command-and-control (C2) server 167[.]88[.]164[.]141.
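The chain above maps directly onto a handful of endpoint hunting rules: a process whose PE original file name is msiexec.exe running under another name, msi.dll loaded from outside the Windows system directories, an autostart entry named Python pointing into %Public%\Music\python, python310.dll loaded from that folder, and a connection to the beacon's C2 address. The Python script below is an added example written for this alert; it is not code from the advisory or from Trend Micro. It runs those rules over constructed Sysmon-style event records. The records, their field names and the use of the HKCU Run key as the location of the "Python" entry are assumptions; the paths, file names and C2 address are the ones described above.

```python
"""Hunt for the WinSCP/BlackCat infection chain over Sysmon-style events.

Added example (not from the advisory or from Trend Micro). The events below are
constructed sample telemetry: the field names are modelled on Sysmon but are an
assumption, as is the HKCU Run key as the location of the "Python" entry.
The paths, file names and the C2 address come from the advisory text.
"""
from pathlib import PureWindowsPath

C2_IP = "167.88.164.141"                                        # beacon C2 from the advisory
STAGING_DIR = PureWindowsPath(r"C:\Users\Public\Music\python")  # trojanized Python location
SYSTEM_DIRS = (PureWindowsPath(r"C:\Windows\System32"),
               PureWindowsPath(r"C:\Windows\SysWOW64"))         # where a genuine msi.dll lives

# Constructed sample events: pid 4120 is the ISO's Setup.exe, pid 5316 the
# persisted pythonw.exe; pids 700 and 9001 are benign noise.
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 4120, "image": r"D:\Setup.exe",
     "original_file_name": "msiexec.exe"},
    {"event": "image_load", "pid": 4120, "image": r"D:\Setup.exe",
     "image_loaded": r"D:\msi.dll"},
    {"event": "registry_set", "pid": 4120,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Python",
     "details": r"C:\Users\Public\Music\python\pythonw.exe"},
    {"event": "image_load", "pid": 5316,
     "image": r"C:\Users\Public\Music\python\pythonw.exe",
     "image_loaded": r"C:\Users\Public\Music\python\python310.dll"},
    {"event": "network_connect", "pid": 5316,
     "image": r"C:\Users\Public\Music\python\pythonw.exe",
     "dest_ip": "167.88.164.141", "dest_port": 443},
    {"event": "process_create", "pid": 700, "image": r"C:\Windows\System32\msiexec.exe",
     "original_file_name": "msiexec.exe"},
    {"event": "image_load", "pid": 700, "image": r"C:\Windows\System32\msiexec.exe",
     "image_loaded": r"C:\Windows\System32\msi.dll"},
    {"event": "image_load", "pid": 9001,
     "image": r"C:\Users\alice\AppData\Local\Python-3.10.10\pythonw.exe",
     "image_loaded": r"C:\Users\alice\AppData\Local\Python-3.10.10\python310.dll"},
]


def _name(path: str) -> str:
    """Case-folded final component of a Windows file path or registry path."""
    return PureWindowsPath(path).name.lower()


def _under(path: str, parent: PureWindowsPath) -> bool:
    """True if path lies inside parent (case-insensitive, as NTFS is)."""
    return str(PureWindowsPath(path)).lower().startswith(str(parent).lower() + "\\")


def hunt(events):
    """Return (rule, pid, evidence) tuples for events matching the chain."""
    findings = []
    for e in events:
        kind = e["event"]
        if kind == "process_create":
            # Rule 1: PE original file name says msiexec.exe but it runs under another name
            renamed = (e.get("original_file_name", "").lower() == "msiexec.exe"
                       and _name(e["image"]) != "msiexec.exe")
            if renamed:
                findings.append(("renamed_msiexec", e["pid"], e["image"]))
        elif kind == "image_load":
            loaded = e["image_loaded"]
            # Rule 2: msi.dll resolved from outside the system directories -> side-loaded dropper
            if _name(loaded) == "msi.dll" and not any(_under(loaded, d) for d in SYSTEM_DIRS):
                findings.append(("msi_dll_sideload", e["pid"], loaded))
            # Rule 3: python310.dll loaded from the %Public%\Music\python staging directory
            if _name(loaded) == "python310.dll" and _under(loaded, STAGING_DIR):
                findings.append(("trojanized_python310", e["pid"], loaded))
        elif kind == "registry_set":
            # Rule 4: autostart entry named "Python" that points into the staging directory
            if _name(e["target"]) == "python" and _under(e["details"], STAGING_DIR):
                findings.append(("python_persistence", e["pid"], e["details"]))
        elif kind == "network_connect":
            # Rule 5: outbound connection to the beacon's C2 address
            if e.get("dest_ip") == C2_IP:
                findings.append(("cobalt_strike_c2", e["pid"], e["dest_ip"]))
    return findings


def suspicious_pids(events, min_rules=2):
    """Processes that trip at least min_rules distinct rules: the highest-confidence hits."""
    by_pid = {}
    for rule, pid, _ in hunt(events):
        by_pid.setdefault(pid, set()).add(rule)
    return sorted(pid for pid, rules in by_pid.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
    print("high-confidence pids:", suspicious_pids(SAMPLE_EVENTS))
```

On a real endpoint the same five rules correspond to Sysmon Event ID 1 (process creation, which records OriginalFileName), Event ID 7 (image loaded), Event ID 13 (registry value set) and Event ID 3 (network connection). Rules 1 and 2 are the durable ones: the staging path and C2 address can change between campaigns, while a renamed msiexec.exe side-loading msi.dll from a removable or temporary location is the technique itself.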

A Cobalt Strike beacon on a compromised device gives the threat actors an interactive foothold from which they can execute scripts, fetch additional tools, and install further malware. What follows depends on ALPHV's objectives, which usually involve gathering useful information from the compromised environment with a range of tools before deploying the BlackCat ransomware. Tools the researchers observed ALPHV using include:

  • AdFind: command-line tool used to retrieve Active Directory (AD) information.
  • PowerShell commands: used for gathering user data, extracting ZIP files, and executing scripts.
  • AccessChk64: command-line tool used for user and group permission reconnaissance.
  • Findstr: command-line tool used to search for passwords inside XML files.
  • PowerView: PowerSploit script used for AD reconnaissance and enumeration.
  • Python scripts: used to run the LaZagne password recovery tool and to obtain Veeam credentials.
  • PsExec, BitsAdmin, and curl: used for lateral movement.
  • AnyDesk: legitimate remote management tool abused to maintain persistence.
  • KillAV BAT script: used to disable or bypass antivirus and antimalware programs.
  • PuTTY Secure Copy client (pscp): used to exfiltrate the collected information from the breached system.

ALPHV also makes use of a tool called Terminator, offered by a threat actor known as SpyBoy. The researchers stated that the tool can bypass and disable Endpoint Detection and Response (EDR) and antivirus solutions. It does so by loading a legitimately signed but vulnerable kernel driver and using it to terminate security processes (a bring-your-own-vulnerable-driver technique), so vulnerable-driver blocklisting and alerting on unexpected driver loads are the relevant defences.

Indicators of Compromise 

Please see the linked report for a list of IoCs, including file hashes for the BlackCat ransomware and the malicious WinSCP files, distribution and redirect URLs, and Cobalt Strike beacon URLs and IP addresses:


To protect against ransomware attacks such as BlackCat, practise proper cyber security hygiene when using the internet. Tips to consider:

  1. Be wary of files downloaded from the internet. In this case ALPHV used a fake website to deliver the WinSCP file. Learn to identify authentic websites: check the URL for misspellings and lookalike domains (winsccp[.]com in this campaign), and compare the design and images, since fake websites copy the original but there are often slight differences. Note that the padlock in the address bar only means the connection is encrypted; malicious sites obtain valid certificates too, so it is not proof of authenticity. Verify a site through the vendor's official business pages or social media where possible, prefer the organic search result over a sponsored result placed above it, and download software only from the vendor's own site or a trusted package source. Scan every downloaded file, and treat an ISO file offered as a software installer with particular suspicion.
  2. Avoid downloading torrents and pirated software, as these are frequently bundled with malware.
  3. Be wary of emails with suspicious attachments, as these may be malicious.
  4. Because most ransomware attacks are delivered through phishing and scams, educate users on how to spot phishing and scam emails.
  5. Maintain regular, offline or otherwise isolated backups of critical systems and data so that a ransomware attack does not result in permanent data loss.
  6. Maintain and update all security software, including antivirus, anti-malware, firewalls, and endpoint protection.

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.

PDF Download: BlackCat ransomware uses new malvertising technique to infect devices.pdf