The BlackCat ransomware group (ALPHAV) was seen utilizing malvertising campaigns to lure targets and compromise their devices with malware.
Advertising platforms available on Google Ads, Microsoft Bing and social media enable businesses to target audiences with advertisements to boost traffic and sales. However, threat actors can abuse this functionality by hijacking certain search keywords to display malicious ads on search engines that ultimately tricks users into downloading malware. This is called malvertising.
Recently during an investigation, researchers at Trend Micro discovered ALPHAV using malvertising to distribute malware via cloned webpages of legitimate organizations and software. In this case, the threat actors were using the well-known WinSCP file transfer installer to distribute their malware.
Malicious ads for the WinSCP download were displayed above organic results in the Microsoft Bing search engine. The ad leads to a suspicious website that gives a tutorial on using the WinSCP file transfer tool. From the first page, the user is then redirected to a cloned download webpage of WinSCP (winsccp[.]com). The original website has the URL https://winscp.net/. Clicking on the Download button downloads an ISO file from an infected WordPress site hxxps://events.drdivyaclinic[.]com. However, the researchers stated that the final payload URL was changed recently to the file-sharing service 4shared. The ISO file contains two files:
After Setup.exe is executed, it will call the msi.dll that extracts a python folder from RCDATA section of the dll file, containing a real installer for the WinSCP application. Two installations of python 3.10 will be created, a legitimate installation in %AppDataLocal%Python-3.10.10 and an installation in %Public%Musicpython containing a trojanized python310.dll file. Finally, msi.dll creates persistence by creating a registry key named Python which calls an executable in created folder C:UsersPublicMusicpython named pythonw.exe. The executable pythonw.exe is responsible for loading the trojanized python310.dll file, which is essentially a Cobalt Strike beacon that connects to the C2 (command and control) server 167[.]88[.]164[.]141.
Installing a Cobalt Strike beacon onto a compromised device grants the threat actors a lot of freedom for executing scripts, fetching tools, and installing malware. It depends on the motive of ALPHAV, which mostly revolves around retrieving any useful information from the compromised devices using various tools and then deploying the BlackCat ransomware. Some of the tools the researchers found utilized by ALPHAV are:
ALPHAV also makes use of the tool called Terminator from a threat actor known as SpyBoy. Researchers stated the tool can bypass and disabling Endpoint Detection and Response (EDR) solutions and antivirus solutions.
Indicators of Compromise
Please see the link for a list of IOCs including file hashes for the BlackCat ransomware, distribution, and redirect URLs, malicious WinSCP file hashes, cobalt strike beacon URLs and IP addresses:
To protect yourself against ransomware attacks such as BlackCat, it is recommended to practice proper cyber security hygiene when navigating the internet. Here are some tips to consider:
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.