Malvertising Campaign Targets Windows Administrators Using PuTTy and WinSCP – SOCRadar® Cyber Intelligence Inc.

Malvertising campaigns are distributing trojanized PuTTY and WinSCP installers by abusing online ad networks and fake download sites, targeting Windows administrators. The attackers use typosquatted domains and deceptive search ads to deliver ransomware and steal data, showing that even essential admin tools make attractive lures. #PuTTY #WinSCP #typosquatting #malvertising #Rapid7 #SOCRadar

Keypoints

  • Malvertising distributes malware by embedding malicious ads in legitimate online advertising networks.
  • Windows administrators using PuTTY and WinSCP are targeted due to the tools’ popularity for SSH and file transfers.
  • Attackers infiltrate ad networks and create deceptive ads that either redirect users to infected sites or download malware directly onto their devices.
  • Recent campaigns use fake download sites on typosquatted domains, surfaced through search-result ads, to lure victims into downloading trojanized installers.
  • Once executed, the trojanized installers deploy ransomware and can exfiltrate sensitive data.
  • Users face ransomware, trojans, spyware, and potential credential theft.
  • Defensive measures include robust security software, timely software updates, ad blockers, cautious browsing, and avoiding suspicious ads; in practice this also means checking that a download host is the vendor's official site rather than trusting a sponsored search result.

MITRE Techniques

  • [T1189] Drive-by Compromise – Malvertising campaigns infiltrate ad networks to distribute malware. ‘The malicious ads contain hidden code that either redirects users to infected websites or directly downloads malware onto their devices.’ [translated quote in English]
  • [T1036] Masquerading – Fake websites mimicking legitimate software download pages, using typosquatting domains to make them appear genuine. ‘Users searching for PuTTY or WinSCP download pages are directed to these malicious sites via online search result ads.’ [translated quote in English]
  • [T1204] User Execution – Users download trojanized installers from fake sites and run them, leading to compromise. ‘Upon downloading and extracting the .ZIP files posing as legitimate downloads from these mimic sites, a user can become compromised.’ [translated quote in English]
  • [T1486] Data Encrypted for Impact – Trojanized installers deploy ransomware that encrypts files and disrupts operations. ‘These trojanized installers contain malicious payloads that, once executed, deploy ransomware and extract sensitive data from the affected systems.’ [translated quote in English]
  • [T1041] Exfiltration Over C2 Channel – Infections may involve extracting sensitive data from affected systems; the article does not specify the exfiltration channel. ‘…and extract sensitive data from the affected systems.’ [translated quote in English]
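The typosquatted download domains described in the keypoints and under T1036 above can be hunted for in DNS or web-proxy logs by comparing each requested host against the impersonated brand names. The following Python script is an added example, not code from the SOCRadar or Rapid7 write-ups; the sample log lines, the lookalike hosts under `.example`, and the allowlist of official download hosts are constructed assumptions, not indicators taken from the article.

```python
"""Flag look-alike (typosquat) domains for PuTTY and WinSCP in proxy/DNS logs.

Added example; the log lines and the *.example hosts below are constructed.
"""
import re
from urllib.parse import urlsplit

# Brand tokens the campaign impersonates.
BRANDS = ("putty", "winscp")

# Assumption: hosts your organisation considers the vendors' official download
# sources. Anything else that carries or resembles a brand name is flagged.
ALLOWED_HOSTS = {"www.chiark.greenend.org.uk", "winscp.net", "www.winscp.net"}

# Common look-alike substitutions folded back to the intended character(s).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "vv": "w", "rn": "m"}

# Maximum edit distance between a DNS label and a brand to count as a look-alike.
MAX_DISTANCE = 2


def normalize(label: str) -> str:
    """Fold homoglyph substitutions so e.g. 'vvinscp' becomes 'winscp'."""
    s = label.lower()
    for bad, good in HOMOGLYPHS.items():
        s = s.replace(bad, good)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (iterative DP, O(len(a)*len(b)))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def lookalike_score(host: str):
    """Return (brand, distance) for the closest brand among the host's labels, else None.

    A label that merely contains the brand ('putty-download') is treated as
    distance 1 so it is flagged even when it is much longer than the brand.
    """
    best = None
    for label in host.lower().split("."):
        norm = normalize(label)
        for brand in BRANDS:
            d = edit_distance(norm, brand)
            if brand in norm and norm != brand:
                d = min(d, 1)
            if d <= MAX_DISTANCE and (best is None or d < best[1]):
                best = (brand, d)
    return best


def flag_suspicious(log_lines):
    """Return [(host, brand, distance)] for requests to non-allowlisted look-alike hosts."""
    hits = []
    for line in log_lines:
        m = re.search(r"https?://\S+", line)
        if not m:
            continue
        host = urlsplit(m.group(0)).hostname or ""
        if host in ALLOWED_HOSTS:
            continue
        score = lookalike_score(host)
        if score:
            hits.append((host, score[0], score[1]))
    return hits


# Constructed proxy log lines: timestamp, client IP, method, URL, status.
SAMPLE_LOG = [
    "2024-05-20T10:14:02Z 10.1.2.3 GET https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html 200",
    "2024-05-20T10:15:11Z 10.1.2.3 GET https://winscp.net/eng/download.php 200",
    "2024-05-20T10:17:40Z 10.1.2.9 GET https://puttyy.example/download/putty-installer.zip 200",
    "2024-05-20T10:18:05Z 10.1.2.9 GET https://vvinscp.example/WinSCP-Setup.zip 200",
    "2024-05-20T10:19:30Z 10.1.2.4 GET https://news.example.com/article 200",
    "2024-05-20T10:21:12Z 10.1.2.7 GET https://cdn.wnscp.example/setup.zip 200",
]

if __name__ == "__main__":
    for host, brand, dist in flag_suspicious(SAMPLE_LOG):
        print(f"SUSPECT host={host} impersonates={brand} distance={dist}")
```

The allowlist is checked before scoring so the real vendor hosts never trip the detector; everything else that looks like or contains a brand token is surfaced for review. Tune `MAX_DISTANCE` and `HOMOGLYPHS` to your own false-positive tolerance, and feed the function real proxy or DNS exports instead of the constructed lines.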

Indicators of Compromise

  • None listed in the article – no sample domains, hashes, or IP addresses are provided.

Read more: https://socradar.io/malvertising-campaign-targets-windows-administrators-using-putty-and-winscp/