In early March 2024, Rapid7 uncovered a campaign distributing trojanized installers for the legitimate utilities WinSCP and PuTTY, targeting IT professionals through their search habits. The malicious downloads are spread via ads on popular search engines that direct users to lookalike websites. The threat actors behind the campaign remain unidentified; the analysis has produced new indicators of compromise and detection rules.
Affected: WinSCP, PuTTY, IT Sector
Keypoints:
- Campaign identified in early March 2024 by Rapid7.
- Malicious trojanized installers are for the utilities WinSCP and PuTTY.
- Distribution through malicious ads on popular search engines.
- Targeting IT team members who search for legitimate downloads.
- Infection chain starts with deceptive search results leading to malicious downloads.
- Six malicious domains identified and blocked by Infoblox before OSINT availability.
- Malware grants elevated access and obfuscates administrative actions.
- Threat actors remain unknown, but analysis includes new IOCs and detection rules.
- Infoblox's early detection shows a significant response-time advantage over waiting for the indicators to appear in OSINT.
- Recommendations for organizations to assess their security posture.
MITRE Techniques:
- Resource Development – Acquire Infrastructure: Malvertising (T1583.008): Ads are used to promote malware delivery via popular search engines.
- Initial Access – Drive-by Compromise (T1189): The user clicks on a malicious ad and is redirected to malware-hosting pages.
- Execution – Native API (T1106): Malware dynamically resolves and executes functions from ntdll.dll at runtime.
- User Execution: Malicious File (T1204.002): The user downloads and executes a trojanized setup file, which loads malicious DLLs.
- Command and Scripting Interpreter: Python (T1059.006): Malware executes a Python script to load and execute a Sliver beacon.
- Persistence – Create or Modify System Process: Windows Service (T1543.003): A service is created to execute a C2 beacon.
- Scheduled Task/Job: Scheduled Task (T1053.005): A scheduled task is created to execute a C2 beacon.
- Defense Evasion – Deobfuscate/Decode Files or Information (T1140): The malware uses string manipulation techniques.
- Process Injection: Dynamic-link Library Injection (T1055.001): The malware loads a DLL via a Python script.
- Exfiltration – Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002): Attempts to exfiltrate data using a backup utility.
- Impact – Data Encrypted for Impact (T1486): Ransomware deployment attempted after data exfiltration.
Indicators of Compromise:
- Domain: puttyy[.]org
- Domain: puutty[.]org (Zero Day DNS)
- Domain: putyy[.]org
- Domain: vvinscp[.]net
- Domain: winnscp[.]net
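The five domains above are all one or two edits away from putty.org and winscp.net, or swap visually confusable characters (vv for w). The following added example, which is not code from Rapid7 or Infoblox, scans constructed DNS query log lines for lookalikes of those two domains; the legitimate domain list, the edit-distance threshold, the confusable table and the log format are assumptions for illustration.

```python
"""Flag DNS query log lines for lookalike domains of legitimate download sites."""
import re

LEGIT_DOMAINS = ("putty.org", "winscp.net")  # brands to protect (assumption)
MAX_DISTANCE = 2  # edit distance at or below this counts as a lookalike (assumption)
CONFUSABLES = {"vv": "w", "rn": "m", "cl": "d", "0": "o", "1": "l"}  # folded before comparing
# Constructed sample log; the hostname after query= is what the detector inspects.
SAMPLE_LOG = """\
2024-03-05T10:12:03Z client=10.0.0.15 query=www.putty.org type=A
2024-03-05T10:12:09Z client=10.0.0.15 query=puutty.org type=A
2024-03-05T10:13:41Z client=10.0.0.22 query=vvinscp.net type=A
2024-03-05T10:14:02Z client=10.0.0.22 query=winnscp.net type=A
2024-03-05T10:15:30Z client=10.0.0.31 query=example.com type=A
"""
QUERY_RE = re.compile(r"client=(\S+) .*query=(\S+)")

def normalize(name: str) -> str:
    """Lower-case and fold confusable sequences so 'vvinscp' compares as 'winscp'."""
    out = name.lower()
    for src, dst in CONFUSABLES.items():
        out = out.replace(src, dst)
    return out

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a rolling single-row DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(qname: str):
    """Return the legitimate domain qname imitates, or None if it is genuine or unrelated."""
    regdom = ".".join(qname.lower().rstrip(".").split(".")[-2:])  # registrable part (assumes 2 labels)
    if regdom in LEGIT_DOMAINS:
        return None  # the real site or one of its own subdomains
    best = min(LEGIT_DOMAINS, key=lambda legit: edit_distance(normalize(regdom), normalize(legit)))
    return best if edit_distance(normalize(regdom), normalize(best)) <= MAX_DISTANCE else None

def flag_queries(log_text: str) -> list:
    """Return (client, queried name, imitated domain) for every lookalike query in the log."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and (target := lookalike_of(m.group(2))):
            hits.append((m.group(1), m.group(2), target))
    return hits
```

Running `flag_queries(SAMPLE_LOG)` reports the puutty.org, vvinscp.net and winnscp.net queries with the clients that made them, while the genuine www.putty.org query and the unrelated domain pass.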