Malvertising Used as Entry Vector for BlackCat Actors Also Leverage SpyBoy Terminator

Trend Micro investigated a malvertising campaign that lured users to a cloned WinSCP download page which delivered an ISO that deployed a trojanized Python environment and Cobalt Strike beacons, enabling AD discovery, credential theft, persistence, and lateral movement. The same TTPs were observed in an incident linked to a BlackCat (ALPHV) infection and the actors attempted to tamper with defenses using the SpyBoy terminator. #BlackCat #SpyBoy

Key points

  • Initial access via malvertising: malicious ads for legitimate apps (e.g., WinSCP) redirected users to cloned download pages that served an ISO.
  • The ISO contained setup.exe (renamed msiexec.exe) and msi.dll; msi.dll acted as a dropper extracting a Python environment and a real installer.
  • Two Python installs were created: a legitimate copy in %AppDataLocal% and a trojanized copy in %Public%\Music\python containing a malicious python310.dll and pythonw.exe, with persistence through a Run key pointing at pythonw.exe.
  • Trojanized Python loaded an obfuscated Cobalt Strike beacon that contacted multiple C2 servers (IP and domain-based endpoints) and used in-memory execution via marshal-compiled scripts.
  • Post-compromise activity included AD enumeration (AdFind, PowerView, Get-ADUser), credential theft using LaZagne, remote execution (WMI, PsExec), lateral movement, and exfiltration via PSCP.
  • Actors attempted to disable endpoint protections with KillAV scripts and the SpyBoy terminator; attempts to stop some defenses failed due to agent self-protection.
  • Observed activity led to a BlackCat (ALPHV) infection in a related case and artifacts possibly tied to Cl0p ransomware were found on a C2 domain.

MITRE Techniques

  • [T1204.002] User Execution: Malicious Link – initial access via a malicious ad and cloned download page: ‘A malicious ad for the WinSCP application is displayed… the user selects the “Download” button, an ISO file is downloaded.’
  • [T1189] Drive-by Compromise – web-based delivery and weaponization through malvertising and cloned sites: ‘malvertising for the WinSCP application that leads to a malicious website.’
  • [T1105] Ingress Tool Transfer – transfer of installer files and payloads (ISO, setup.exe, msi.dll, Python packages): ‘an ISO file is downloaded… it contains two files, setup.exe and msi.dll.’
  • [T1547.001] Registry Run Keys/Start Folder – persistence via a Run key named “Python”: ‘create a persistence mechanism to make a run key named “Python” and the value C:\Users\Public\Music\python\pythonw.exe.’
  • [T1059.001] Command and Scripting Interpreter: PowerShell – remote and local execution of PowerShell reconnaissance and helper scripts: ‘IEX (New-Object Net.Webclient).DownloadString(‘hxxp://127[.]0[.]0[.]1:40347/’); Invoke-FindLocalAdminAccess -Thread 50.’
  • [T1555] Credentials from Password Stores – credential theft using LaZagne executed via pseudo-compiled Python code: ‘execute a pseudo-compiled code for LaZagne.’
  • [T1087] Account Discovery – AD enumeration using AdFind and Get-ADUser to list computers and users: ‘adfind.exe -f objectcategory=computer -csv name cn OperatingSystem dNSHostName’ and ‘Get-ADUser -Filter * -Properties * | Select … | Export-CSV “C:\users\public\music\ADusers.csv”’
  • [T1047] Windows Management Instrumentation – remote process creation via WMI/wmic to launch Python-based beacons: ‘wmic /NODE:”” process call create C:\users\public\videos\python\pythonw.exe C:\users\public\videos\python\work2-2.py.’
  • [T1041] Exfiltration Over C2 Channel – use of PSCP to transfer gathered data offsite: ‘used PuTTY Secure Copy client (PSCP) to transfer the gathered information.’
  • [T1562.001] Impair Defenses: Disable or Modify Tools – attempts to disable/evade endpoint protections using KillAV scripts and the SpyBoy terminator: ‘dropped a detailed KillAV BAT script… attempts to stop Windows Defender’ and use of ‘SpyBoy terminator’.

Indicators of Compromise

  • [Domain] Malicious download/redirect sites – winsccp[.]com (cloned WinSCP site), events.drdivyaclinic[.]com (ISO host)
  • [IP / C2] Beacon and payload C2 endpoints – 167[.]88[.]164[.]141 (beacon contact), hxxps://167.88.164.40/python/pp2 and hxxps://172.86.123.127:8443/work2z (other C2s)
  • [File names] Delivered and dropped files – setup.exe (renamed msiexec.exe), msi.dll (dropper), pythonw.exe / python310.dll (trojanized Python runtime)
  • [Scripts & tools] Tools observed in environment – AdFind.exe (AD enumeration), AccessChk64 (permissions), LaZagne (credential recovery), AnyDesk renamed install.exe (remote persistence)
  • [Scheduled tasks / registry] Persistence artifacts – Run key ‘Python’ → C:\Users\Public\Music\python\pythonw.exe, multiple scheduled tasks executing Python scripts

Malvertising redirected users searching for legitimate software (e.g., “WinSCP Download”) to a cloned site that delivered an ISO. When mounted, the ISO contained setup.exe (a renamed msiexec.exe) and msi.dll; the DLL unpacked a Python folder and installed two Python environments: a legitimate one in %AppDataLocal% and a trojanized one in %Public%\Music\python with a malicious python310.dll and pythonw.exe. It also created a Run key named “Python” for persistence.

The trojanized Python runtime loaded an obfuscated Cobalt Strike beacon that contacted multiple C2 endpoints (e.g., 167.88.164.141 and domain/IP-based C2 URLs listed in the article). Operators used marshal-based pseudo-compiled Python scripts, scheduled tasks, WMI remote process creation, PsExec, BitsAdmin, and curl to execute beacons in-memory, move laterally, and deploy tools (AdFind, PowerView, AccessChk64) for AD enumeration. Credential theft was automated via LaZagne-executing Python scripts, and exfiltration used PSCP; defenders observed attempts to disable protections via KillAV BAT scripts and the SpyBoy terminator while the attackers installed AnyDesk (renamed install.exe) for persistence.

Detection and containment hinged on identifying the malvertising-driven download chain, the ISO contents (setup.exe, msi.dll), the trojanized Python installation and Run key persistence, Cobalt Strike network indicators, and the use of AD reconnaissance and credential-exfiltration scripts. Rapid IR actions removed the actor before final payload execution; defenders should hunt for these artifacts, block the listed domains/IPs, and monitor for the described persistence and in-memory beacon behaviors.
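A hunt for the artifacts this summary describes, as an added example that is not from the Trend Micro write-up: a small Python triage over constructed Sysmon-style process-creation (EID 1) and registry-set (EID 13) events, flagging the “Python” Run key, a Python runtime executing from C:\Users\Public, remote WMI process creation, PowerShell DownloadString from loopback, and AdFind enumeration. Hostnames, SIDs and script names in the sample events are constructed placeholders.

```python
import re

# Constructed sample events (not from the article), shaped like Sysmon EID 1 / EID 13.
SAMPLE_EVENTS = [
    {"eid": 13, "target": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\Python",
     "details": r"C:\Users\Public\Music\python\pythonw.exe"},
    {"eid": 1, "image": r"C:\Users\Public\Music\python\pythonw.exe",
     "cmdline": r"C:\Users\Public\Music\python\pythonw.exe C:\Users\Public\Music\python\work.py"},
    {"eid": 1, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /NODE:"WS-EXAMPLE" process call create C:\users\public\videos\python\pythonw.exe C:\users\public\videos\python\work2-2.py'},
    {"eid": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:40347/'); Invoke-FindLocalAdminAccess -Thread 50"},
    {"eid": 1, "image": r"C:\Users\Public\Music\adfind.exe",
     "cmdline": "adfind.exe -f objectcategory=computer -csv name cn OperatingSystem dNSHostName"},
    # Benign control: a per-user Python install under AppData, as the legitimate copy was.
    {"eid": 1, "image": r"C:\Users\alice\AppData\Local\Programs\Python\Python310\python.exe",
     "cmdline": "python.exe -m pip install requests"},
]

PUBLIC_DIR = re.compile(r"^c:\\users\\public\\", re.I)   # user-writable, odd place for a runtime
PY_RUNTIME = re.compile(r"\\pythonw?\.exe$", re.I)        # python.exe or pythonw.exe

def classify(ev):
    """Return the list of rule names that fire for one event (empty if none)."""
    hits = []
    if ev["eid"] == 13:
        # Run key literally named "Python", or any Run value pointing at a Python runtime under Public.
        if re.search(r"\\CurrentVersion\\Run\\Python$", ev["target"], re.I) or (
                PUBLIC_DIR.match(ev["details"]) and PY_RUNTIME.search(ev["details"])):
            hits.append("run_key_python_persistence")
        return hits
    image, cmd = ev["image"], ev["cmdline"]
    if PY_RUNTIME.search(image) and PUBLIC_DIR.match(image):
        hits.append("python_runtime_in_public_dir")
    if re.search(r"\bwmic(\.exe)?\b.*/node:.*process\s+call\s+create", cmd, re.I):
        hits.append("wmic_remote_process_create")
    # Beacon-hosted loopback web server feeding PowerShell, as in the 127.0.0.1:40347 example.
    if re.search(r"downloadstring\(\s*[\"']https?://127\.0\.0\.1:", cmd, re.I):
        hits.append("powershell_loopback_downloadstring")
    if re.search(r"\badfind(\.exe)?\b.*objectcategory=", cmd, re.I):
        hits.append("adfind_enumeration")
    return hits

def triage(events):
    """Map event index -> firing rules, omitting events with no hits."""
    out = {}
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            out[i] = hits
    return out
```

The benign control event is left unflagged, which is the distinction that matters here: a Python runtime under a per-user AppData path is expected, one under C:\Users\Public is not.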

Read more: https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html