New SEO#LURKER Attack Campaign: Threat Actors Use SEO Poisoning and Fake Google Ads to Lure Victims Into Installing Malware

Keypoints

  • Attackers used malvertising (likely Dynamic Search Ads) to place a malicious ad for “WinSCP” above the legitimate winscp.net result, redirecting users to a phishing site.
  • The phishing flow downloads a zip named WinSCP_v.6.1.zip containing a renamed signed pythonw.exe (setup.exe) and a malicious python311.dll which is sideloaded to start the chain.
  • The sideloaded DLL drops a collection of Python binaries and libraries into %LOCALAPPDATA% (Notepad directory) and executes an obfuscated Python script (slv.py) via pythonw.exe.
  • slv.py contains compressed marshaled Python bytecode which is decompressed and exec()’d, after which the payload beacons to C2 servers (e.g., 141.98.6[.]195, 194.180.48[.]42) over 443/8443.
  • Additional persistence and escalation use renamed msiexec (update.exe) to sideload msi.dll payloads (JetBrains folders) which also beaconed to C2 and executed enumeration commands.
  • Persistent tasks were created (masquerading as legitimate tasks) to run update.exe and pythonw.exe with slv.py, enabling long-term access.
  • The report provides multiple IOCs (domains, IPs, file hashes, filenames) and recommended mitigations such as verifying download sources and monitoring AppData and process activity.

MITRE Techniques

  • [T1583.008] Acquire Infrastructure: Malvertising – Attackers purchased/leveraged ad placements and compromised sites to host and serve malicious ads. (‘malvertising…leveraging WinSCP lures along with a stealthy infection chain’)
  • [T1204.001] User Execution: Malicious Link – Users are tricked into clicking an ad placed above the legitimate site which redirects to the phishing lure. (‘The ad appears before the legitimate website for WinSCP which is https://winscp.net.’)
  • [T1204.002] User Execution: Malicious File – The fraudulent site serves a ZIP installer (WinSCP_v.6.1.zip) that contains the malicious installer and hidden payloads. (‘When the “DOWNLOAD WINSCP 6.1.2” link is clicked, the file is downloaded… WinSCP_v.6.1.zip.’)
  • [T1574.002] Hijack Execution Flow: DLL Side-Loading – A renamed signed pythonw.exe (setup.exe) is used to sideload a malicious python311.dll which executes attacker code. (‘setup.exe is a renamed legitimate “pythonw.exe”… the hidden python311.dll is sideloaded’)
  • [T1059.006] Command and Scripting Interpreter: Python – The attacker drops and executes obfuscated Python scripts (slv.py, wo15.py) that decompress, marshal, and exec payload bytecode. (‘decompresses it using the zlib library… marshaled… exec()’)
  • [T1105] Ingress Tool Transfer – The sideloaded components download and run additional tooling, including a legitimate WinSCP installer to blend in. (‘it downloads and executes a legitimate WinSCP installer… saved to the user’s downloads folder and executed’)
  • [T1036.005] Masquerading: Match Legitimate Name or Location – Phishing domains mimic winscp.net and scheduled tasks masquerade as legitimate update tasks to evade detection. (‘phishing domain hxxps://winccp[.]net… attempts to masquerade as a legitimate scheduled task starting with “onedrive standalone update task”’)
  • [T1053] Scheduled Task/Job – Persistence is achieved by creating scheduled tasks that execute the renamed msiexec (update.exe) and pythonw.exe with the malicious scripts. (‘we observed three unique tasks being created’)

Indicators of Compromise

  • [Domain] malicious/phishing infrastructure – winccp[.]net, gaweeweb[.]com, and other domains (pr-uae[.]com hosting the zip)
  • [IP Address] C2 servers – 141.98.6[.]195, 194.180.48[.]42, and 194.169.175[.]221
  • [File name] lure and payload files – WinSCP_v.6.1.zip, setup.exe (renamed pythonw.exe)
  • [File hash] analyzed payload hashes – WinSCP_6.1.2-Setup.zip: 6EB977F30B1D54E450118381F345DB2546613D1AF5D4D097B0E8D4769962A581, setup.exe: 24385D352B83222DC5AB92FA57B6649854ECD74DE378E279D8AC20A0B3B16009, and 7 more hashes
  • [Port] C2 communication ports – connections observed over 8443 and 443 (used by pythonw.exe and update.exe)

Attack flow and technical procedure: The campaign begins with malicious ads (likely Dynamic Search Ads) surfacing above legitimate search results for “WinSCP,” redirecting victims via a compromised WordPress site (gaweeweb[.]com) to a lookalike domain (winccp[.]net) that serves WinSCP_v.6.1.zip from a compromised host (pr-uae[.]com). The zip contains a signed, renamed pythonw.exe (presented as setup.exe) plus hidden components including a malicious python311.dll; running setup.exe causes the DLL to be sideloaded and executed without a GUI.

On execution, the malicious python311.dll first downloads and runs a legitimate WinSCP installer so the victim sees the expected install, then drops a collection of Python binaries and libraries into %LOCALAPPDATA%\Notepad (e.g., pythonw.exe, slv.py, wo15.py, Python DLLs). The slv.py payload holds a single large zlib-compressed string of marshaled Python bytecode which the script decompresses, unmarshals, and executes via exec(); immediately after execution the payload beacons to C2 servers (observed 141.98.6[.]195:8443 and 194.180.48[.]42:443), establishing remote control and executing reconnaissance commands (e.g., whoami, net group queries).
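A static triage helper for the slv.py loader pattern described above, added here as an example (it is not code from the Securonix report): it assumes the loader is a literal exec(marshal.loads(zlib.decompress(<bytes>))) chain, rebuilds the stage-2 code object with marshal.loads instead of exec()'ing it, and lists the names and IPv4-looking strings that code references; the embedded sample script is constructed, not the real slv.py.

```python
import ast
import marshal
import re
import types
import zlib

# Constructed stand-in for the slv.py loader (assumed shape): a zlib-compressed,
# marshaled code object that is decompressed, unmarshaled and passed to exec().
# The embedded stage is benign and uses an RFC 5737 documentation address as "C2".
_STAGE_SRC = "import socket\nC2 = ('192.0.2.10', 8443)\ndef beacon():\n    return C2\n"
_BLOB = zlib.compress(marshal.dumps(compile(_STAGE_SRC, "<stage>", "exec")))
SAMPLE_SLV_PY = f"import zlib, marshal\nexec(marshal.loads(zlib.decompress({_BLOB!r})))\n"

LOADER_RE = re.compile(r"exec\s*\(\s*marshal\.loads\s*\(\s*zlib\.decompress\s*\(")
IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")

def looks_like_loader(source: str) -> bool:
    """Static check for the decompress -> unmarshal -> exec chain; nothing is run."""
    return LOADER_RE.search(source) is not None

def extract_blob(source: str) -> bytes:
    """Pull the bytes literal out of zlib.decompress(...) via the AST."""
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "decompress" and node.args
                and isinstance(node.args[0], ast.Constant)
                and isinstance(node.args[0].value, bytes)):
            return node.args[0].value
    raise ValueError("no zlib.decompress(<bytes literal>) call found")

def walk_consts(obj):
    """Yield every string constant, recursing into nested code objects and tuples."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, types.CodeType):
        for c in obj.co_consts:
            yield from walk_consts(c)
    elif isinstance(obj, (tuple, frozenset)):
        for c in obj:
            yield from walk_consts(c)

def triage(source: str) -> dict:
    """Rebuild the stage-2 code object (marshal.loads never runs it) and report its names and IPv4-looking strings."""
    code = marshal.loads(zlib.decompress(extract_blob(source)))
    strings = set(walk_consts(code))
    return {
        "loader_pattern": looks_like_loader(source),
        "names": sorted(set(code.co_names)),
        "ips": sorted(s for s in strings if IPV4_RE.fullmatch(s)),
    }
```

marshal output is interpreter-version specific, so a real sample must be unmarshaled under the same Python version as the dropped pythonw.exe (the python311.dll in this campaign points to 3.11), and in an isolated analysis VM.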

Later stages create JetBrains-named directories containing update.exe (a renamed msiexec.exe) that sideloads a malicious msi.dll, which in turn loads a second malicious (Meterpreter-like) DLL and beacons to another C2 (194.169.175[.]221:8443). Persistence is implemented via scheduled tasks masquerading as legitimate update tasks that launch update.exe and pythonw.exe with slv.py, giving the attacker recurring execution and continued access. Key defensive actions include blocking or IAT monitoring of unexpected msiexec/msi.dll loads, alerting on DLL sideloading and process execution from AppData paths, and monitoring outbound connections to the listed C2 IPs and domains.

Read more: https://www.securonix.com/blog/seolurker-attack-campaign-uses-seo-poisoning-fake-google-ads-to-install-malware/