Rapid7 details an ongoing malvertising campaign that pushes trojanized installers for WinSCP and PuTTY via search ads, with the infection sometimes resulting in ransomware deployment. The operation targets IT teams, uses DLL side-loading and DLL search-order hijacking, and leverages Sliver and Cobalt Strike for post-infection control, plus evasive techniques to hinder analysis.
#Nitrogen #ALPHV #BlackCat #Sliver #CobaltStrike #WinSCP #PuTTY #Restic #DNSTwist
#Nitrogen #ALPHV #BlackCat #Sliver #CobaltStrike #WinSCP #PuTTY #Restic #DNSTwist
Keypoints
- Campaign distributes trojanized WinSCP and PuTTY installers via malicious search-engine ads, redirecting to typo-squatted domains.
- Infection begins when a user downloads and runs a renamed, benign-looking setup.exe that loads a malicious DLL (DLL side-loading with DLL search order hijacking).
- The payload decrypts a resource inside the DLL, unpacks a Sliver beacon, and can download additional payloads (including Cobalt Strike beacons).
- Post-compromise activities include persistence via scheduled tasks and services, SMB pivoting, and data exfiltration attempts (Restic) followed by ransomware deployment in some cases.
- Techniques include native API resolution, anti-evasion (ETW/AMSI), and obfuscation to hinder detection.
- MITRE ATT&CK mappings confirm a broad set of tactics from initial access to impact, with rapid detections and mitigations outlined.
MITRE Techniques
- [T1583.008] Acquire Infrastructure: Malvertising β The threat actor uses ads to promote malware delivery via popular search engines. [ βThe threat actor uses ads to promote malware delivery via popular search engines.β ]
- [T1189] Drive-by Compromise β The user clicks on a malicious ad populated from a typical search engine query for a software utility and is ultimately redirected to a page hosting malware. [ βThe user clicks on a malicious ad populated from a typical search engine query for a software utility and is ultimately redirected to a page hosting malware.β ]
- [T1106] Native API β The malware dynamically resolves and executes functions from ntdll.dll at runtime. [ βThe malware dynamically resolves and executes functions from ntdll.dll at runtime.β ]
- [T1204.002] User Execution: Malicious File β The user downloads and executes setup.exe (renamed pythonw.exe), which side-loads and executes the malicious DLL python311.dll. [ βThe user downloads and executes setup.exe (renamed pythonw.exe), which side-loads and executes the malicious DLL python311.dll.β ]
- [T1059.006] Command and Scripting Interpreter: Python β The malware executes a python script to load and execute a Sliver beacon. [ βThe malware executes a python script to load and execute a Sliver beacon.β ]
- [T1543.003] Create or Modify System Process: Windows Service β The threat actor creates a service to execute a C2 beacon. The threat actor loads a vulnerable driver to facilitate disabling antivirus software and other defenses present. [ βThe threat actor creates a service to execute a C2 beacon. The threat actor loads a vulnerable driver to facilitate disabling antivirus software and other defenses present.β ]
- [T1053.005] Scheduled Task/Job: Scheduled Task β The threat actor creates a scheduled task to execute a C2 beacon. [ βThe threat actor creates a scheduled task to execute a C2 beacon.β ]
- [T1140] Deobfuscate/Decode Files or Information β The malware uses various string manipulation and obfuscation techniques. [ βThe malware uses various string manipulation and obfuscation techniques.β ]
- [T1222.001] File and Directory Permissions Modification: Windows File and Directory Permissions Modification β The malware calls chmod to change file permissions prior to execution. [ βThe malware calls chmod to change file permissions prior to execution.β ]
- [T1574.001] Hijack Execution Flow: DLL Search Order Hijacking β The malware contained in python311.dll is loaded by a renamed copy of pythonw.exe from the same directory. [ βThe malware contained in python311.dll is loaded by a renamed copy of pythonw.exe from the same directory.β ]
- [T1574.002] Hijack Execution Flow: DLL Side-Loading β The malware contained in python311.dll is loaded by a renamed copy of pythonw.exe and proxies requests to a renamed copy of the legitimate DLL. [ βThe malware contained in python311.dll is loaded by a renamed copy of pythonw.exe and proxies requests to a renamed copy of the legitimate DLL.β ]
- [T1027.002] Obfuscated Files or Information: Software Packing β The final payload executed by the malware is unpacked through several layers of compression, encryption, and file formats. [ βThe final payload executed by the malware is unpacked through several layers of compression, encryption, and file formats.β ]
- [T1027.013] Obfuscated Files or Information: Encrypted/Encoded File β The malware also stores other file dependencies with several layers of obfuscation. [ βThe malware also stores other file dependencies with several layers of obfuscation.β ]
- [T1055.001] Process Injection: Dynamic-link Library Injection β The malware loads a Sliver beacon DLL via python script. [ βThe malware loads a Sliver beacon DLL via python script.β ]
- [T1570] Lateral Movement: Lateral Tool Transfer β The threat actor uses SMB via Cobalt Strike to pivot post compromise. [ βThe threat actor uses SMB via Cobalt Strike to pivot post compromise.β ]
- [T1567.002] Exfiltration Over Web Service: Exfiltration to Cloud Storage β The threat actor attempts to exfiltrate data to a backup using Restic. [ βThe threat actor attempts to exfiltrate data to a backup using Restic.β ]
- [T1486] Data Encrypted for Impact β The threat actor attempts the deployment of ransomware after exfiltrating data. [ βThe threat actor attempts the deployment of ransomware after exfiltrating data.β ]
Indicators of Compromise
- [Domain] β wnscp.net (Typo-squatted domain used in malvertising campaigns) and puttyy.org (typographical variant), areauni.com (hosting malicious zip), and other typosquatted domains β Context: domains observed in campaign infrastructure and redirection.
- [Domain] β puttty.org, puTTY.org, putty.org (typo domains used in the flow) β Context: additional typosquatted domains noted in the campaign.
- [IPv4] β 91.92.253.80, 82.221.136.24 (C2/hosting addresses) β Context: observed as part of the network infrastructure contacting malware.
- [IPv4] β 185.82.219.92, 91.92.242.183 (C2 addresses) β Context: additional C2 addresses associated with operations.
- [File] β python311.dll (SHA256: CD7D59105B0D0B947923DD9ED371B9CFC2C2AA98F29B2AFBDCD3392AD26BDE94) β Context: malicious DLL sideloaded by setup.exe; Original name: python311_WinSCP.dll.
- [File] β DellAPC.exe (SHA256: 8b1946e3e88cff3bee6b8a2ef761513fb82a1c81f97a27f959c08d08e4c75324) β Context: dropped post compromise.
- [File] β putty-64bit-0.78-installer.msi β Context: MSI package created during infection sequence.
Read more: https://blog.rapid7.com/2024/05/13/ongoing-malvertising-campaign-leads-to-ransomware/