Threat Advisory

Malicious Campaign Distributes Trojanized WinSCP and PuTTY Installers via Search Engine Ads

Threat: Malicious Campaign
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High


EXECUTIVE SUMMARY:

A recent campaign has been observed distributing trojanized installers for the popular utilities WinSCP and PuTTY through malicious advertisements on search engines. Users searching for legitimate copies of these tools, in particular IT team members, are redirected to typo-squatted domains. These domains host cloned websites or simple download pages that serve a zip archive containing the trojanized installer. The infection chain culminates in the deployment of additional malware, and in some cases an attempted ransomware deployment. The campaign uses DLL side-loading to execute its payloads and deliberately targets users who typically hold elevated privileges on the systems they administer.

Upon execution, the renamed setup.exe, which is a copy of the legitimate pythonw.exe, loads a malicious DLL named python311.dll from its own directory through DLL side-loading. The malicious DLL forwards the interpreter's legitimate calls to a renamed copy of the genuine python311.dll, so pythonw.exe keeps working and the malware runs stably. The malicious DLL contains an encrypted resource that, once decrypted, unpacks additional components, including the legitimate installer for the software the user was looking for, which is run so that nothing appears wrong to the user. Concurrently, a malicious Python script is executed that decrypts a Sliver beacon DLL and injects it into memory, giving the threat actor a foothold from which to establish persistence and compromise the system further. The observed techniques include calling NT native API (NTAPI) functions directly rather than the higher-level Win32 wrappers, to sidestep monitoring of those wrappers; decrypting resources with AES-256; and reflective DLL injection, so the payload executes directly from memory without being written to disk.

To mitigate these threats, download software only from the vendor's official site and confirm the integrity of the files by comparing hashes against the vendor's published values and checking for a valid code-signing signature. Note that the legitimate installer bundled inside the trojanized package is itself properly signed, so the check must be applied to the downloaded archive and every file it contains, not only to the installer that eventually appears. Blocking or sinkholing DNS requests for lookalike domains of commonly downloaded administrative tools also prevents access to the malicious sites. IT teams, who are the primary targets, must exercise heightened caution, as their compromised accounts give attackers significant access and let malicious activity blend in with legitimate administrative actions. Implementing these measures helps protect against such campaigns and maintain the integrity of IT systems.
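The following PowerShell triage script is an added example for this advisory, not the campaign's code or the original researchers' tooling. It applies the checks above to an extracted download folder and looks for the side-loading pattern described in the executive summary: an executable whose embedded OriginalFilename (version resource) does not match its name on disk, which is what a copy of pythonw.exe saved as setup.exe looks like, and DLLs next to it that either carry no valid Authenticode signature or are validly signed under a name that differs from their OriginalFilename, which is the fingerprint of the renamed legitimate library being proxied. The folder path is an assumption; point it at the directory you extracted the suspicious zip into.

```powershell
# Added example for this advisory (not the campaign's or the researchers' code).
# Triage an extracted installer folder for the DLL side-loading pattern:
# renamed interpreter + DLL of a well-known name that is unsigned or renamed.
param(
    # Assumed location of the extracted zip archive; adjust as needed.
    [string]$Path = "$env:USERPROFILE\Downloads\extracted-installer"
)

$findings = @()

# 1. Executables whose embedded OriginalFilename disagrees with the on-disk name.
#    A copy of pythonw.exe saved as setup.exe keeps its original version resource,
#    so the mismatch is visible without executing the file.
Get-ChildItem -Path $Path -Filter *.exe -File | ForEach-Object {
    $orig = $_.VersionInfo.OriginalFilename
    if ($orig -and ($orig -ne $_.Name)) {
        $findings += [pscustomobject]@{
            File   = $_.Name
            Issue  = "OriginalFilename is '$orig'"
            Signer = (Get-AuthenticodeSignature $_.FullName).SignerCertificate.Subject
        }
    }
}

# 2. DLLs beside the executable. Anything without a valid Authenticode signature
#    is suspect; a validly signed DLL whose name differs from its OriginalFilename
#    is most likely the renamed legitimate library that the malicious one proxies to.
Get-ChildItem -Path $Path -Filter *.dll -File | ForEach-Object {
    $sig  = Get-AuthenticodeSignature $_.FullName
    $orig = $_.VersionInfo.OriginalFilename
    if ($sig.Status -ne 'Valid') {
        $findings += [pscustomobject]@{
            File   = $_.Name
            Issue  = "Authenticode status: $($sig.Status)"
            Signer = $null
        }
    } elseif ($orig -and ($orig -ne $_.Name)) {
        $findings += [pscustomobject]@{
            File   = $_.Name
            Issue  = "validly signed, but OriginalFilename is '$orig' (renamed?)"
            Signer = $sig.SignerCertificate.Subject
        }
    }
}

# 3. SHA-256 of every file, for comparison against the vendor's published hashes
#    (apply this to the archive and its contents, not only the inner installer).
$hashes = Get-ChildItem -Path $Path -File | Get-FileHash -Algorithm SHA256

Write-Host "== Findings =="
$findings | Format-Table -AutoSize
Write-Host "== SHA-256 =="
$hashes | Format-Table Hash, Path -AutoSize
```

Treat the OriginalFilename mismatch as a triage signal rather than a verdict: some legitimate installers are built with a generic OriginalFilename, so confirm with the signature status and the hash comparison before acting. The signature check is the important one here, because a valid signature covers the file contents regardless of the file name: a "Valid" DLL under an unexpected name tells you a genuine library was renamed, while the DLL that actually bears the expected name and fails the check is the one to submit for analysis.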


THREAT PROFILE:

Tactic                Technique ID   Technique
Resource Development  T1583          Acquire Infrastructure
Initial Access        T1189          Drive-by Compromise
Execution             T1106          Native API
Execution             T1204          User Execution
Execution             T1059          Command and Scripting Interpreter
Persistence           T1543          Create or Modify System Process
Persistence           T1053          Scheduled Task/Job
Defense Evasion       T1140          Deobfuscate/Decode Files or Information
Defense Evasion       T1222          File and Directory Permissions Modification
Defense Evasion       T1574          Hijack Execution Flow
Defense Evasion       T1027          Obfuscated Files or Information
Defense Evasion       T1055          Process Injection
Lateral Movement      T1570          Lateral Tool Transfer
Exfiltration          T1567          Exfiltration Over Web Service
Impact                T1486          Data Encrypted for Impact


REFERENCES:

The following reports contain further technical details:
https://www.bleepingcomputer.com/news/security/ransomware-gang-targets-windows-admins-via-putty-winscp-malvertising/
