EXECUTIVE SUMMARY:
A recent campaign has been observed distributing trojanized installers for the popular utilities WinSCP and PuTTY through malicious advertisements on search engines. Users, particularly IT team members seeking legitimate versions of these tools, are redirected to typo-squatted domains. These domains host cloned websites or simple download pages that serve a zip archive containing the trojanized installers. The infection chain culminates in the deployment of malware, including ransomware in some cases. This campaign uses sophisticated methods such as DLL side-loading to execute its payloads and is designed to gain elevated privileges on compromised systems.
Upon execution, the renamed setup.exe, a copy of pythonw.exe, loads a malicious DLL named python311.dll through DLL side-loading. This DLL then proxies legitimate requests to a renamed legitimate DLL, facilitating stable malware execution. The malicious DLL contains an encrypted resource that, once decrypted, unpacks additional components, including a legitimate installer for the sought software to avoid user suspicion. Concurrently, a malicious Python script is executed, which decrypts and injects a Sliver beacon DLL, allowing the threat actor to establish persistence and further compromise the system. The observed techniques include the use of NTAPI functions for evasion, resource decryption using AES-256, and reflective DLL injection to execute payloads directly from memory.
To mitigate these threats, it is crucial to verify the sources of downloaded software and confirm the integrity of the files through hash checks and valid signatures. Blocking or redirecting DNS requests for suspicious domains can also prevent access to malicious sites. IT teams, who are primary targets, must exercise heightened caution, as their compromised accounts provide attackers with significant access and the ability to blend malicious activities with legitimate administrative actions. Implementing these measures can help protect against such sophisticated campaigns and maintain the integrity of IT systems.
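The two download-time checks recommended above (source verification against the typo-squat pattern, and a hash check of the downloaded file) as an added example; this is not code from the original report. The allowlist of official hosts and the brand keywords are assumptions, and the sample bytes are constructed; the expected SHA-256 must come from the vendor's own site out of band, never from the page that served the download.

```python
import hashlib
from urllib.parse import urlparse

# Assumed allowlist of official distribution hosts for the two utilities; extend per policy.
OFFICIAL_HOSTS = {"winscp.net", "www.winscp.net",
                  "chiark.greenend.org.uk", "www.chiark.greenend.org.uk"}
# Brand names that a cloned or typo-squatted site typically keeps in its hostname.
BRANDS = ("winscp", "putty")


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_verdict(url):
    """Classify the download host as 'official', 'lookalike' or 'unknown'."""
    host = (urlparse(url).hostname or "").lower()
    if host in OFFICIAL_HOSTS:
        return "official"
    # A host within two edits of an official one, or a non-official host that embeds
    # the product name, matches the typo-squat / cloned-site pattern of this campaign.
    if any(edit_distance(host, good) <= 2 for good in OFFICIAL_HOSTS):
        return "lookalike"
    if any(brand in host for brand in BRANDS):
        return "lookalike"
    return "unknown"


def hash_matches(data, expected_sha256):
    """Compare the SHA-256 of the downloaded bytes with the vendor-published digest."""
    return hashlib.sha256(data).hexdigest().lower() == expected_sha256.lower()


def triage_download(url, data, expected_sha256):
    """Return (accept, reason): accept only an official host AND a matching digest."""
    verdict = host_verdict(url)
    if verdict != "official":
        return False, f"host is {verdict}"
    if not hash_matches(data, expected_sha256):
        return False, "sha256 mismatch"
    return True, "ok"


if __name__ == "__main__":
    sample = b"constructed installer bytes"  # constructed, not a real installer
    good = hashlib.sha256(sample).hexdigest()
    print(triage_download("https://winscp.net/download/WinSCP-Setup.exe", sample, good))
    print(triage_download("https://wnscp.net/download/WinSCP-Setup.exe", sample, good))
```

A signature check (for example Get-AuthenticodeSignature on Windows) belongs alongside the hash check, since a trojanized archive can ship a legitimate, signed vendor installer next to the malicious loader.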
THREAT PROFILE:
Tactic               | Technique Id | Technique
Resource Development | T1583        | Acquire Infrastructure
Initial Access       | T1189        | Drive-by Compromise
Execution            | T1106        | Native API
Execution            | T1204        | User Execution
Execution            | T1059        | Command and Scripting Interpreter
Persistence          | T1543        | Create or Modify System Process
Persistence          | T1053        | Scheduled Task/Job
Defense Evasion      | T1140        | Deobfuscate/Decode Files or Information
Defense Evasion      | T1222        | File and Directory Permissions Modification
Defense Evasion      | T1574        | Hijack Execution Flow
Defense Evasion      | T1027        | Obfuscated Files or Information
Defense Evasion      | T1055        | Process Injection
Lateral Movement     | T1570        | Lateral Tool Transfer
Exfiltration         | T1567        | Exfiltration Over Web Service
Impact               | T1486        | Data Encrypted for Impact
REFERENCES:
The following reports contain further technical details:
https://www.bleepingcomputer.com/news/security/ransomware-gang-targets-windows-admins-via-putty-winscp-malvertising/