
Researchers have spotted the BlackCat ransomware gang using Google and Bing search ads that promote a well-known file-transfer app as a lure to drop malicious payloads and infect victims with malware.
The research report describes the TTPs deployed during the attack, including the legitimate and illegitimate tools, scripts, and commands that led to a BlackCat infection.
The malvertising campaign directs anyone who clicks on the malicious ads to a spoofed download page for WinSCP, a popular open-source Windows application used to copy files between a local computer and remote servers using a range of transfer protocols.
The threat actor gained and abused top-level administrator privileges, attempted to establish persistence, and planted backdoor access to the network using remote management tools including AnyDesk. After that, the adversaries attempted to steal passwords and access backup servers.
Modus Operandi
The infection starts when the user searches for ‘WinSCP Download’ (WinSCP is a tool commonly used by IT administrators) on the Bing search engine. A malicious ad for the WinSCP application is displayed above the organic search results. The ad leads to a suspicious website containing a tutorial on how to use WinSCP for automating file transfers.
Users are then directed to a cloned WinSCP download webpage at winsccp[.]com – an address that closely resembles the legitimate WinSCP site, winscp.net – where they are prompted to download a malicious ISO file.
The ISO contains two files: setup.exe, a renamed msiexec.exe executable, and msi.dll, a delay-loaded DLL that acts as a dropper for a real WinSCP installer plus a malicious Python execution environment that downloads Cobalt Strike beacons.
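The two behaviours in the ISO stage are observable on an endpoint: a process whose PE original file name is msiexec.exe but whose on-disk name is not, and an msi.dll loaded from somewhere other than System32. The following is an added example, not code from the Trend Micro report, that runs that logic over constructed Sysmon-style events; the field names follow Sysmon Event ID 1 and 7, while the drive letter and paths are made up.

```python
# Added example (not from the report): flag the renamed msiexec.exe and the
# sideloaded msi.dll described above, using constructed Sysmon-style events.
import ntpath

SYSTEM32 = r"c:\windows\system32"

def is_renamed_msiexec(event):
    """Event ID 1 (process create): OriginalFileName disagrees with on-disk name."""
    if event.get("EventID") != 1:
        return False
    original = event.get("OriginalFileName", "").lower()
    on_disk = ntpath.basename(event.get("Image", "")).lower()
    return original == "msiexec.exe" and on_disk != "msiexec.exe"

def is_sideloaded_msi_dll(event):
    """Event ID 7 (image load): msi.dll loaded from outside System32."""
    if event.get("EventID") != 7:
        return False
    loaded = event.get("ImageLoaded", "").lower()
    if ntpath.basename(loaded) != "msi.dll":
        return False
    return ntpath.dirname(loaded) != SYSTEM32

def triage(events):
    """Return (rule_name, path) for every event that matches a rule."""
    hits = []
    for ev in events:
        if is_renamed_msiexec(ev):
            hits.append(("renamed_msiexec", ev["Image"]))
        if is_sideloaded_msi_dll(ev):
            hits.append(("sideloaded_msi_dll", ev["ImageLoaded"]))
    return hits

# Constructed sample events: the mounted ISO (drive E:) beside a benign
# msiexec.exe run from System32, which must not be flagged.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"E:\setup.exe", "OriginalFileName": "msiexec.exe"},
    {"EventID": 7, "Image": r"E:\setup.exe", "ImageLoaded": r"E:\msi.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "OriginalFileName": "msiexec.exe"},
    {"EventID": 7, "Image": r"C:\Windows\System32\msiexec.exe",
     "ImageLoaded": r"C:\Windows\System32\msi.dll"},
]

if __name__ == "__main__":
    for rule, path in triage(SAMPLE_EVENTS):
        print(f"{rule}: {path}")
```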
Other tools used in the attack included AdFind, which is used to retrieve and display information from Active Directory environments.
AccessChk64 is a command-line tool primarily used for checking the security permissions and access rights of objects in Windows. It can be used to gain insight into which permissions are assigned to users and groups, as well as for privilege escalation and the identification of files, directories, or services with weak access control settings.
The attackers used Windows command-line tool findstr to search for a specific string within XML files on the compromised system. PsExec, BitsAdmin, and curl were used to download additional tools and to move laterally across the environment.
PowerShell was used to execute scripts, including PowerView, part of the PowerSploit collection of penetration testing scripts used by threat actors to gather information about Active Directory environments.
A KillAV BAT script was used in an unsuccessful attempt to disable or bypass antivirus or antimalware programs installed on the system, and the threat actor installed AnyDesk in a bid to maintain persistence.
In a related investigation, where similar TTPs led to the identification of a BlackCat infection, additional tools were also used. One such tool was SpyBoy Terminator, used to tamper with the protection provided by EDR agents.
To exfiltrate the customer data, the threat actor used PuTTY Secure Copy client (PSCP) to transfer the gathered information. Investigating one of the C&C domains used by the threat actor behind this infection also led to the discovery of a possible related Cl0p ransomware file.
In addition to a continuous effort to prevent any unauthorized access, early detection and response within an organization’s network is critical. Immediacy in remediation is also essential, as delays in reaction time could lead to serious damage.
This research was documented by Trend Micro.
Tactics and Techniques
Tactic | ATT&CK ID | Description |
Reconnaissance | T1589.001 | Gather Victim Identity Information: Credentials |
Resource Development | T1587.001 | Develop Capabilities: Malware |
Resource Development | T1588.002 | Obtain Capabilities: Tool |
Initial Access | T1078.002 | Valid Accounts: Domain Accounts |
Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
Privilege Escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass UAC |
Defense Evasion | T1222.001 | File and Directory Permissions Modification: Windows File and Directory Permissions Modification |
Defense Evasion | T1070.001 | Indicator Removal on Host: Clear Windows Event Logs |
Discovery | T1087.002 | Account Discovery: Domain Account |
Discovery | T1083 | File and Directory Discovery |
Lateral Movement | T1570 | Lateral Tool Transfer |
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols |
Exfiltration | T1048 | Exfiltration Over Alternative Protocol |
Impact | T1486 | Data Encrypted for Impact |
Impact | T1491.001 | Defacement: Internal Defacement |
Indicators of Compromise