October 3, 2023

Researchers have spotted the BlackCat ransomware gang using Google and Bing search ads that promote a well-known file-transfer app as a lure to drop malicious payloads and infect victims with malware.

The research report details the TTPs deployed during the attack, including the legitimate and illegitimate tools, scripts, and commands that led to a BlackCat infection.

The malvertising campaign directs anyone who clicks on the malicious ads to a spoofed download page for WinSCP, a popular open-source Windows application used to copy files between a local computer and remote servers using a range of transfer protocols.

The threat actor gained and abused top-level administrator privileges, attempted to establish persistence, and planted backdoor access to the network using remote management tools including AnyDesk. After that, the adversaries attempted to steal passwords and access backup servers.


Modus Operandi

The infection starts once the user searches for ‘WinSCP Download’ (a tool used by IT administrators) on the Bing search engine. A malicious ad for the WinSCP application is displayed above the organic search results. The ad leads to a suspicious website containing a tutorial on how to use WinSCP to automate file transfers.

Users are then directed to a cloned WinSCP download webpage at winsccp[.]com, an address resembling that of the legitimate WinSCP site, winscp.net, where they are prompted to download a malicious ISO file.
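The lookalike domain is the part of this chain a defender can check mechanically: a typosquat such as winsccp[.]com sits within one edit of the legitimate name. The following is an added example, not code from the Trend Micro report, that flags domains (for instance from proxy or DNS logs) whose registrable label is within a small edit distance of a watched brand. The watch-list, the simplified "last label is the TLD" suffix handling and the sample domains other than winsccp[.]com are assumptions constructed for the example.

```python
# Added example (not from the report): edit-distance lookalike check for
# software download domains seen in DNS/proxy logs.
from __future__ import annotations


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insertions, deletions and substitutions cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Label left of the suffix, e.g. 'winsccp' for 'winsccp.com'.
    Assumption: the last label is the TLD (no public-suffix-list lookup)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


# Legitimate site -> brand name. Only winscp.net comes from the article.
WATCHLIST = {"winscp.net": "WinSCP"}


def classify(domain: str, watchlist=WATCHLIST, max_distance: int = 2) -> str | None:
    """Return the brand a domain appears to impersonate, or None.

    The legitimate domain itself is never flagged; any other domain whose
    registrable label equals the brand label (same name, different suffix)
    or lies within max_distance edits of it is flagged for review.
    """
    domain = domain.lower().rstrip(".")
    if domain in watchlist:
        return None
    label = registrable_label(domain)
    for legit, brand in watchlist.items():
        legit_label = registrable_label(legit)
        if label == legit_label or levenshtein(label, legit_label) <= max_distance:
            return brand
    return None


def scan(domains) -> dict[str, str]:
    """Map each flagged domain to the brand it resembles."""
    flagged = {}
    for d in domains:
        brand = classify(d)
        if brand:
            flagged[d] = brand
    return flagged


# Constructed sample: one legitimate domain, the typosquat named in the
# article, and an unrelated domain.
SAMPLE_DOMAINS = ["winscp.net", "winsccp.com", "example.com"]

if __name__ == "__main__":
    for dom, brand in scan(SAMPLE_DOMAINS).items():
        print(f"{dom}: resembles {brand}")
```

A distance threshold of 2 keeps false positives low for short brand labels; for longer labels a threshold relative to label length works better, and a real deployment should resolve the registrable domain with a public-suffix list rather than the last-label shortcut used here.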

The ISO contains two files: setup.exe, a renamed msiexec.exe executable, and msi.dll, a delay-loaded DLL that acts as a dropper for a real WinSCP installer plus a malicious Python execution environment that downloads Cobalt Strike beacons.

Other tools used in the attack included AdFind, which is used to retrieve and display information from Active Directory environments.

AccessChk64 is a command-line tool primarily used for checking the security permissions and access rights of objects in Windows. It can be used to gain insight into which permissions are assigned to users and groups, as well as for privilege escalation and the identification of files, directories, or services with weak access control settings.

The attackers used the Windows command-line tool findstr to search for a specific string within XML files on the compromised system. PsExec, BitsAdmin, and curl were used to download additional tools and to move laterally across the environment.

PowerShell was used to execute scripts, including PowerView, part of the PowerSploit collection of penetration testing scripts used by threat actors to gather information about Active Directory environments.

A KillAV BAT script was used in an unsuccessful attempt to disable or bypass the antivirus or antimalware programs installed on the system, and the threat actor installed AnyDesk in a bid to maintain persistence.
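The ISO payload and the tooling listed above each leave host-level telemetry a SOC can key on: a binary whose PE original filename is msiexec.exe but whose on-disk name is not, msi.dll loaded from somewhere other than the Windows system directories, and the discovery and transfer tools named in the report. The following is an added example, not code from the Trend Micro report, that runs those three checks over Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) records normalised into dicts. The field names follow Sysmon's; the event values, paths and command lines are constructed for this example, and the findstr search string is a placeholder.

```python
# Added example (not from the report): three host detections for the
# WinSCP-lure intrusion chain, run over constructed Sysmon-style events.
import ntpath
import re

SYSTEM_DIRS = (r"c:\windows\system32\\".rstrip("\\") + "\\",
               r"c:\windows\syswow64\\".rstrip("\\") + "\\")

# Tools the article reports in the intrusion, keyed by lower-case executable
# name. All have legitimate admin uses, so hits are triage leads, not verdicts.
WATCHED_TOOLS = {
    "adfind.exe": "AD enumeration (AdFind)",
    "accesschk64.exe": "permission enumeration (AccessChk)",
    "psexec.exe": "remote execution (PsExec)",
    "bitsadmin.exe": "download via BITS",
    "curl.exe": "download via curl",
    "anydesk.exe": "remote management (AnyDesk)",
}

# findstr invoked against .xml files, as described in the article.
FINDSTR_XML = re.compile(r"\bfindstr(\.exe)?\b.*\.xml\b", re.I)


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def renamed_msiexec(ev):
    """Event 1: PE OriginalFileName says msiexec.exe, on-disk name says otherwise."""
    if ev.get("EventID") != 1:
        return None
    if ev.get("OriginalFileName", "").lower() != "msiexec.exe":
        return None
    if basename(ev.get("Image", "")) == "msiexec.exe":
        return None
    return f"renamed msiexec: {ev['Image']}"


def msi_dll_sideload(ev):
    """Event 7: msi.dll loaded from outside System32/SysWOW64 (side-load candidate)."""
    if ev.get("EventID") != 7:
        return None
    loaded = ev.get("ImageLoaded", "").lower()
    if basename(loaded) != "msi.dll" or loaded.startswith(SYSTEM_DIRS):
        return None
    return f"msi.dll side-load: {ev['Image']} loaded {ev['ImageLoaded']}"


def watched_tool(ev):
    """Event 1: known discovery/transfer tool, or findstr searching XML files."""
    if ev.get("EventID") != 1:
        return None
    name = basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    if name in WATCHED_TOOLS:
        return f"{WATCHED_TOOLS[name]}: {cmd}"
    if FINDSTR_XML.search(cmd):
        return f"findstr over XML files: {cmd}"
    return None


RULES = (renamed_msiexec, msi_dll_sideload, watched_tool)


def detect(events):
    """Return (rule name, message) pairs for every event that trips a rule."""
    hits = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((rule.__name__, msg))
    return hits


# Constructed sample events: the ISO chain from a mounted drive D:, a benign
# msiexec run from System32, an AdFind run, a findstr search, and notepad.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"D:\setup.exe", "OriginalFileName": "msiexec.exe",
     "CommandLine": "setup.exe"},
    {"EventID": 7, "Image": r"D:\setup.exe", "ImageLoaded": r"D:\msi.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "OriginalFileName": "msiexec.exe", "CommandLine": "msiexec /i app.msi"},
    {"EventID": 7, "Image": r"C:\Windows\System32\msiexec.exe",
     "ImageLoaded": r"C:\Windows\System32\msi.dll"},
    {"EventID": 1, "Image": r"C:\Users\Public\AdFind.exe",
     "OriginalFileName": "AdFind.exe", "CommandLine": "AdFind.exe -f objectcategory=computer"},
    {"EventID": 1, "Image": r"C:\Windows\System32\findstr.exe",
     "OriginalFileName": "FINDSTR.EXE", "CommandLine": "findstr /s /i PLACEHOLDER *.xml"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for rule, msg in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {msg}")
```

The renamed-msiexec rule is the strongest of the three because it depends on the PE version resource rather than the file name the attacker chose; the other two will fire on legitimate administration and are best paired with context such as the parent process or a mounted-ISO volume letter.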

In a related investigation in which similar TTPs led to the identification of a BlackCat infection, additional tools were also used. One such tool is SpyBoy Terminator, which is used to tamper with the protection provided by EDR agents.


To exfiltrate the customer data, the threat actor used the PuTTY Secure Copy client (PSCP) to transfer the gathered information. Investigating one of the C&C domains used by the threat actor behind this infection also led to the discovery of a possibly related Cl0p ransomware file.

In addition to a continuous effort to prevent any unauthorized access, early detection and response within an organization’s network is critical. Immediacy in remediation is also essential, as delays in reaction time could lead to serious damage.

This research was documented by Trend Micro.

Tactics and Techniques

Tactic                  ATT&CK ID    Description
Reconnaissance          T1589.001    Gather Victim Identity Information: Credentials
Resource Development    T1587.001    Develop Capabilities: Malware
Resource Development    T1588.002    Obtain Capabilities: Tool
Initial Access          T1078.002    Valid Accounts: Domain Accounts
Execution               T1059.003    Command and Scripting Interpreter: Windows Command Shell
Privilege Escalation    T1548.002    Abuse Elevation Control Mechanism: Bypass UAC
Defense Evasion         T1222.001    File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Defense Evasion         T1070.001    Indicator Removal on Host: Clear Windows Event Logs
Discovery               T1087.002    Account Discovery: Domain Account
Discovery               T1083        File and Directory Discovery
Lateral Movement        T1570        Lateral Tool Transfer
Command and Control     T1071.001    Application Layer Protocol: Web Protocols
Exfiltration            T1048        Exfiltration Over Alternative Protocol
Impact                  T1486        Data Encrypted for Impact
Impact                  T1491.001    Defacement: Internal Defacement

Indicators of Compromise
