Ransomware gang targets Windows admins via PuTTy, WinSCP malvertising

A ransomware operation targets Windows system administrators by taking out Google ads to promote fake download sites for Putty and WinSCP.

WinSCP and Putty are popular Windows utilities, with WinSCP being an SFTP client and FTP client and Putty an SSH client.

System administrators commonly have higher privileges on a Windows network, making them valuable targets for threat actors who want to quickly spread through a network, steal data, and gain access to a network's domain controller to deploy ransomware.

A recent report by Rapid7 says that a search engine campaign displayed ads for fake Putty and WinSCP sites when searching for download winscp or download putty. It is unclear if this campaign took place on Google or Bing.

These ads used typosquatting domain names like puutty.org, puutty[.]org, wnscp[.]net, and vvinscp[.]net. 

While these sites impersonated the legitimate site for WinSCP (winscp.net), the threat actors imitated an unaffiliated site for PuTTY (putty.org), which many people believe is the real site. The official site for PuTTY is actually https://www.chiark.greenend.org.uk/~sgtatham/putty/.

These sites include download links that, when clicked, will either redirect you to legitimate sites or download a ZIP archive from the threat actor's servers based on whether you were referred by a search engine or another site in the campaign.

The downloaded ZIP archives contain a Setup.exe executable, which is a renamed and legitimate executable for Python for Windows (pythonw.exe) , and a malicious python311.dll file.

When the pythonw.exe executable is launched, it will attempt to launch a legitimate python311.dll file. However, the threat actors replaced this DLL with a malicious version loaded instead using DLL Sideloading.

When a user runs the Setup.exe, thinking it's installing PuTTY or WinSCP, it loads the malicious DLL, which extracts and executes an encrypted Python script.

This script will ultimately install the Sliver post-exploitation toolkit, a popular tool used for initial access to corporate networks.

Rapid7 says the threat actor used Sliver to remotely drop further payloads, including Cobalt Strike beacons. The hacker used this access to exfiltrate data and attempt to deploy a ransomware encryptor.

While Rapid7 shared limited details about the ransomware, the researchers say the campaign is similar to those seen by Malwarebytes and Trend Micro, which deployed the now-shutdown BlackCat/ALPHV ransomware.

"In a recent incident, Rapid7 observed the threat actor attempt to exfiltrate data using the backup utility Restic, and then deploy ransomware, an attempt which was ultimately blocked during execution," explains Rapid7's Tyler McGraw.

"The related techniques, tactics, and procedures (TTP) observed by Rapid7 are reminiscent of past BlackCat/ALPHV campaigns as reported by Trend Micro last year."

Search engine advertisements have become a massive problem over the past couple of years, with numerous threat actors utilizing them to push malware and phishing sites.

These advertisements were for popular programs, including Keepass, CPU-Z, Notepad++, Grammarly, MSI Afterburner, Slack, Dashlane, 7-Zip, CCleaner, VLC, Malwarebytes, Audacity, μTorrent, OBS, Ring, AnyDesk, Libre Office, Teamviewer, Thunderbird, and Brave.

More recently, a threat actor took out Google ads that included the legitimate URL for the crypto trading platform Whales Market. However, the ad led to a phishing site containing a cryptodrainer to steal visitors' cryptocurrency.