BlackCat Uses Malvertising to Push Backdoor
Attackers Deploying Cloned WinSCP and SpyBoy Webpages to Inject Malware
The BlackCat ransomware-as-a-service group is behind a threat activity cluster that hijacks search keywords tied to the webpages of legitimate organizations in order to deploy malware.
Trend Micro researchers, working with an unnamed customer organization, discovered cybercriminals performing unauthorized activities within the company's network after luring users to a cloned webpage for WinSCP, an open-source Windows file transfer application. The intruders also used SpyBoy, a "terminator" tool that tampers with the protection provided by security agents.
"Malware distributors abuse the same functionality in a technique known as malvertising - hijacking keywords to display malicious ads that lure unsuspecting search engine users into downloading malware," according to the Trend Micro report.
The attackers obtained top-level administrator privileges and also attempted to establish persistence and backdoor access to the customer environment using remote management tools.
The researchers said the tactics used in this campaign are similar to those used in previous campaigns conducted by BlackCat.
"Along with other types of malware and tools already mentioned, we were able to identify the use of the anti-antivirus or anti-endpoint detection and response SpyBoy terminator in an attempt to tamper with protection provided by agents," they said.
To exfiltrate the data, the attackers used the PuTTY Secure Copy client to transfer the information. Further investigation of the command-and-control domains used by the threat actor led to the discovery of a possible relation with Clop ransomware.
Using SEO-poisoning techniques, the attackers trick unsuspecting users into downloading a cloned application that contains malware.
"The overall infection flow involves delivering the initial loader, fetching the bot core and ultimately dropping the payload, typically a backdoor," the researchers said.
In this case, the WinSCP application was backdoored with a Cobalt Strike Beacon, which gives the attackers' remote server a channel for follow-up operations.
Researchers also spotted threat actors using a few other tools, such as AdFind, which is designed to retrieve and display information from Active Directory environments.
"In the hands of a threat actor, AdFind can be misused for enumeration of user accounts, privilege escalation and even password hash extraction," the researchers said. The malicious actors also used the AnyDesk remote management tool in the environment to maintain persistence.
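As an added defensive illustration, not code from the Trend Micro report: a small hunting heuristic that scans constructed process-creation events for the tool chain described above, a WinSCP-named binary launched from a user download location followed on the same host by AdFind, AnyDesk or PuTTY SCP. The log format, hostnames and paths are assumptions made for the example.

```python
"""Hunting heuristic for the post-compromise tool chain in the report.

Constructed example: simplified process-creation events are scored per
host. A host is flagged when a WinSCP-named binary run from a download or
temp folder is followed, within a time window, by one of the tools the
report names: AdFind (enumeration), AnyDesk (persistence), pscp (exfil).
"""
from datetime import datetime, timedelta

# Tools the report ties to post-compromise activity (lowercase image names).
FOLLOW_ON_TOOLS = {
    "adfind.exe": "Active Directory enumeration",
    "anydesk.exe": "remote access persistence",
    "pscp.exe": "exfiltration via PuTTY Secure Copy",
}
# Locations where a malvertised installer typically lands (assumed paths).
USER_DOWNLOAD_DIRS = ("\\downloads\\", "\\temp\\")
WINDOW = timedelta(hours=24)

def parse_event(line):
    """Parse 'ISO-timestamp|host|image_path' (constructed log format)."""
    ts, host, image = line.strip().split("|", 2)
    return datetime.fromisoformat(ts), host, image

def find_suspicious_hosts(lines):
    """Return {host: [reasons]} for hosts matching the WinSCP -> tool chain."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e[0])
    first_winscp = {}   # host -> time of first suspicious WinSCP launch
    findings = {}
    for ts, host, image in events:
        low = image.lower()
        name = low.rsplit("\\", 1)[-1]
        if "winscp" in name and any(d in low for d in USER_DOWNLOAD_DIRS):
            first_winscp.setdefault(host, ts)
            continue
        if (name in FOLLOW_ON_TOOLS and host in first_winscp
                and ts - first_winscp[host] <= WINDOW):
            findings.setdefault(host, []).append(f"{name}: {FOLLOW_ON_TOOLS[name]}")
    return findings

# Constructed sample events: WS01 shows the full chain, WS02 runs a
# legitimately installed WinSCP, WS03 ran the installer but nothing else.
SAMPLE_LOG = """\
2023-06-01T09:00:00|WS01|C:\\Users\\alice\\Downloads\\WinSCP-Setup.exe
2023-06-01T09:05:00|WS01|C:\\Windows\\Temp\\AdFind.exe
2023-06-01T10:30:00|WS01|C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe
2023-06-02T15:00:00|WS02|C:\\Program Files (x86)\\WinSCP\\WinSCP.exe
2023-06-02T15:10:00|WS02|C:\\Tools\\pscp.exe
2023-06-03T08:00:00|WS03|C:\\Users\\bob\\Downloads\\WinSCP-Setup.exe
""".splitlines()

if __name__ == "__main__":
    for host, reasons in find_suspicious_hosts(SAMPLE_LOG).items():
        print(host, reasons)
```

WS02 is deliberately not flagged: the heuristic keys on an installer run from a download location, so a WinSCP copied to Program Files by an administrator does not trip it, which is the trade-off to tune against your own baseline.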