BlackCat Operators Distributing Ransomware Disguised as WinSCP via Malvertising


Threat actors associated with the BlackCat ransomware have been observed employing malvertising tricks to distribute rogue installers of the WinSCP file transfer application.

"Malicious actors used malvertising to distribute a piece of malware via cloned webpages of legitimate organizations," Trend Micro researchers said in an analysis published last week. "In this case, the distribution involved a webpage of the well-known application WinSCP, an open-source Windows application for file transfer."

Malvertising refers to the use of search engine poisoning techniques to spread malware via online advertising. It typically involves hijacking a chosen set of keywords to display bogus ads on Bing and Google search results pages with the goal of redirecting unsuspecting users to sketchy pages.

The idea is to trick users searching for applications like WinSCP into downloading malware, in this instance a backdoor that contains a Cobalt Strike Beacon that connects to a remote server for follow-on operations, while also employing legitimate tools like AdFind to facilitate network discovery.

The access afforded by Cobalt Strike is further abused to download a number of programs to conduct reconnaissance, enumeration (PowerView), lateral movement (PsExec), antivirus bypass (KillAV BAT), and exfiltration of customer data (PuTTY Secure Copy client). Also observed is the use of a defense evasion tool to tamper with security software by means of a Bring Your Own Vulnerable Driver (BYOVD) attack.

In the attack chain detailed by the cybersecurity company, the threat actors managed to steal top-level administrator privileges to conduct post-exploitation activities and attempted to set up persistence using remote monitoring and management tools like AnyDesk as well as access backup servers.

"It is highly likely that the enterprise would have been substantially affected by the attack if intervention had been sought later, especially since the threat actors had already succeeded in gaining initial access to domain administrator privileges and started establishing backdoors and persistence," Trend Micro said.

The development is just the latest example of threat actors leveraging the Google Ads platform to serve malware. In November 2022, Microsoft disclosed an attack campaign that leverages the advertising service to deploy BATLOADER, which is then used to drop Royal ransomware.

It also comes as Czech cybersecurity company Avast released a free decryptor for the fledgling Akira ransomware to help victims recover their data without having to pay the operators. Akira, which first appeared in March 2023, has since expanded its targeting to include Linux systems.

"Akira has a few similarities to the Conti v2 ransomware, which may indicate that the malware authors were at least inspired by the leaked Conti sources," Avast researchers said. The company did not disclose how it cracked the ransomware's encryption algorithm.

The Conti/TrickBot syndicate, aka Gold Ulrick or ITG23, fractured after suffering a series of disruptive events triggered by the onset of the Russian invasion of Ukraine. But the e-crime group continues to exist to this date, albeit as smaller entities that use shared crypters and infrastructure to distribute their warez.

IBM Security X-Force, in a recent deep dive, said the gang's crypters, which are applications designed to encrypt and obfuscate malware to evade detection by antivirus scanners and hinder analysis, are also being used to disseminate new malware strains such as Aresloader, Canyon, CargoBay, DICELOADER, Lumma C2, Matanbuchus, SVCReady and Vidar, among others, including a family formerly known as Domino.

"Previously, the crypters were used predominantly with the core malware families associated with ITG23 and their close partners," security researchers Charlotte Hammond and Ole Villadsen said. "However, the fracturing of ITG23 and emergence of new factions, relationships, and methods, have affected how the crypters are used."

Despite the dynamic nature of the cybercrime ecosystem, in which nefarious cyber actors come and go and operations partner together, shut down, or rebrand their financially motivated schemes, ransomware continues to be a persistent threat.

This includes the emergence of a new ransomware-as-a-service (RaaS) group called Rhysida, which has primarily singled out education, government, manufacturing, and technology sectors across Western Europe, North and South America, and Australia.

"Rhysida is a 64-bit Portable Executable (PE) Windows cryptographic ransomware application compiled using MINGW/GCC," SentinelOne said in a technical write-up. "In each sample analyzed, the application's program name is set to Rhysida-0.1, suggesting the tool is in early stages of development."

Source - THN
 
Thanks for your share, friend
 
That's very elaborate. Do you have the name of the group?
 
thank you so much!
 