Cybercrime as-a-service , Fraud Management & Cybercrime , Ransomware

BlackCat Uses Malvertising to Push Backdoor

Attackers Deploying Cloned WinSCP and SpyBoy Webpages to Inject Malware
BlackCat Uses Malvertising to Push Backdoor

The BlackCat ransomware-as-a-service group is developing a threat activity cluster using chosen keywords on webpages of legitimate organizations to deploy malicious malware.

See Also: OnDemand Panel Discussion | The Human Factor: Protecting Against Your Greatest Cybersecurity Risk

An unnamed organization along with Trend Micro researchers discovered cybercriminals performing unauthorized activities within the company's network using a cloned webpage of WinSCP, an open-source Windows application for file transfer, and SpyBoy, a terminator that tampers with protection provided by agents.

"Malware distributors abuse the same functionality in a technique known as malvertising - hijacking keywords to display malicious ads that lure unsuspecting search engine users into downloading malware," according to the Trend Micro report.

Attackers stole top-level administrator privileges and also attempted to establish persistence and backdoor access to the customer environment using remote management tools.

The researchers said the tactics used in this campaign are similar to those used in previous campaigns conducted by BlackCat.

"Along with other types of malware and tools already mentioned, we were able to identify the use of the anti-antivirus or anti-endpoint detection and response SpyBoy terminator in an attempt to tamper with protection provided by agents," they said.

To exfiltrate the data, the attackers used the PuTTY Secure Copy client to transfer the information. Further investigation of the command-and-control domains used by the threat actor led to the discovery of a possible relation with Clop ransomware.

Attack Chain

Using SEO-poisoning techniques, unsuspecting users are tricked into downloading a cloned application containing a malware.

"The overall infection flow involves delivering the initial loader, fetching the bot core and ultimately dropping the payload, typically a backdoor," the researchers said.

The WinSCP application in this case contained a backdoor containing Cobalt Strike Beacon, which allows a remote server for follow-up operations.

Researchers also spotted threat actors using a few other tools, such as AdFind, which is designed to retrieve and display information from Active Directory environments.

"In the hands of a threat actor, AdFind can be misused for enumeration of user accounts, privilege escalation and even password hash extraction," the researchers said. The malicious actors also used the AnyDesk remote management tool in the environment to maintain persistence.


About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.com, you agree to our use of cookies.