WinSCP Exploited in Recent BlackCat Ransomware Group Operation

Threat actors linked to the BlackCat ransomware have been observed using malvertising to distribute malicious installers of the WinSCP file transfer application.

Trend Micro researchers reported last week that the attackers distribute malware via cloned webpages of legitimate organizations. In this case, the lure was the website of WinSCP, an open-source file transfer application.

WinSCP Malvertising Trick Explained

Malvertising refers to the use of SEO poisoning techniques to distribute malware via online advertising. It involves placing bogus ads in Bing and Google search results to redirect unsuspecting users to malicious web pages.

The goal is to trick users searching for applications like WinSCP into downloading malware; in this case, a backdoor that conceals a Cobalt Strike Beacon, which connects to a remote server for follow-on operations.

Legitimate tools such as AdFind are also employed to facilitate network discovery once inside the environment.

The attackers then obtain top-level administrator privileges to carry out post-exploitation activity and establish persistence using remote monitoring and management tools such as AnyDesk, as well as accessing backup servers.

Notably, the enterprise would have been substantially affected by the attack if the intervention had come late, especially since the attacker had already succeeded in obtaining domain administrator privileges and establishing backdoors, Trend Micro explained.

Similar Microsoft Discovery, and an Akira Update

In November 2022, Microsoft disclosed a malware campaign that abused an advertising service to deploy BATLOADER, which was in turn used to drop Royal ransomware.

In a separate development, Czech cybersecurity firm Avast released a free decryptor for the fledgling Akira ransomware to help victims recover their data without having to pay the operators.

Akira ransomware, which first appeared in March 2023, has since evolved and expanded its target footprint to include Linux systems.

Akira has a few similarities to the Conti v2 ransomware, which may suggest that the malware creator was at least inspired by the leaked Conti sources, Avast researchers said.