A ransomware campaign is targeting Windows system administrators with Google advertisements that promote fake download sites for PuTTY and WinSCP.
According to reports, system admins were a prime target for this campaign because they typically hold more privileges on a Windows network: if an attacker can infect one of them, they can quickly spread across the network, steal data, and reach the domain controller to deliver ransomware.
The PuTTY and WinSCP campaigns use search ads to drive victims into their infection chain.
Researchers stated that a search engine campaign displayed ads for bogus PuTTY and WinSCP websites when users searched for WinSCP or PuTTY. However, they could not determine whether the ads ran on Google or Bing, as that part of the investigation remains unclear.
Recent scans also revealed that these advertisements used typosquatted domain names such as puutty[.]org, wnscp[.]net, and vvinscp[.]net.
The WinSCP lookalikes impersonated the official WinSCP site (winscp.net), while the PuTTY lookalikes imitated putty.org, an unaffiliated site that many people assume is the project's official one.
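The domains above show the two tricks this campaign relied on: doubled letters (puutty) and homoglyph substitution (vv for w). The following script is an added example, not code from the article or from the researchers it cites; it scans constructed proxy log lines for hosts that are lookalikes of the legitimate download sites named in the article (winscp.net, and putty.org, which the article notes users already mistake for the official site). The log format, the sample clients and the distance threshold are assumptions for the illustration.

```python
import re

# Legitimate hosts the campaign imitated (taken from the article). putty.org is
# included because users already treat it as the official PuTTY site, so a
# lookalike of it is just as dangerous as a lookalike of winscp.net.
LEGIT_HOSTS = ["winscp.net", "putty.org"]

# Constructed proxy log lines (client IP, requested host, path) for the demo.
SAMPLE_LOG = """\
10.0.0.5 winscp.net /download
10.0.0.7 puutty.org /download.html
10.0.0.9 wnscp.net /winscp-setup.zip
10.0.0.11 vvinscp.net /download
10.0.0.13 github.com /winscp/winscp
10.0.0.15 putty.org /
"""


def normalize(host):
    """Collapse the visual tricks before comparing: drop a leading 'www.',
    map the homoglyph pairs 'vv' -> 'w' and 'rn' -> 'm', and squash runs of
    repeated letters so 'puutty' and 'putty' compare equal."""
    h = re.sub(r"^www\.", "", host.lower())
    h = h.replace("vv", "w").replace("rn", "m")
    return re.sub(r"(.)\1+", r"\1", h)


def levenshtein(a, b):
    """Plain edit distance; small distances catch dropped or swapped letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host, legit=LEGIT_HOSTS, max_distance=2):
    """Return (verdict, legit_host): 'legit' on an exact match, 'lookalike' when
    the normalized forms agree or the edit distance is small, else 'other'."""
    h = re.sub(r"^www\.", "", host.lower())
    if h in legit:
        return ("legit", h)
    nh = normalize(h)
    for good in legit:
        if nh == normalize(good) or levenshtein(h, good) <= max_distance:
            return ("lookalike", good)
    return ("other", None)


def scan_log(text):
    """Return (client, host, impersonated_host) for every lookalike request."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        client, host = parts[0], parts[1]
        verdict, target = classify_host(host)
        if verdict == "lookalike":
            hits.append((client, host, target))
    return hits


if __name__ == "__main__":
    for client, host, target in scan_log(SAMPLE_LOG):
        print(f"{client} requested {host}, which looks like {target}")
```

Both rules are needed: the normalizer catches vvinscp[.]net (edit distance 2, but identical once vv is read as w) and puutty[.]org, while the edit-distance rule catches wnscp[.]net, where no homoglyph is involved and only a letter is missing. A threshold of 2 is generous enough to flag unrelated short domains occasionally, so in production the match list should be the organisation's own allowlist of software download hosts rather than a broad dictionary.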
When a target visits one of these bogus sites, it displays download links that either redirect to the genuine website or serve a ZIP archive from the threat actor's servers, depending on whether the visitor arrived from a search engine or from another site in the campaign.
The downloaded ZIP archive contains two files: Setup.exe, which is a renamed copy of the legitimate Python for Windows executable (pythonw.exe), and python311.dll.
When pythonw.exe runs, it attempts to load a valid python311.dll. The threat actors replaced this DLL with a malicious version, which the executable picks up through DLL sideloading.
When a user launches Setup.exe, expecting to install PuTTY or WinSCP, it loads the malicious DLL, which extracts and starts an encrypted Python script. This script then installs the Sliver post-exploitation toolkit, a popular tool for gaining access to corporate networks.
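The chain in the three paragraphs above (a legitimate, signed pythonw.exe renamed to Setup.exe, loading an unsigned python311.dll from the same download folder) leaves a distinctive trace in Sysmon Event ID 7 (ImageLoaded) telemetry. The following detection is an added example, not code from the article or from any vendor: it runs over constructed Sysmon-style records and flags a Python runtime DLL that is loaded from outside an install location, is unsigned, and sits beside the executable that loaded it. The event records, the trusted-root list and the field values are assumptions for the illustration; the field names (Image, ImageLoaded, Signed, SignatureStatus, Signature) are the ones Sysmon emits for this event.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 7 records, shaped the way a SIEM would deliver them.
# Record 1 is a normal Python install; record 2 mirrors the article's chain.
SAMPLE_EVENTS = [
    {"EventID": 7,
     "Image": r"C:\Program Files\Python311\pythonw.exe",
     "ImageLoaded": r"C:\Program Files\Python311\python311.dll",
     "Signed": "true", "SignatureStatus": "Valid",
     "Signature": "Python Software Foundation"},
    {"EventID": 7,
     "Image": r"C:\Users\admin\Downloads\WinSCP-Setup\Setup.exe",
     "ImageLoaded": r"C:\Users\admin\Downloads\WinSCP-Setup\python311.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "Signature": ""},
    {"EventID": 7,
     "Image": r"C:\Users\admin\Downloads\tool.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
    {"EventID": 1, "Image": r"C:\Users\admin\Downloads\Setup.exe"},
]

# Python runtime DLLs are named python3XY.dll; the article's sample used python311.dll.
RUNTIME_DLL = re.compile(r"^python3\d+\.dll$", re.IGNORECASE)

# Assumed set of locations where a runtime DLL is expected to live. A per-user
# Python install (under %LOCALAPPDATA%) would need adding for those hosts.
TRUSTED_ROOTS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)


def is_trusted_location(path):
    p = path.lower()
    return any(p.startswith(root + "\\") for root in TRUSTED_ROOTS)


def check_image_load(event):
    """Return a reason string if the load looks like runtime-DLL sideloading,
    or None when the event is unrelated or benign."""
    if event.get("EventID") != 7:
        return None
    loaded = event.get("ImageLoaded", "")
    if not RUNTIME_DLL.match(PureWindowsPath(loaded).name):
        return None

    reasons = []
    if not is_trusted_location(loaded):
        reasons.append("runtime DLL loaded from a non-install location")
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("DLL is unsigned or its signature is not valid")
    # Sideloading puts the DLL in the loader's own directory; only report this
    # when another indicator already fired, since a real install is laid out the same way.
    same_dir = PureWindowsPath(loaded).parent == PureWindowsPath(event.get("Image", "")).parent
    if same_dir and reasons:
        reasons.append("DLL resides beside the executable that loaded it")
    return "; ".join(reasons) or None


def scan_events(events):
    """Return (loading_image, reason) for every suspicious image-load event."""
    return [(e["Image"], r) for e in events if (r := check_image_load(e))]


if __name__ == "__main__":
    for image, reason in scan_events(SAMPLE_EVENTS):
        print(f"ALERT {image}: {reason}")
```

The signature check is the strongest single signal here: the renamed pythonw.exe keeps its valid Python Software Foundation signature, while the swapped python311.dll does not, so a signed executable loading an unsigned copy of its own runtime from a Downloads folder is hard to explain benignly. Sysmon only populates the Signed and Signature fields for Event ID 7 when the configuration enables them, so the rule should be deployed together with that setting.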
Separate research states that the threat actor used Sliver remotely to deploy further payloads, including Cobalt Strike beacons, and then used this access to steal data and attempt to install a ransomware encryptor.
Search engine advertising has been a major problem in recent years, as numerous threat actors use it to promote malware and phishing sites. Such ads have impersonated prominent apps such as Grammarly, KeePass, CPU-Z, Notepad++, MSI Afterburner, Slack, Dashlane, 7-Zip, CCleaner, and VLC, among others, to lend legitimacy to malicious campaigns.
Windows administrators should be careful when downloading software from unfamiliar sources. Users should scrutinise websites and double-check for typosquatted names to avoid downloading malicious apps that could lead to ransomware infections or other cybercriminal campaigns.