Google ads are a loophole for hackers: Rapid7 doesn't recommend downloading Windows utilities from third-party sites

Malvertising continues to grow as an initial-access technique.

Cybercriminals have come up with a sophisticated scheme to infect corporate networks with malicious software. They place advertisements in search engines such as Google with links to download popular utilities for Windows. However, victims receive malicious files instead of legitimate programs.

According to a report by cybersecurity company Rapid7, attackers placed ads on Google promoting fake download sites for PuTTY and WinSCP. PuTTY is a popular SSH client, and WinSCP is a file transfer client for SFTP, FTP and related protocols. Both programs are widely used by system administrators, which makes their users a valuable target: a compromised admin workstation typically holds credentials and SSH keys for many other systems.

The ads linked to sites whose domain names closely resemble the legitimate ones, for example puutty.org and vvinscp.net, plus other look-alike variants built from typos and doubled or substituted letters. When a user clicked a link from an ad, they were prompted to download a ZIP archive supposedly containing the desired program.

However, the archive did not contain the utility itself but a malicious Setup.exe masquerading as a Python installer. Running it triggered a DLL sideloading chain: the executable was shipped together with a tampered python311.dll, so when it loaded the Python runtime library by name it picked up the attackers' copy from its own directory instead of the legitimate library.

The malicious DLL decrypted and ran an embedded Python script that installed Sliver, an open-source command-and-control framework for remote access to the system. From there the attackers could download further tooling, such as Cobalt Strike beacons.

After gaining initial access to the corporate network, the attackers stole confidential data, tried to gain full control over the domain controller, and eventually deployed a ransomware program to encrypt the victim's files.

Rapid7 experts noted that this campaign resembles recently tracked attacks that used the BlackCat/ALPHV ransomware, whose infrastructure was disrupted last year. However, the specific ransomware family used in this case has not been disclosed.

The use of fake search ads to spread malware has become widespread in the last couple of years. The technique is called malvertising. Attackers have placed ads impersonating software such as CPU-Z, Notepad++, Grammarly, Mktorrent, Dashlane and many other well-known programs.

Most recently, hackers bought ads that displayed the legitimate URL of the Whales Market crypto exchange, while the link actually led to a phishing site that stole cryptocurrency from visitors. The scheme therefore poses a serious threat to both businesses and ordinary users.

Experts urge users to be wary of third-party download links for software, even when they appear as ads in popular search engines. The preferred approach is to download software only from the official developer sites, and to verify the publisher signature or the hash that the developer publishes before running an installer.
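The two stages described above, the look-alike download domains and the python311.dll sideload, are both easy to flag in telemetry once you know what to look for. The script below is an added example, not code from the Rapid7 report or from the original post: it runs toy detection logic over constructed, Sysmon-style events. The domain list, the confusable-letter table, the runtime DLL names, the user paths and the event field names are all assumptions made for illustration.

```python
"""Added example (not the Rapid7 report's or the forum poster's code):
toy detection logic for the lure-and-sideload chain, run over
constructed, Sysmon-style events. Domains, paths and field names are
assumptions made for illustration, not real telemetry."""
from pathlib import PureWindowsPath
from urllib.parse import urlparse

# Assumption: the brand domains the lure sites imitate.
LEGIT_DOMAINS = {"putty.org", "winscp.net"}

# Multi-character look-alikes seen in typosquats; collapse them before
# measuring edit distance so "vvinscp" compares as "winscp".
CONFUSABLES = {"vv": "w", "rn": "m", "0": "o", "1": "l"}

# Python runtime DLLs a sideloading installer would carry beside its EXE.
PYTHON_RUNTIME_DLLS = {"python3.dll", "python311.dll", "python312.dll"}
# Processes that legitimately load those DLLs from their own directory.
PYTHON_HOSTS = {"python.exe", "pythonw.exe"}


def normalize(domain: str) -> str:
    """Lower-case a host name and collapse known look-alike sequences."""
    d = domain.lower().rstrip(".")
    for look_alike, real in CONFUSABLES.items():
        d = d.replace(look_alike, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_of(url: str, max_distance: int = 2):
    """Return the legitimate domain a URL's host imitates, or None.

    Exact matches and subdomains of a legitimate domain are never flagged;
    anything else within max_distance edits (after normalization) is.
    """
    host = (urlparse(url).hostname or "").lower()
    if host in LEGIT_DOMAINS or any(host.endswith("." + d) for d in LEGIT_DOMAINS):
        return None
    norm = normalize(host)
    for legit in sorted(LEGIT_DOMAINS):
        if levenshtein(norm, legit) <= max_distance:
            return legit
    return None


def sideload_suspect(event: dict) -> bool:
    """True when a Python runtime DLL is loaded from the loader's own
    directory by a process that is not a Python interpreter.

    A real per-user Python install (python.exe loading python311.dll
    from the same folder) is expected and must not fire this rule.
    """
    if event.get("type") != "image_load":
        return False
    loader = PureWindowsPath(event["image"])
    dll = PureWindowsPath(event["loaded"])
    return (dll.name.lower() in PYTHON_RUNTIME_DLLS
            and loader.name.lower() not in PYTHON_HOSTS
            and dll.parent == loader.parent)


# Constructed telemetry modelled on the chain in the report (not real logs).
EVENTS = [
    {"type": "download", "url": "https://puutty.org/download/putty.zip"},
    {"type": "download", "url": "https://vvinscp.net/WinSCP-Setup.zip"},
    {"type": "download", "url": "https://winscp.net/download/WinSCP-6.3.3-Setup.exe"},
    {"type": "image_load",
     "image": r"C:\Users\alice\Downloads\putty\Setup.exe",
     "loaded": r"C:\Users\alice\Downloads\putty\python311.dll"},
    {"type": "image_load",  # benign: a real per-user Python install
     "image": r"C:\Users\bob\AppData\Local\Programs\Python\Python311\python.exe",
     "loaded": r"C:\Users\bob\AppData\Local\Programs\Python\Python311\python311.dll"},
]


def analyze(events):
    """Run both rules over an event stream and return human-readable findings."""
    findings = []
    for ev in events:
        if ev.get("type") == "download":
            legit = typosquat_of(ev["url"])
            if legit:
                findings.append(f"typosquat: {urlparse(ev['url']).hostname} imitates {legit}")
        elif sideload_suspect(ev):
            findings.append(f"sideload: {ev['image']} loaded {ev['loaded']}")
    return findings


if __name__ == "__main__":
    for line in analyze(EVENTS):
        print(line)
```

On the constructed events this reports the two look-alike hosts and the Setup.exe that loads python311.dll from a Downloads folder, while leaving the genuine winscp.net download and the real python.exe alone. The edit-distance threshold and the confusable table are deliberately small; in production you would pair the domain rule with a vendor allow-list and the sideload rule with an Authenticode check on the loaded DLL, since the legitimate python311.dll is signed and a tampered copy is not.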