Malvertising to the masses: hackers manipulate Google search results and infect naive users with malware

Lord777

Securonix researchers have uncovered a malicious campaign implemented through a fake WinSCP.

Cybercriminals manipulate Google search results and place fake advertisements in them, deceiving users who are trying to install legitimate WinSCP software.

Securonix tracks this hacking activity under the name "SEO#LURKER". According to the researchers, the malicious ad redirects users to the hacked "gameeweb [.] com" website on WordPress, which then redirects them to a phishing site controlled by the attackers.

To create ad redirects, attackers use dynamic Google search ads. The main purpose of this multi-step attack is to attract users to a fake WinSCP site with the domain "winccp [.] net" and convince them to download malware.
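The lure in this campaign is a domain one character away from the real vendor's. The following is an added example, not code from the original post or from Securonix: it scans constructed proxy log lines for installer or archive downloads from hosts that are a near-miss of a trusted vendor domain. The log format and the TRUSTED list are assumptions.

```python
# Added example (not from the original post): flag archive/installer downloads
# whose host is a near-miss of a trusted vendor domain, the pattern behind the
# fake winccp[.]net site. Log format and TRUSTED list are assumptions.
from urllib.parse import urlparse

TRUSTED = {"winscp.net"}  # legitimate vendor domains the defender maintains

# Constructed sample proxy log lines: "<timestamp> <user> <url> <status>".
SAMPLE_LOG = """\
2023-11-01T10:02:11Z alice https://winscp.net/download/WinSCP-6.1.2-Setup.exe 200
2023-11-01T10:05:42Z bob https://winccp.net/files/WinSCP-Setup.zip 200
2023-11-01T10:06:01Z bob https://gameeweb.com/wp-content/index.php 302
"""

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    """Crude eTLD+1: last two labels (enough for the sample domains)."""
    return ".".join(host.lower().split(".")[-2:])

def lookalike_of(host: str, max_dist: int = 2):
    """Return the trusted domain this host imitates, or None if exact/unrelated."""
    dom = registrable(host)
    if dom in TRUSTED:
        return None
    return next((t for t in TRUSTED if edit_distance(dom, t) <= max_dist), None)

def scan_log(text: str):
    """Return (user, host, imitated) for installer downloads from lookalike hosts."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _, user, url, _ = parts
        host = urlparse(url).hostname or ""
        if url.lower().endswith((".zip", ".exe", ".msi")) and (t := lookalike_of(host)):
            hits.append((user, host, t))
    return hits

if __name__ == "__main__":
    for user, host, imitated in scan_log(SAMPLE_LOG):
        print(f"{user}: {host} imitates {imitated}")
```

A production version would use a public-suffix library for the registrable domain and a larger vendor list, but the edit-distance check is the same.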

It is noteworthy that the success of redirection directly depends on the correctness of the specified link header. If the link is entered incorrectly, hackers simply "rickroll" the unsuspecting user.

Returning to the successful redirect scenario, it is worth noting that the malware is delivered as a ZIP archive containing an executable file. When it is run, DLL sideloading is used to execute a malicious DLL, while a genuine WinSCP installer is needed to maintain the veil of deception.

Further malicious actions are provided by Python scripts that are unpacked and activated in the background. These scripts are designed to communicate with the attackers' remote server and receive further instructions to execute commands on the infected device.

Based on the use of Google Ads to distribute malware, it is assumed that the target of the campaign is users who purposefully search for WinSCP software, but there is no certainty that hackers will not apply a similar scenario to any other popular software.

So, at the end of last month, we already informed you about a malvertising campaign uncovered by researchers from Malwarebytes, aimed at developers who search for PyCharm in the Google search bar. Of course, instead of the desired software, naive victims downloaded malware to their computer.

Recently, malvertising has become increasingly popular among cybercriminals, with many very similar malicious campaigns.