A well-known ransomware group is pushing fake ads to lure people into visiting webpages that spoof the official WinSCP (Windows Secure Copy) site, experts have warned.
BlackCat, also known as ALPHV, has loaded the pages with malware installers that infect the victim when they visit. BleepingComputer claims that the group hopes to target “system administrators, web admins, and IT professionals for initial access to valuable corporate networks.”
These users would be most interested in using WinSCP, as the client is open source and allows for SSH file transfer with file management capabilities, allowing for secure transfers between local machines and remote servers. It also can also act as an WebDAV and Amazon S3 client.
The fake ads were spotted on Google and Bing search pages, with Trend Micro, who first spotted the campaign, noting that searches for “WinSCP Download” on these sites leads to the malicious ads being promoted above safe and legitimate results.
The fake websites that the links in these ads lead to have a tutorial on using WinSCP. These sites in themselves are not dangerous, helping them to avoid detection by Google, but they do redirect visitors to a fake version of the WinSCP site with similar domain names, such as winsccp[.]com (the real site is winscp.net).
On these fake sites is a download button, which when clicked, downloads an ISO file containing the malware. This malware sets up a connection with the attacker’s command-and-control server, and can lay the ground for further penetration of the target system, such as retrieving Active Directory (AD) information, extracting files and obtaining Veeam credentials.
It also uses SpyBoy, a known terminator that can disable endpoint protection and antivirus software. BleepingComputer notes that this can go for as much as $3,000 on hacking forums. It can escalate privileges on a system and then disable them.
In addition to BlackCat, Trend Micro also says it also found a Clop ransomware file in one of the attacker’s C2 domains, suggesting that they may be linked to multiple ransomware operations.