BlackCat ransomware pushes Cobalt Strike via WinSCP search ads
The BlackCat ransomware group is running malvertising campaigns to lure people into fake pages that mimic the official website of the WinSCP file-transfer application for Windows but instead push malware-ridden installers.
The BlackCat attack observed by Trend Micro begins with the victim searching for "WinSCP Download" on Bing or Google and getting promoted malicious results ranked above the safe WinSCP download sites.
The victims click on those ads and visit a website that hosts tutorials about performing automated file transfers using WinSCP. These sites contain nothing malicious, likely to evade detection by Google's anti-abuse crawlers, but they redirect visitors to a clone of the official WinSCP website featuring a download button.
Other tools used by ALPHV. With Cobalt Strike running on the system, it is easy to execute additional scripts, fetch tools for lateral movement, and generally deepen the compromise.