BlackCat Operators Distributing Ransomware Disguised as WinSCP via Malvertising
2023-07-03 04:46

Threat actors associated with the BlackCat ransomware have been observed employing malvertising tricks to distribute rogue installers of the WinSCP file transfer application.

"Malicious actors used malvertising to distribute a piece of malware via cloned webpages of legitimate organizations," Trend Micro researchers said in an analysis published last week.

Malvertising refers to the use of SEO poisoning techniques to spread malware via online advertising.

The idea is to trick users searching for applications like WinSCP into downloading malware. In this instance, the malware is a backdoor containing a Cobalt Strike Beacon that connects to a remote server for follow-on operations, while legitimate tools like AdFind are also employed to facilitate network discovery.

Despite the dynamic nature of the cybercrime ecosystem, as nefarious cyber actors come and go, and some operations partner together, shut down, or rebrand their financially motivated schemes, ransomware continues to be a constant threat.

"Rhysida is a 64-bit Portable Executable Windows cryptographic ransomware application compiled using MINGW/GCC," SentinelOne said in a technical write-up.


News URL

https://thehackernews.com/2023/07/blackcat-operators-distributing.html

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Winscp 1 0 6 1 2 9