Hackers are using malvertising to target Windows system administrators in an attempt to infect them with ransomware.
In a recent campaign observed by cybersecurity researchers at Rapid7, hackers are impersonating two popular Windows utilities: WinSCP and PuTTY. WinSCP is an SFTP/FTP client, while PuTTY is an SSH client.
The campaign lacks creativity and relies on system admins being in a hurry, reckless, or overly trusting of search engines. The attackers create fake websites for popular tools such as PuTTY and WinSCP, on lookalike domains like puutty[.]org, wnscp[.]net, and vvinscp[.]net.
They then manipulate search engine results to ensure that the fake websites appear at the top when an admin searches for the tool, rather than typing the correct address or using a bookmark.
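The lookalike domains above differ from the real ones by a single typo or a character swap such as "vv" for "w". The following script, added here as an illustration and not part of Rapid7's research or the original article, shows one way a defender can catch that pattern in proxy logs: it normalises common homoglyph substitutions, compares the registrable label of each downloaded host against the imitated brand names by edit distance, and flags anything close that is not on an allowlist. The log lines are constructed samples, and the allowlist of legitimate hosts is an assumption you should replace with your own vetted list.

```python
"""Flag lookalike PuTTY/WinSCP download hosts in web-proxy logs (added example)."""
from urllib.parse import urlsplit

# Brand names the campaign described in the article imitates.
BRANDS = ("putty", "winscp")

# Hosts treated as legitimate. Assumption: replace with your organisation's vetted list.
ALLOWED_HOSTS = {
    "winscp.net",
    "www.winscp.net",
    "www.chiark.greenend.org.uk",  # upstream PuTTY download site
}

# Character pairs typosquatters use because they look alike in many fonts.
HOMOGLYPHS = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l")]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,          # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def normalise(label: str) -> str:
    """Lower-case the label and undo common homoglyph substitutions."""
    label = label.lower()
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def registrable_label(host: str) -> str:
    """Naive second-level label, e.g. 'puutty' for 'puutty.org' (ignores ccSLDs like co.uk)."""
    parts = host.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_host(host: str, max_distance: int = 2):
    """Return (brand, distance) if host looks like a brand lookalike, else None."""
    host = host.lower()
    if host in ALLOWED_HOSTS:
        return None
    label = normalise(registrable_label(host))
    for brand in BRANDS:
        distance = levenshtein(label, brand)
        if distance <= max_distance:
            return (brand, distance)
    return None


def scan_proxy_log(text: str):
    """Parse 'timestamp user method url' lines and return the suspicious downloads."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines rather than crash on them
        timestamp, user, _method, url = fields[:4]
        host = urlsplit(url).hostname
        if not host:
            continue
        verdict = classify_host(host)
        if verdict:
            brand, distance = verdict
            hits.append({"time": timestamp, "user": user, "host": host,
                         "imitates": brand, "distance": distance})
    return hits


# Constructed sample log lines; users, paths and times are invented for the demo.
SAMPLE_LOG = """\
2024-05-01T10:12:03Z alice GET https://puutty.org/download/installer.msi
2024-05-01T10:13:55Z bob GET https://winscp.net/eng/download.php
2024-05-01T10:15:21Z carol GET https://vvinscp.net/setup.exe
2024-05-01T10:16:07Z dave GET https://wnscp.net/archive.zip
2024-05-01T10:17:40Z erin GET https://github.com/example/project
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['user']} -> {hit['host']} "
              f"(looks like {hit['imitates']}, distance {hit['distance']})")
```

Hits from a script like this are a triage signal, not proof of compromise: the next step is to check whether the downloaded file was executed on the admin's workstation, since the article notes the fake sites serve loaders rather than the tool itself.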
If the admins fail to notice the deception, they download and install malware loaders, which then deploy ransomware.
The researchers believe that in this campaign, the hackers may be distributing the BlackCat ransomware (also known as ALPHV). That ransomware operation shut down following the successful breach of Change Healthcare, during which the company was reportedly extorted for $22 million. After this attack, the group took the money and terminated the entire operation.
Rapid7’s Tyler McGraw stated that “in a recent incident, we observed the threat actor attempt to exfiltrate data using the backup utility Restic, and then deploy ransomware, an attempt which was ultimately blocked during execution. The related techniques, tactics, and procedures (TTP) observed by Rapid7 are reminiscent of past BlackCat/ALPHV campaigns as reported by Trend Micro last year.”
For some time now, security researchers have been warning users not to place too much trust in search engines, as they are often manipulated to display malicious websites in top search results.