IT Teams Beware! Weaponized WinSCP & PuTTY Delivers Ransomware

15 May 2024

Attackers launched a campaign distributing trojanized installers for WinSCP and PuTTY in early March 2024, as clicking malicious ads after searching for the software leads to downloads containing a renamed pythonw.exe that loads a malicious DLL. The DLL side-loads a legitimate DLL and injects a Sliver beacon using a reflective DLL injection technique, where the attackers then establish persistence, download additional payloads, attempt to steal data, and deploy ransomware, which shows TTPs similar to those used by BlackCat/ALPHV in the past Appearance of the cloned WinSCP website. The ad for PuTTY download redirected users to a typo-squatted domain (putty.org) hosting a malicious download link.

Source: GBHackers

Date:

15 May 2024

Categorie(s):

NEWS

Tag(s):

Cyber Threats, Cybersecurity Threats, Malicious Software, Malware, Teams

Cyberthreats linked to foreign actors aim to hinder Election Day proceedings5 November 2024
DocuSign’s API used to lure victims into e-signing fake invoices5 November 2024
Schneider Electric ransomware crew demands $125k paid in baguettes5 November 2024
How to Become a Chief Information Officer: CIO Cheat Sheet5 November 2024
Research: Extending corporate life of laptops by just one year can reduce harmful emissions by 25%5 November 2024