Malvertising Attacks: A New Threat for Windows Administrators - PuTTY and WinSCP

Tags: PuTTY, WinSCP, Reflective DLL Injection, BlackCat/ALPHV, Malvertising
In March 2024, attackers ran a campaign that distributed trojanized installers for WinSCP and PuTTY through malicious ads. The installers contained a renamed pythonw.exe, which loaded a malicious DLL; that DLL in turn side-loaded the legitimate DLL and injected a Sliver beacon via reflective DLL injection. From that foothold the attackers established persistence, downloaded additional payloads, stole data, and deployed ransomware with tactics resembling those of the BlackCat/ALPHV group.
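A defender-side check for the renamed-host pattern described above, added here as an example and not taken from the report: it flags executables whose embedded OriginalFilename (such as pythonw.exe) differs from their on-disk name, and lists the unsigned DLLs beside them that such a host could side-load. The function name and the starting directory are assumptions.

```powershell
# Added example (not from the original report). Flags PE files whose embedded
# OriginalFilename does not match the file name they carry on disk, the tell-tale
# of a renamed interpreter such as pythonw.exe, and lists unsigned DLLs in the
# same directory as side-loading candidates. $Root is an assumed start directory.
function Find-RenamedHostBinaries {
    param(
        [Parameter(Mandatory)] [string] $Root
    )
    Get-ChildItem -Path $Root -Recurse -File -Filter '*.exe' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $exe  = $_
            $vi   = $exe.VersionInfo
            $orig = $vi.OriginalFilename
            # Skip binaries that carry no OriginalFilename resource at all.
            if ([string]::IsNullOrWhiteSpace($orig)) { return }
            if ($orig -ine $exe.Name) {
                # Any DLL next to the renamed host that is not Authenticode-signed
                # is a candidate for side-loading by it.
                $unsignedDlls = Get-ChildItem -Path $exe.DirectoryName -Filter '*.dll' -File |
                    Where-Object { (Get-AuthenticodeSignature $_.FullName).Status -ne 'Valid' } |
                    Select-Object -ExpandProperty Name
                [pscustomobject]@{
                    Path             = $exe.FullName
                    OriginalFilename = $orig
                    ProductName      = $vi.ProductName
                    HostSignature    = (Get-AuthenticodeSignature $exe.FullName).Status
                    UnsignedDlls     = ($unsignedDlls -join ', ')
                }
            }
        }
}

# Triage the results by hand: some legitimate installers and launcher stubs also
# report a different OriginalFilename, so a hit is a lead, not a verdict.
Find-RenamedHostBinaries -Root "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
```

Run it against download folders and software install paths; a renamed pythonw.exe shows OriginalFilename "pythonw.exe" under a file name that does not match, with python DLLs beside it.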

Indicators of Compromise


Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATIONS

Resource Development

  • T1583.008: Acquire Infrastructure: Malvertising

    • Implement comprehensive ad-blocking solutions across the organization's network.

    • Educate users on the dangers of clicking on ads and encourage the use of official software download sources.

Initial Access

  • T1189: Drive-by Compromise

    • Employ secure web gateways and advanced threat protection solutions to monitor and block malicious websites.

    • Encourage users to verify URLs before downloading software and use trusted sources.

Execution

  • T1106: Native API

    • Implement endpoint protection solutions that can detect and block suspicious API calls.

    • Regularly update endpoint security solutions to recognize new threats.

  • T1204.002: User Execution: Malicious File

    • Use application whitelisting to prevent unauthorized software execution.

    • Train users to recognize phishing and other social engineering tactics.

  • T1059.006: Command and Scripting Interpreter: Python

    • Restrict the execution of scripting languages like Python on endpoints where they are not necessary.

    • Use script-blocking tools and monitor script execution logs for anomalies.

Persistence

  • T1543.003: Create or Modify System Process: Windows Service

    • Monitor and restrict the creation of new services.

    • Use endpoint detection and response (EDR) tools to alert on suspicious service creation activities.

  • T1053.005: Scheduled Task/Job: Scheduled Task

    • Regularly audit scheduled tasks and jobs.

    • Implement alerts for the creation of new scheduled tasks, especially those not conforming to typical patterns.

Defense Evasion

  • T1140: Deobfuscate/Decode Files or Information

    • Use advanced malware detection tools capable of identifying and analyzing obfuscated code.

    • Conduct regular code reviews and employ static and dynamic analysis tools.

  • T1222.001: File and Directory Permissions Modification: Windows File and Directory Permissions Modification

    • Enforce strict file and directory permissions.

    • Use tools to monitor and alert on changes to critical file permissions.

  • T1574.001: Hijack Execution Flow: DLL Search Order Hijacking

    • Implement system hardening measures to secure the DLL search order.

    • Use tools to monitor and alert on suspicious DLL loads.

  • T1574.002: Hijack Execution Flow: DLL Side-Loading

    • Employ endpoint security solutions capable of detecting DLL side-loading attempts.

    • Regularly audit and verify DLL files on critical systems.

  • T1027.002: Obfuscated Files or Information: Software Packing

    • Use advanced threat detection tools to unpack and analyze packed files.

    • Train security teams to recognize signs of software packing.

  • T1027.013: Obfuscated Files or Information: Encrypted/Encoded File

    • Implement data loss prevention (DLP) solutions to monitor and control data encryption activities.

    • Use tools that can detect and analyze encoded or encrypted files.

  • T1055.001: Process Injection: Dynamic-link Library Injection

    • Use EDR tools to detect and block process injection attempts.

    • Regularly review and update security policies to address injection techniques.

Lateral Movement

  • T1570: Lateral Tool Transfer

    • Monitor and restrict the use of tools like SMB for lateral movement.

    • Use network segmentation to limit lateral movement opportunities.

Exfiltration

  • T1567.002: Exfiltration Over Web Service: Exfiltration to Cloud Storage

    • Implement DLP solutions to monitor and block unauthorized data exfiltration attempts.

    • Use web application firewalls (WAFs) to detect and prevent data transfers to unauthorized cloud storage services.

Impact

  • T1486: Data Encrypted for Impact

    • Regularly back up critical data and ensure backups are stored securely and offline.

    • Use ransomware protection solutions to detect and block encryption activities.

    • Train users to recognize and respond to ransomware threats.

By following these remediation steps, organizations can effectively mitigate the threats posed by the described campaign.