
Malvertising Attacks: A New Threat for Windows Administrators - PuTTY and WinSCP
In March 2024, attackers ran a campaign that distributed trojanized WinSCP and PuTTY installers through malicious search-engine ads. The downloaded package contained setup.exe, a renamed copy of the legitimate pythonw.exe, next to a malicious python311.dll. Because Windows resolves that DLL from the executable's own directory first, launching setup.exe side-loaded the malicious DLL, which proxied legitimate calls to a renamed copy of the real python311.dll and ran a Python script that loaded a Sliver beacon through reflective DLL injection. From that foothold the attackers established persistence with a service and a scheduled task, downloaded additional payloads, stole data, and deployed ransomware with tactics resembling those of the BlackCat/ALPHV group.
Indicators of Compromise
Domains (10)
vvinscp.net
wnscp.net
fkm-system.com
puttty.org
areauni.com
puttyy.org
mkt.geostrategy-ec.com
putyy.org
puutty.org
winnscp.net
Hashes (60)
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
IPv4 (18)
94.158.244.32
82.221.129.39
82.221.136.24
82.221.136.1
94.156.65.98
94.156.67.83
185.82.219.92
91.92.249.106
91.92.255.77
91.92.249.155
94.156.67.188
91.92.255.71
94.156.67.185
94.156.65.115
91.92.252.238
91.92.244.41
91.92.242.183
91.92.253.80
Notes
<span id="docs-internal-guid-3b4351f5-7fff-8931-339c-4b18779df8f4"><div style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">CONCLUSION</span></div><div style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">In March 2024, a ransomware campaign targeted Windows administrators through trojanized installers for WinSCP and PuTTY, distributed via malicious search-engine ads. The ads led to look-alike download sites such as the typosquatted puttty.org and winnscp.net listed above, from which victims fetched a package containing setup.exe, a renamed copy of the legitimate pythonw.exe, together with a malicious python311.dll. Because the launcher loads python311.dll from its own directory, running setup.exe side-loaded the malicious DLL, which proxied legitimate calls to a renamed copy of the real DLL and reflectively loaded a Sliver beacon. From that beacon the attackers deployed additional payloads, stole data, and eventually installed ransomware. The techniques closely resemble those employed by the </span><a href="https://socradar.io/dark-web-profile-blackcat-alphv/"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(17, 85, 204); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; text-decoration-line: underline; vertical-align: baseline;">BlackCat/ALPHV group</span></a><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">. 
The incident shows why software should be obtained only from the vendor's own site and verified by signature and hash before it is run, and why defenses need to catch DLL side-loading and beacon traffic rather than trust an installer's file name.</span></div><div><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"><br></span></div></span>
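The side-loading layout described above (a renamed pythonw.exe next to a malicious python311.dll that proxies to a renamed copy of the real DLL) and the "verify download sources" advice in the Mitigation section below can both be turned into routine checks. The PowerShell below is an added example written for this page, not code from the original report or from the PuTTY, WinSCP or Python projects. It assumes the copied launcher still carries python.org's version resource (OriginalFilename = pythonw.exe or python.exe), uses hypothetical function names and placeholder paths and hashes, and takes its domain list from the IOC section above.

```powershell
# Added example, not code from the original report.
# Two checks a Windows administrator can run against this campaign's tradecraft:
#   1. Find-PythonSideloadCandidates: hunt a directory tree for a renamed
#      pythonw.exe sitting next to a python311.dll (the side-loading layout).
#   2. Test-DownloadedInstaller: verify a freshly downloaded installer (signature,
#      vendor-published hash, and the download origin recorded in Mark-of-the-Web).
# Function names, parameters and the sample paths are this example's own
# assumptions; the domain list is copied from the IOC section of the page.

$KnownBadDomains = @(
    'vvinscp.net', 'wnscp.net', 'fkm-system.com', 'puttty.org', 'areauni.com',
    'puttyy.org', 'mkt.geostrategy-ec.com', 'putyy.org', 'puutty.org', 'winnscp.net'
)

function Find-PythonSideloadCandidates {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $Root)   # e.g. a user's Downloads folder

    Get-ChildItem -Path $Root -Recurse -File -Filter *.exe -ErrorAction SilentlyContinue |
    ForEach-Object {
        $exe  = $_
        # Assumption: the copied launcher still carries the python.org version resource,
        # so OriginalFilename says pythonw.exe even though the file is called setup.exe.
        $orig = $exe.VersionInfo.OriginalFilename
        if ($orig -and ($orig -ieq 'pythonw.exe' -or $orig -ieq 'python.exe') -and ($exe.Name -ine $orig)) {
            $dll = Join-Path $exe.DirectoryName 'python311.dll'
            $dllStatus = if (Test-Path $dll) { (Get-AuthenticodeSignature $dll).Status } else { 'Missing' }
            # The report describes the malicious DLL proxying calls to a renamed copy of the
            # real python311.dll; that copy keeps its original name in its version resource.
            $proxyCopies = Get-ChildItem -Path $exe.DirectoryName -File -Filter *.dll -ErrorAction SilentlyContinue |
                Where-Object { ($_.Name -ine 'python311.dll') -and ($_.VersionInfo.OriginalFilename -ieq 'python311.dll') } |
                Select-Object -ExpandProperty Name
            [pscustomobject]@{
                Executable       = $exe.FullName
                OriginalFilename = $orig
                Python311Dll     = $dll
                DllSignature     = $dllStatus      # python.org's DLL is signed; a dropped one usually is not
                RenamedRealDll   = ($proxyCopies -join ', ')
            }
        }
    }
}

function Test-DownloadedInstaller {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256,   # copy from the vendor's download page
        [string] $ExpectedSignerMatch                        # substring of the vendor's certificate subject
    )
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $hash   = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

    # Mark-of-the-Web: browsers record the download URL in the Zone.Identifier stream,
    # which lets us match the origin against the typosquat domains from the IOC list.
    $motw    = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $hostUrl = ($motw | Where-Object { $_ -like 'HostUrl=*' } | Select-Object -First 1) -replace '^HostUrl=', ''
    $fromKnownBad = $false
    if ($hostUrl) {
        try {
            $h = ([uri]$hostUrl).Host
            $match = $KnownBadDomains | Where-Object { ($h -ieq $_) -or ($h -like "*.$_") } | Select-Object -First 1
            $fromKnownBad = [bool]$match
        } catch { $fromKnownBad = $false }   # unparsable HostUrl: treat as unknown origin
    }

    $signerOk = (-not $ExpectedSignerMatch) -or ($signer -like "*$ExpectedSignerMatch*")
    [pscustomobject]@{
        Path            = $Path
        SignatureStatus = $sig.Status                 # Valid, NotSigned, HashMismatch, ...
        Signer          = $signer
        HashMatches     = ($hash -ieq $ExpectedSha256)
        DownloadedFrom  = $hostUrl
        FromKnownBad    = $fromKnownBad
        SafeToRun       = (($sig.Status -eq 'Valid') -and $signerOk -and ($hash -ieq $ExpectedSha256) -and (-not $fromKnownBad))
    }
}

# Usage (placeholder paths, hash and signer name):
# Find-PythonSideloadCandidates -Root "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
# Test-DownloadedInstaller -Path "$env:USERPROFILE\Downloads\winscp-setup.exe" `
#     -ExpectedSha256 '<sha256 from the vendor page>' -ExpectedSignerMatch '<vendor certificate name>'
```

Treat a hit from Find-PythonSideloadCandidates as a lead, not a verdict: a legitimate embedded-Python application that renames its launcher produces the same layout, so compare the DLL's signature and hash with the python.org build before acting. Test-DownloadedInstaller reports SafeToRun only when the signature is valid, the hash equals the vendor-published value, and the Mark-of-the-Web origin is not one of the report's domains; when -ExpectedSignerMatch is supplied, a valid signature from an unexpected signer still fails.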
Mitigation
<span id="docs-internal-guid-5eff1f40-7fff-ee40-ee4f-a1a2c83aeb35"><div style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="background-color: transparent; color: rgb(0, 0, 0); font-family: Arial, sans-serif; font-size: 12pt; font-weight: 700;">MITIGATIONS</span></div><div style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span id="docs-internal-guid-7993d9e2-7fff-88e3-7a9e-e8570e9de986"><ul style="margin-top:0;margin-bottom:0;">
<li style="list-style-type: disc; font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre;"><p style="line-height:1.38;margin-top:12pt;margin-bottom:0pt;" role="presentation"><span style="font-size: 11pt; background-color: transparent; font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Verify Download Sources</span><span style="font-size: 10pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">: Download PuTTY and WinSCP only from the vendors' own sites, never from a sponsored search result or a look-alike domain such as puttty.org or winnscp.net. Before running an installer, check its Authenticode signature and compare its SHA-256 hash with the value the vendor publishes; no genuine PuTTY or WinSCP installer ships a renamed pythonw.exe beside a python311.dll.</span></p></li>
<li style="list-style-type: disc; font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;" role="presentation"><span style="font-size: 10pt; background-color: transparent; font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Ad-Blocking Solutions</span><span style="font-size: 10pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">: Deploy ad-blocking in browsers and block the domains listed in the IOC section at the DNS or proxy layer to reduce exposure to malvertising.</span></p></li>
<li style="list-style-type: disc; font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;" role="presentation"><span style="font-size: 10pt; background-color: transparent; font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Endpoint Protection</span><span style="font-size: 10pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">: Use endpoint protection that detects behaviors such as DLL side-loading and reflective DLL injection rather than relying on file hashes alone, since the final payload here is unpacked through several layers of obfuscation.</span></p></li>
<li style="list-style-type: disc; font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;" role="presentation"><span style="font-size: 10pt; background-color: transparent; font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">User Education</span><span style="font-size: 10pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">: Train employees to distrust sponsored search results, to compare a download page's domain with the vendor's real one, to recognize phishing attempts, and to avoid untrusted software downloads.</span></p></li>
<li style="list-style-type: disc; font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;" role="presentation"><span style="font-size: 10pt; background-color: transparent; font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Regular Audits and Monitoring</span><span style="font-size: 10pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">: Audit system processes, services, and scheduled tasks for entries the organization did not deploy; this campaign persisted through both a new service and a scheduled task. Monitor network traffic for C2 communications, including connections to the IP addresses and domains listed above.</span></p></li>
<li style="list-style-type: disc; font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:12pt;" role="presentation"><span style="font-size: 10pt; background-color: transparent; font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Behavioral Analysis</span><span style="font-size: 10pt; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">: Employ tools that analyze application behavior in real time, so that a Python launcher spawning a beacon, loading a driver, or creating a service is flagged regardless of the file names involved.</span></p></li>
</ul></span></div><br><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">The TTP table below charts the attackers' operational scheme. 
In the next tab, it will be explained how precautions can be taken against these TTPs.</span></p><br><h2 style="line-height:1.38;background-color:#f8f8f8;margin-top:0pt;margin-bottom:4pt;padding:18pt 0pt 0pt 0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">MITRE ATT&CK Techniques</span></h2><div style="margin-left:0pt;" align="left"><table style="border:none;border-collapse:collapse;"><colgroup><col><col><col></colgroup><tbody><tr style="height:37.75pt;"><td style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Tactic</span></p></td><td style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Technique</span></p></td><td style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; 
font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Procedure</span></p></td></tr><tr style="height:64pt;"><td style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Resource Development</span></p></td><td style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1583/008/"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(17, 85, 204); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">T1583.008</span></a><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">: Acquire Infrastructure: Malvertising</span></p></td><td style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: 
normal; vertical-align: baseline;">The threat actor uses ads to promote malware delivery via popular search engines.</span></p></td></tr><tr style="height:91pt;"><td style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Initial Access</span></p></td><td style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1189/"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">T1189</span></a><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">: Drive-by Compromise</span></p></td><td style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">The user clicks on a malicious ad populated from a typical search 
engine query for a software utility and is ultimately redirected to a page hosting malware.</span></p></td></tr><tr style="height:64pt;"><td style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Execution</span></p></td><td style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1106/"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">T1106</span></a><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">: Native API</span></p></td><td style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">The malware dynamically resolves and executes functions from ntdll.dll at 
runtime.</span></p></td></tr><tr style="height:77.5pt;"><td style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Execution</span></p></td><td style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1204/002/"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">T1204.002</span></a><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">: User Execution: Malicious File</span></p></td><td style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">The user downloads and executes setup.exe (renamed pythonw.exe), which side-loads and executes the malicious DLL python311.dll.</span></p></td></tr><tr 
style="height:51.25pt;"><td style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Execution</span></p></td><td style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1059/006/"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">T1059.006</span></a><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">: Command and Scripting Interpreter: Python</span></p></td><td style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">The malicious DLL executes a Python script that loads and runs a Sliver beacon.</span></p></td></tr><tr style="height:91pt;"><td 
style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Persistence</span></p></td><td style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1543/003/"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">T1543.003</span></a><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">: Create or Modify System Process: Windows Service</span></p></td><td style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">The threat actor creates a service to execute a C2 beacon. 
The threat actor loads a vulnerable driver to facilitate disabling antivirus software and other defenses present.</span></p></td></tr><tr style="height:51.25pt;"><td style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Persistence</span></p></td><td style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1053/005/"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">T1053.005</span></a><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">: Scheduled Task/Job: Scheduled Task</span></p></td><td style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">The threat actor creates a scheduled task to 
execute a C2 beacon.</span></p></td></tr><tr style="height:64pt;"><td style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Defense Evasion</span></p></td><td style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1140/"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">T1140</span></a><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">: Deobfuscate/Decode Files or Information</span></p></td><td style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">The malware uses various string manipulation and obfuscation techniques.</span></p></td></tr><tr style="height:77.5pt;"><td 
style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Defense Evasion</span></p></td><td style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1222/001/"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">T1222.001</span></a><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">: File and Directory Permissions Modification: Windows File and Directory Permissions Modification</span></p></td><td style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">The malware calls chmod to change file permissions prior to execution.</span></p></td></tr><tr style="height:77.5pt;"><td 
style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Defense Evasion</span></p></td><td style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1574/001/"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">T1574.001</span></a><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">: Hijack Execution Flow: DLL Search Order Hijacking</span></p></td><td style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">The malware contained in python311.dll is loaded by a renamed copy of pythonw.exe from the same directory.</span></p></td></tr><tr style="height:91pt;"><td 
style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Defense Evasion</span></p></td><td style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1574/002/"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">T1574.002</span></a><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">: Hijack Execution Flow: DLL Side-Loading</span></p></td><td style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">The malware contained in python311.dll is loaded by a renamed copy of pythonw.exe and proxies requests to a renamed copy of the legitimate DLL.</span></p></td></tr><tr style="height:77.5pt;"><td 
style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Defense Evasion</span></p></td><td style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1027/002/"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">T1027.002</span></a><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">: Obfuscated Files or Information: Software Packing</span></p></td><td style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">The final payload executed by the malware is unpacked through several layers of compression, encryption, and file formats.</span></p></td></tr><tr style="height:64pt;"><td 
style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Defense Evasion</span></p></td><td style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1027/013/"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">T1027.013</span></a><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">: Obfuscated Files or Information: Encrypted/Encoded File</span></p></td><td style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">The malware also stores other file dependencies under several layers of obfuscation.</span></p></td></tr><tr style="height:51.25pt;"><td
style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Defense Evasion</span></p></td><td style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1055/001/"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">T1055.001</span></a><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">: Process Injection: Dynamic-link Library Injection</span></p></td><td style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">The malware loads a Sliver beacon DLL via a Python script.</span></p></td></tr><tr style="height:51.25pt;"><td
style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Lateral Movement</span></p></td><td style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1570/"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">T1570</span></a><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">: Lateral Tool Transfer</span></p></td><td style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">The threat actor uses SMB via Cobalt Strike to pivot post-compromise.</span></p></td></tr><tr style="height:64pt;"><td
style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Exfiltration</span></p></td><td style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1567/002/"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">T1567.002</span></a><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">: Exfiltration Over Web Service: Exfiltration to Cloud Storage</span></p></td><td style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">The threat actor attempts to exfiltrate data to a backup using Restic.</span></p></td></tr><tr style="height:64pt;"><td
style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Impact</span></p></td><td style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1486/"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">T1486</span></a><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">: Data Encrypted for Impact</span></p></td><td style="vertical-align:top;background-color:#f8f8f8;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(36, 43, 46); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">The threat actor attempts to deploy ransomware after exfiltrating data.</span></p></td></tr></tbody></table><br></div></span>
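The side-loading chain the table describes (a renamed pythonw.exe loading a malicious python311.dll from its own directory, which then proxies to a renamed copy of the legitimate DLL) leaves a recognisable pattern in DLL-load telemetry. The following is an added example and not code from the report or its authors: it runs over constructed Sysmon-style records, and the record layout, the placeholder file names under the download folder and the two-indicator threshold are all assumptions.

```python
"""Added example (not from the report): flag a renamed pythonw.exe loading an unsigned
python311.dll from its own directory that proxies to a renamed, signed copy of the real
DLL. Records are constructed, Sysmon-style (Event ID 7 fields + host OriginalFileName)."""
from collections import defaultdict
from dataclasses import dataclass
import ntpath

@dataclass
class DllLoad:
    process_id: int
    image: str                 # host executable (Sysmon Image)
    image_original_name: str   # host's version-resource OriginalFileName (Event ID 1)
    image_loaded: str          # DLL path (Sysmon ImageLoaded)
    loaded_original_name: str  # DLL's own OriginalFileName ("" when absent)
    signed: bool               # Sysmon Signed: valid Authenticode signature on the DLL

def _name(path):
    return ntpath.basename(path).lower()

def sideload_indicators(events):
    """Return {pid: [reason, ...]}; two indicators are required, so a lone renamed exe or unsigned DLL does not alert."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev.process_id].append(ev)
    findings = {}
    for pid, loads in by_pid.items():
        host, reasons = loads[0], []
        if host.image_original_name.lower() == "pythonw.exe" and _name(host.image) != "pythonw.exe":
            reasons.append("host is a renamed pythonw.exe: " + _name(host.image))
        for ev in loads:
            dll = _name(ev.image_loaded)
            same_dir = ntpath.dirname(ev.image_loaded).lower() == ntpath.dirname(ev.image).lower()
            if dll == "python311.dll" and same_dir and not ev.signed:
                reasons.append("unsigned python311.dll loaded from the host's own directory")
            if ev.loaded_original_name.lower() == "python311.dll" and dll != "python311.dll":
                reasons.append("genuine python311.dll mapped under another name: " + dll)
        if len(reasons) >= 2:
            findings[pid] = reasons
    return findings

# Constructed sample: a trojanized installer (pid 4100) beside a clean Python launch (pid 5200); file names are placeholders.
SAMPLE = [
    DllLoad(4100, r"C:\Users\admin\Downloads\winscp\setup.exe", "pythonw.exe",
            r"C:\Users\admin\Downloads\winscp\python311.dll", "", False),
    DllLoad(4100, r"C:\Users\admin\Downloads\winscp\setup.exe", "pythonw.exe",
            r"C:\Users\admin\Downloads\winscp\python311x.dll", "python311.dll", True),
    DllLoad(5200, r"C:\Program Files\Python311\pythonw.exe", "pythonw.exe",
            r"C:\Program Files\Python311\python311.dll", "python311.dll", True),
]
```

Feeding real Sysmon data requires joining each process's Event ID 1 OriginalFileName onto its Event ID 7 loads; the threshold keeps a legitimately renamed interpreter from alerting on its own.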