Ransomware Targets Windows Administrators via Malvertising on Putty, WinSCP


A recent surge in ransomware attacks is targeting Windows system administrators through deceptive online advertisements promoting fake download sites for popular utilities like Putty and WinSCP. These malicious campaigns exploit the higher privileges of system administrators to infiltrate networks, steal data, and deploy ransomware.

WinSCP, an SFTP and FTP client, and Putty, an SSH client, are widely used by administrators managing Windows networks. Given their critical role and elevated access rights, these administrators are prime targets for cybercriminals seeking to spread ransomware rapidly across a network and gain control of domain controllers.

According to a report from Rapid7, cybercriminals have launched a search engine campaign that displays ads for counterfeit Putty and WinSCP sites when users search for “download winscp” or “download putty.” While it’s unclear whether these ads were shown on Google or Bing, the fake sites used typosquatting domains like puutty.org and wnscp.net to deceive users.

These fraudulent sites mimic the legitimate WinSCP site (winscp.net) and an unofficial Putty site (putty.org), leading many users to believe they are legitimate. The actual official site for Putty is hosted at [chiark.greenend.org.uk/~sgtatham/putty](https://www.chiark.greenend.org.uk/~sgtatham/putty/).

The rogue download links on these sites either redirect users to legitimate sites or initiate a download from the attackers’ servers, depending on the referral source. The downloaded ZIP files contain a legitimate executable for Python for Windows (pythonw.exe) renamed as Setup.exe, and a malicious python311.dll file.

When executed, the legitimate pythonw.exe attempts to load the legitimate python311.dll it depends on. Because Windows resolves that dependency from the executable's own directory first, the renamed pythonw.exe instead loads the malicious python311.dll sitting beside it (DLL sideloading), which extracts and runs an encrypted Python script. This script installs the Sliver post-exploitation toolkit, a framework favored by attackers for establishing a foothold in corporate networks.
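The sideloading pattern above is easy to spot before anything runs: a renamed loader executable shipped next to the DLL it will resolve from its own directory. The following triage script is an added example, not code from the article or from Rapid7; it inspects a downloaded ZIP in memory, flags a python311.dll that is co-located with an .exe and whose SHA-256 is not on a known-good list, and uses a constructed sample archive of dummy bytes rather than real binaries (the allowlist is left for the reader to fill in, since the article publishes no hashes).

```python
import hashlib
import io
import posixpath
import zipfile

# Loader DLL names that a renamed pythonw.exe resolves from its own directory.
# python311.dll is the one named in the article; extend the set as needed.
SIDELOAD_DLL_NAMES = {"python311.dll"}


def build_sample_zip() -> bytes:
    """Constructed stand-in for the fake installer ZIP: dummy bytes, not real binaries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("PuTTY/Setup.exe", b"MZ" + b"\x00" * 62 + b"constructed pythonw.exe stand-in")
        z.writestr("PuTTY/python311.dll", b"MZ" + b"\x00" * 62 + b"constructed dll stand-in")
        z.writestr("PuTTY/readme.txt", b"plain text, ignored by the check")
    return buf.getvalue()


def triage_archive(data: bytes, known_good=None) -> list:
    """Return one finding per DLL in SIDELOAD_DLL_NAMES that sits in the same
    archive directory as an .exe and whose SHA-256 is not in known_good
    (a dict mapping lowercase DLL name -> set of hex digests)."""
    known_good = known_good or {}
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        by_dir = {}
        for name in z.namelist():
            if name.endswith("/"):
                continue  # directory entry, no content
            by_dir.setdefault(posixpath.dirname(name), []).append(name)
        for names in by_dir.values():
            exes = [n for n in names if n.lower().endswith(".exe")]
            if not exes:
                continue  # no loader here, so nothing to sideload into
            for name in names:
                base = posixpath.basename(name).lower()
                if base not in SIDELOAD_DLL_NAMES:
                    continue
                blob = z.read(name)
                digest = hashlib.sha256(blob).hexdigest()
                if digest in known_good.get(base, set()):
                    continue  # matches a vetted python.org build
                findings.append({
                    "dll": name,
                    "sha256": digest,
                    "is_pe": blob[:2] == b"MZ",  # cheap sanity check on the file type
                    "co_located_exes": exes,
                })
    return findings
```

Run it against the sample with `triage_archive(build_sample_zip())`; with an empty allowlist it reports the DLL beside Setup.exe, and once the DLL's real digest is added to `known_good` the same archive is clean.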

Rapid7’s investigation revealed that the attackers used Sliver to drop additional payloads, including Cobalt Strike beacons. This allowed them to exfiltrate data and attempt to deploy ransomware encryptors. While Rapid7 did not provide extensive details on the ransomware used, they noted similarities to the BlackCat/ALPHV ransomware campaigns observed by Malwarebytes and Trend Micro.

“In a recent incident, Rapid7 observed the threat actor attempt to exfiltrate data using the backup utility Restic and then deploy ransomware, an attempt which was ultimately blocked during execution,” explained Tyler McGraw from Rapid7. “The related techniques, tactics, and procedures (TTPs) observed are reminiscent of past BlackCat/ALPHV campaigns.”

The increasing use of search engine advertisements to spread malware has become a significant concern, with threat actors leveraging ads for well-known programs such as KeePass, Notepad++, Grammarly, and more to distribute malicious software. Recently, a threat actor used Google ads to promote a phishing site masquerading as the crypto trading platform Whales Market, aiming to steal cryptocurrency from unsuspecting visitors.

This surge in malvertising highlights the need for increased vigilance and robust security measures among Windows system administrators to protect against such sophisticated cyber threats.

Author

  • Maya Pillai is a tech writer with 20+ years of experience curating engaging content. She can translate complex ideas into clear, concise information for all audiences.