
BlackCat Ransomware Operators Utilize Malvertising Tactics


Cybersecurity experts have recently detected a surge in ransomware activity associated with BlackCat ransomware operators. The group is utilizing a new modus operandi involving malvertising, a strategy that uses online advertising to spread malware. This approach typically involves hijacking a chosen set of keywords to display counterfeit ads on Bing and Google search results pages, with the goal of redirecting unsuspecting users to harmful pages.

The cybercriminals are distributing rogue installers of the WinSCP file transfer application through the creation of cloned webpages of legitimate organizations. The idea is to trick users searching for applications like WinSCP into downloading malware, specifically a backdoor containing a Cobalt Strike Beacon that connects to a remote server for follow-on operations. The attackers also use legitimate tools like AdFind to facilitate network discovery.

Once the backdoor is established, the access is further exploited to download various programs for reconnaissance, enumeration (like PowerView), lateral movement (such as PsExec), bypassing antivirus software (KillAV BAT), and exfiltrating customer data (PuTTY Secure Copy client). The use of the Terminator defense evasion tool has also been observed to tamper with security software via a Bring Your Own Vulnerable Driver (BYOVD) attack.
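The tool chain described in the two paragraphs above (rogue WinSCP installer, then AdFind, PowerView, PsExec, KillAV, PuTTY pscp and AnyDesk) lends itself to a straightforward process-creation detection. The following is an added example written for this page, not code from the article or from Trend Micro: the tool names come from the text, while the stage labels, the regular expressions, the rogue-installer heuristic and the sample events (hypothetical hosts, users and paths) are this example's own assumptions.

```python
"""Added example (not from the article): map the post-exploitation tooling named
in the BlackCat write-up onto simple process-creation detections and run them
over constructed sample events."""
import re
from ntpath import basename  # Windows-style paths, regardless of host OS

# Stage -> pattern on the executable name plus command line. Tool names are taken
# from the article; the stage labels and patterns are this example's assumptions.
STAGE_RULES = {
    "discovery":        re.compile(r"\b(adfind|powerview)\b", re.I),
    "lateral_movement": re.compile(r"\b(psexec|psexesvc)\b", re.I),
    "defense_evasion":  re.compile(r"\b(killav|terminator)\b", re.I),
    "exfiltration":     re.compile(r"\bpscp\b", re.I),
    "persistence":      re.compile(r"\banydesk\b", re.I),
}
INSTALLER = re.compile(r"(setup|install).*\.exe$", re.I)
USER_WRITABLE = re.compile(r"\\(Downloads|AppData\\Local\\Temp|Temp)\\", re.I)

# Constructed sample process-creation events (hypothetical; not report data).
SAMPLE_EVENTS = [
    {"host": "WS01", "parent": "chrome.exe",
     "image": r"C:\Users\jdoe\Downloads\WinSCP-5.21.8-Setup.exe",
     "cmdline": "WinSCP-5.21.8-Setup.exe"},
    {"host": "WS01", "parent": "WinSCP-5.21.8-Setup.exe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\adfind.exe",
     "cmdline": "adfind.exe -f objectcategory=computer"},
    {"host": "WS01", "parent": "powershell.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Windows\Temp\KillAV.bat"},
    {"host": "SRV02", "parent": "services.exe",
     "image": r"C:\Windows\PSEXESVC.exe", "cmdline": "PSEXESVC.exe"},
    {"host": "WS01", "parent": "explorer.exe",
     "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe", "cmdline": "AnyDesk.exe"},
    {"host": "WS01", "parent": "cmd.exe",
     "image": r"C:\Users\jdoe\Downloads\pscp.exe",
     "cmdline": r"pscp.exe -r C:\Share user@example.invalid:/"},
    {"host": "WS01", "parent": "explorer.exe",  # benign: the real client
     "image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe", "cmdline": "WinSCP.exe"},
]


def classify(event):
    """Return the set of stages whose tool pattern matches this event."""
    haystack = f"{basename(event['image'])} {event['cmdline']}"
    return {stage for stage, rx in STAGE_RULES.items() if rx.search(haystack)}


def detect(events):
    """Run the rules over events; return findings as (host, image name, reason)."""
    findings = []
    for ev in events:
        stages = classify(ev)
        name = basename(ev["image"])
        for stage in sorted(stages):
            findings.append((ev["host"], name, f"known post-exploitation tool ({stage})"))
        # Rogue-installer heuristic: an installer in a user-writable location that
        # spawns a post-exploitation tool matches the fake-WinSCP pattern above.
        parent = basename(ev["parent"])
        if stages and INSTALLER.search(parent) and USER_WRITABLE.search(ev["image"]):
            findings.append((ev["host"], name,
                             f"spawned by installer {parent} from user-writable path"))
    return findings


def hosts_with_multiple_stages(events):
    """Hosts on which two or more distinct stages were seen: a far stronger signal
    of an active intrusion than any single tool match."""
    seen = {}
    for ev in events:
        seen.setdefault(ev["host"], set()).update(classify(ev))
    return sorted(h for h, s in seen.items() if len(s) >= 2)


if __name__ == "__main__":
    for host, image, reason in detect(SAMPLE_EVENTS):
        print(f"{host}: {image}: {reason}")
    print("hosts with multiple stages:", hosts_with_multiple_stages(SAMPLE_EVENTS))
```

Name-based rules such as these are easy to evade by renaming binaries, so the correlation in `hosts_with_multiple_stages` and the parent/child installer heuristic carry more weight than any single match; the legitimate WinSCP client in the last sample event produces no finding, which is the false-positive check worth keeping in any rule set like this.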

In the specific attack chain detailed by cybersecurity company Trend Micro, the threat actors managed to steal top-level administrator privileges to conduct post-exploitation activities. They also attempted to set up persistence using remote monitoring and management (RMM) tools such as AnyDesk and to access backup servers. Had the intervention been sought later, the enterprise would likely have been substantially affected, given that the threat actors had already obtained domain administrator privileges and begun establishing backdoors and persistence.

This strategy is not a novel development in the world of cybercrime. Google Ads platform has been leveraged in the past by threat actors to serve malware. In November 2022, Microsoft disclosed an attack campaign that deployed BATLOADER via the advertising service, which was then used to drop Royal ransomware.

In other ransomware news, Czech cybersecurity company Avast released a free decryptor for the fledgling Akira ransomware to help victims recover their data without having to pay the operators. This ransomware, which first appeared in March 2023, has similarities with the Conti v2 ransomware, hinting at the possibility that the malware authors might have been inspired by the leaked Conti sources. The ransomware has expanded its target footprint to include Linux systems.

The Conti/TrickBot syndicate, also known as Gold Ulrick or ITG23, continues to exist despite suffering a series of disruptive events following the Russian invasion of Ukraine in May 2022. The e-crime group, now consisting of smaller entities, uses shared crypters and infrastructure to distribute their wares. IBM Security X-Force has recently noted that these crypters, which are applications designed to encrypt and obfuscate malware to evade detection by antivirus scanners and hinder analysis, are being used to disseminate new malware strains.

The cybercrime ecosystem is dynamic in nature, with cyber actors continuously appearing, disappearing, and sometimes partnering together, shutting down, or rebranding their financially motivated schemes. Despite these changes, ransomware remains a constant threat. This includes the emergence of a new ransomware-as-a-service (RaaS) group called Rhysida, which primarily targets education, government, manufacturing, and technology sectors across Western Europe, North and South America, and Australia. Rhysida, in its early stages of development, is a 64-bit Portable Executable (PE) Windows cryptographic ransomware application compiled using MinGW/GCC.
