Like PuTTY in Admin's Hands

Aug. 27, 2025, 7:43 p.m.

Description

The LevelBlue Managed Detection and Response team handled incidents tied to a malvertising campaign that distributed trojanized builds of the PuTTY SSH client and terminal emulator. Privileged users downloaded the malicious software, which masqueraded as legitimate PuTTY, from sponsored ads on search engines; once run it exhibited behaviors such as Kerberoasting, suspicious PowerShell execution, and persistence via scheduled tasks. The threat actors signed the binaries under various entities and spread them across multiple distribution domains, so a valid code signature by itself was not a reliable indicator of a genuine build. The campaign highlights the importance of following security best practices at every organizational level, administrators included, and the need for robust advertiser verification in advertising networks to prevent abuse.
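The three observations in the description (a signed but illegitimate binary, scheduled-task persistence launching PowerShell, and Kerberoasting) each map to a concrete check. The script below is an added example written for this page, not code from the LevelBlue report. Its assumptions are marked inline: the download path, the seven-day lookback window, the expected signer name for official PuTTY releases (confirm it against the official PuTTY site before relying on it), and the regular expression used to flag suspicious PowerShell launch arguments, which is a heuristic and not an indicator from the campaign. The Kerberoast function must run on a domain controller, where Security event 4769 is logged.

```powershell
# Added example (not from the LevelBlue report): triage for a possibly trojanized
# PuTTY download, recently registered PowerShell scheduled tasks, and RC4 service
# ticket requests that fit the Kerberoasting pattern. Assumptions are marked inline.
param(
    [string]$BinaryPath     = "$env:USERPROFILE\Downloads\putty.exe",  # assumption: where the user saved it
    [string]$ExpectedSigner = 'Simon Tatham',  # assumption: confirm against the official PuTTY site
    [int]$LookbackDays      = 7                # assumption: illustrative window
)

function Test-PuttyBinary {
    param([string]$Path, [string]$Signer)
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $hash    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    # The campaign shipped binaries signed by unrelated entities, so a "Valid"
    # status is not enough: the certificate subject must also be the real publisher.
    [pscustomobject]@{
        Path      = $Path
        Sha256    = $hash          # compare with the checksum published on the official site
        SigStatus = $sig.Status
        Signer    = $subject
        Trusted   = ($sig.Status -eq 'Valid' -and $subject -match [regex]::Escape($Signer))
    }
}

function Find-RecentPowerShellTasks {
    param([int]$Days)
    $cutoff = (Get-Date).AddDays(-$Days)
    foreach ($task in Get-ScheduledTask) {
        # Registration date can be empty for built-in tasks; unknown dates are kept for review.
        $registered = [datetime]::MinValue
        if ($task.Date -and [datetime]::TryParse($task.Date, [ref]$registered) -and $registered -lt $cutoff) { continue }
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match 'powershell|pwsh') {
                [pscustomobject]@{
                    TaskPath   = $task.TaskPath
                    TaskName   = $task.TaskName
                    Author     = $task.Author
                    Registered = $task.Date
                    RunAs      = $task.Principal.UserId
                    Command    = $cmd
                    # Heuristic (assumption): encoded, hidden-window or download-cradle launches get a closer look.
                    Suspicious = ($cmd -match '-(enc|encodedcommand)\b|-w(indowstyle)?\s+hidden|FromBase64String|DownloadString')
                }
            }
        }
    }
}

function Find-KerberoastCandidates {
    param([int]$Days)
    # Run on a domain controller. 4769 = Kerberos service ticket request; encryption
    # type 0x17 is RC4-HMAC, which Kerberoasting tools request because those tickets
    # crack fastest offline. krbtgt and computer accounts (name ending in $) are excluded.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.TicketEncryptionType -eq '0x17' -and $d.ServiceName -notmatch '^krbtgt|\$$') {
            [pscustomobject]@{ Time = $e.TimeCreated; Requester = $d.TargetUserName; Service = $d.ServiceName; ClientIp = $d.IpAddress }
        }
    }
    # Many distinct RC4 service tickets requested by one account in a short window is the classic signature.
    $rows | Group-Object Requester | Sort-Object Count -Descending |
        Select-Object @{ n = 'Requester'; e = { $_.Name } }, Count,
                      @{ n = 'Services';  e = { ($_.Group.Service | Sort-Object -Unique) -join ', ' } }
}

Test-PuttyBinary -Path $BinaryPath -Signer $ExpectedSigner | Format-List
Find-RecentPowerShellTasks -Days $LookbackDays | Format-Table -AutoSize
Find-KerberoastCandidates -Days $LookbackDays | Format-Table -AutoSize
```

Run the first two functions on the workstation where the download happened and the third on a domain controller. Treat `Trusted = False` as a reason to stop and compare the SHA-256 with the checksum published for the release rather than as proof of compromise on its own; the scheduled-task and Kerberoast output is a starting point for analyst review, not a verdict.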

Date

  • Created: Aug. 27, 2025, 4:22 p.m.
  • Published: Aug. 27, 2025, 4:22 p.m.
  • Modified: Aug. 27, 2025, 7:43 p.m.