
Ongoing Malvertising Campaign leads to Ransomware

May 15, 2024, 3:32 p.m.

Description

Rapid7 reported an ongoing malware distribution campaign that delivers trojanized installers of WinSCP and PuTTY through malicious search engine ads pointing at typosquatted download domains. The infection chain relies on DLL side-loading to execute the payload, includes credential access, and deploys Sliver beacons followed by Cobalt Strike. In one case the threat actor, after gaining elevated access, attempted data exfiltration and ransomware deployment. Rapid7's analysis provides indicators, MITRE ATT&CK mappings, and detection guidance.
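The chain summarized above uses DLL side-loading for execution. The following is an added example, not code from Rapid7 or from this page: a small hunting script that walks a file tree and flags a DLL sitting beside an executable in a user-writable directory when the DLL's file name shadows one that Windows normally loads from System32. The set of shadowable DLL names, the list of trusted install roots and the constructed directory layout are assumptions made for the demo.

```python
"""Hunt for DLL side-loading candidates on a file tree: an executable in a
user-writable directory accompanied by a DLL whose name shadows a DLL that
Windows normally loads from System32. Added example, not from the Rapid7
report; the directory tree is built in a temp dir so it runs anywhere."""
import os
import tempfile
from pathlib import Path

# DLL names frequently abused for side-loading because many binaries import
# them by name without a full path (assumption: short illustrative set).
SHADOWABLE_DLLS = {"version.dll", "dbghelp.dll", "cryptbase.dll",
                   "wtsapi32.dll", "dwmapi.dll", "userenv.dll"}

# Install locations where a vendor package normally lands; anything else is
# treated as user-writable (assumption: simplified for the demo).
TRUSTED_ROOTS = ("Program Files", "Program Files (x86)", "Windows")


def is_user_writable(path: Path, root: Path) -> bool:
    """True unless the path sits under one of the trusted install roots."""
    rel = path.relative_to(root).parts
    return not (rel and rel[0] in TRUSTED_ROOTS)


def find_sideload_candidates(root: Path, shadowable=SHADOWABLE_DLLS):
    """Return (exe_path, dll_path) pairs found in the same user-writable dir."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        d = Path(dirpath)
        if not is_user_writable(d, root):
            continue
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        dlls = sorted(f for f in files if f.lower() in shadowable)
        for exe in exes:
            for dll in dlls:
                findings.append((str(d / exe), str(d / dll)))
    return findings


def build_demo_tree(root: Path) -> None:
    """Constructed layout: a fake installer next to version.dll in Downloads,
    and a vendor package under Program Files that legitimately ships dbghelp.dll."""
    bad = root / "Users" / "jdoe" / "Downloads" / "WinSCP-setup"
    bad.mkdir(parents=True)
    (bad / "setup.exe").write_bytes(b"MZ-placeholder")
    (bad / "version.dll").write_bytes(b"MZ-placeholder")
    good = root / "Program Files" / "VendorTool"
    good.mkdir(parents=True)
    (good / "tool.exe").write_bytes(b"MZ-placeholder")
    (good / "dbghelp.dll").write_bytes(b"MZ-placeholder")


def demo():
    """Build the constructed tree and return (exe name, dll name) findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        return [(Path(e).name, Path(d).name)
                for e, d in find_sideload_candidates(root)]


if __name__ == "__main__":
    for exe, dll in demo():
        print(f"side-loading candidate: {exe} loads {dll} from the same directory")
```

On a real host the pair is only a lead: confirm it by checking the DLL's Authenticode signature (for example with PowerShell's Get-AuthenticodeSignature) and its hash against the indicator list below; a signed DLL with the same name is normal for some vendor packages.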

Date

Published: May 15, 2024, 3:14 p.m.

Created: May 15, 2024, 3:14 p.m.

Modified: May 15, 2024, 3:32 p.m.

Indicators

SHA-256 file hashes

f89720497b810afc9666f212e8f03787d72598573b41bc943cd59ce1c620a861

f36e9dec2e7c574c07f3c01bbbb2e8a6294e85863f4d6552cccb71d9b73688ad

f36089675a652d7447f45c604e062c2a58771ec54778f6e06b2332d1f60b1999

f18367d88f19c555f19e3a40b17de66d4a6f761684a5ef4cdd3d9931a6655490

ed501e49b9418fcfaf56a2eff7adcf85a648bdee2c42bb09db8c11f024667bfa

d95f6dec32b4ebed2c45ecc05215e76bf2f520f86ad6b5c5da1326083ba72e89

df0213e4b784a7e7e3b4c799862db6ea60e34d8e22eb5e72a980a8c2e9b36177

d94ed93042d240e4eaac8b1b397abe60c6c50a5ff11e62180a85be8aa0b0cc4a

d27f9c0d761e5e1de1a741569e743d6747734d3cdaf964a9e8ca01ce662fac90

cf82366e319b6736a7ee94cca827790e9fdedface98601f0499abee61f613d5d

cd7d59105b0d0b947923dd9ed371b9cfc2c2aa98f29b2afbdcd3392ad26bde94

c9042a7ed34847fee538c213300374c70c76436ee506273b35282c86a11d9e6a

ca05485a1ec408e2f429e2e377cc5af2bee37587a2eb91dc86e8e48211ffc49e

c8a982e2be4324800f69141b5be814701bcc4167b39b3e47ed8908623a13eb10

c33975aa4ab4cdf015422608962bd04c893f27bd270cf3f30958981541cdfead

bfc2ef3b404294fe2fa05a8b71c7f786b58519175b7202a69fe30f45e607ff1c

bd4abc70de30e036a188fc9df7b499a19a0b49d5baefc99844dfdec6e70faf75

bbdf350c6ae2438bf14fc6dc82bb54030abf9da0c948c485e297330e08850575

a5dfc9c326b1303cc1323c286ecd9751684fb1cd509527e2f959fb79e5a792c2

a1cb8761dd8e624d6872960e1443c85664e9fbf24d3e208c3584df49bbdb2d9c

9be715df88024582eeabdb0a621477e04e2cf5f57895fa6420334609138463b9

9bd3c7eff51c5746c21cef536971cc65d25e3646533631344728e8061a0624cb

989a8e6a01aa20e298b1ffae83b50cef3e08f6b64a8f022288dc8d5729301674

972ca168f7a8cddd77157e7163b196d1267fe2b338b93dabacc4a681e3d46b57

96ea33a5f305015fdd84bea48a9e266c0516379ae33321a1db16bc6fabad5679

8bc39017b1ea59386f74d7c7822063b3b00315dd317f55ddc6634bde897c45c1

8b1946e3e88cff3bee6b8a2ef761513fb82a1c81f97a27f959c08d08e4c75324

8834ec9b0778a08750156632b8e74b9b31134675a95332d1d38f982510c79acb

8b0d04f65a6a5a3c8fb111e72a1a176b7415903664bc37f0a9015b85d3fc0aa7

8827b6fa639afe037bb2c3f092ccb12d49b642ce5cec496706651ebcb23d5b9e

7d53122d6b7cff81e1c5fcdb3523ccef1dbd46c93020a0de65bc475760faff7d

868cd4974e1f3ac7ef843da8040536cb04f96a2c5779265a69df58e87dc03029

725aa783a0cd17df603fbe6b11b5a41c9fbfd6fc9e4f2e468c328999e5716faa

69583c4a9bf96e0edafcf1ac4362c51d6ff71bba0f568625ae65a1e378f15c65

61214a7b14d6ffb4d27e53e507374aabcbea21b4dc574936b39bec951220e7ea

51d898de0c300cae7a57c806d652809d19beb3e52422a7d8e4cb1539a1e2485d

51af3d778b5a408b725fcf11d762b0f141a9c1404a8097675668f64e10d44d64

500574522dbcde5e6c89803c3dca7f857f73e0868fd7f8d2f437f3cc31ce9e8d

4b618892c9a397b2b831917264aaf0511ac1b7e4d5e56f177217902daab74a36

47ec3a1ece8b30e66afd6bb510835bb072bbccc8ea19a557c59ccdf46fe83032

35161a508dfaf8e04bb6de6bc793a3840a05f2c04bbbbf8c2237abebe8e670aa

33f6acd3dfeda1aadf0227271937c1e5479c2dba24b4dca5f3deccc83e6a2f04

2ee435033d0e2027598fc6b35d8d6cbca32380eb4c059ba0806b9cfb1b4275cc

28e5ee69447cea77eee2942c04009735a199771ba64f6bce4965d674515d7322

242b2c948181f8c2543163c961775393220d128ecb38a82fa62b80893f209cab

17e0005fd046e524c1681304493f0c51695ba3f24362a61b58bd2968aa1bd01a

169ef0e828c3cd35128b0e8d8ca91fbf54120d9a2facf9eb8b57ea88542bc427

1576f71ac41c4fc93c8717338fbc2ba48374894345c33bdf831b16d0d06df23d

13b2e749eb1e45ce999427a12bb78cbebc87c415685315c77cdfb7f64cb9aab0

12afbec79948007e87fdf9e311736160797f245857a45c040966e8e029ca97b3

0aa248300a9f6c498f5305ae3cb871e9ec78ae62e6d51c05c4d6dd069622f442

03d18441c04f12270aab3e55f68284dcd84721d1e56b32f8d8b732a52a654d2d

02d8e4e5f74d38c8e1c9ad893e0cec1cc19aa08a43ecc87ac043fa825382a583

02330e168d4478a4cd2006dd3a856979f125fd30f5ed24ee70a41e03e4c0d2f8

IPv4 addresses

94.156.67.83

94.156.67.188

94.156.67.185

91.92.255.77

91.92.255.71

91.92.253.80

91.92.252.238

91.92.249.155

91.92.249.106

91.92.244.41

91.92.242.183

185.82.219.92

94.156.65.115

94.156.65.98

Domains

vvinscp.net

winnscp.net

putyy.org

wnscp.net

puutty.org

puttyy.org

puttty.org

mkt.geostrategy-ec.com

fkm-system.com

areauni.com
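One way to put the indicator list above to use, as an added example that is not part of the Rapid7 report or of this page: match proxy and EDR events against the listed domains, IPs and hashes, and additionally flag domains that are not on the list yet but sit within a short edit distance of the names the typosquats imitate. It assumes winscp.net and putty.org are the lexical targets of the look-alike domains; the log lines, the field format (dst=, sha256=) and the homoglyph substitutions are constructed for the demo.

```python
"""Match proxy/EDR events against the campaign IOCs and flag look-alike domains.
Added example, not from the Rapid7 report; the log lines are constructed."""
import re
from dataclasses import dataclass

# Subset of the indicators listed on this page.
IOC_DOMAINS = {
    "vvinscp.net", "winnscp.net", "putyy.org", "wnscp.net", "puutty.org",
    "puttyy.org", "puttty.org", "mkt.geostrategy-ec.com", "fkm-system.com",
    "areauni.com",
}
IOC_IPS = {"94.156.67.83", "94.156.67.188", "91.92.255.77", "185.82.219.92"}
IOC_SHA256 = {
    "f89720497b810afc9666f212e8f03787d72598573b41bc943cd59ce1c620a861",
    "02330e168d4478a4cd2006dd3a856979f125fd30f5ed24ee70a41e03e4c0d2f8",
}

# Legitimate domain -> brand label that the typosquats imitate (assumption).
LEGIT = {"winscp.net": "winscp", "putty.org": "putty"}

DST_RE = re.compile(r"dst=([^:\s]+)")
SHA_RE = re.compile(r"sha256=([0-9a-fA-F]{64})")
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


@dataclass(frozen=True)
class Hit:
    kind: str      # "domain", "ip", "hash" or "lookalike"
    value: str
    detail: str
    line: str


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(label: str) -> str:
    """Fold common homoglyph tricks before comparing: vv->w, rn->m, 0->o, 1->l."""
    label = label.lower().replace("vv", "w").replace("rn", "m")
    return label.translate(str.maketrans("01", "ol"))


def lookalike(host: str):
    """Return (legit_domain, distance) when the second-level label of host is
    within edit distance 2 of a brand label after normalization, else None."""
    host = host.lower()
    if host in LEGIT:
        return None
    labels = host.split(".")
    if len(labels) < 2:
        return None
    sld = normalize(labels[-2])
    best = None
    for legit_domain, brand in LEGIT.items():
        d = levenshtein(sld, brand)
        if d <= 2 and (best is None or d < best[1]):
            best = (legit_domain, d)
    return best


def scan(log_text: str):
    """Return one Hit per IOC or look-alike match, in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        for m in SHA_RE.finditer(line):
            if m.group(1).lower() in IOC_SHA256:
                hits.append(Hit("hash", m.group(1).lower(), "", line))
        for m in DST_RE.finditer(line):
            host = m.group(1).lower()
            if IP_RE.fullmatch(host):
                if host in IOC_IPS:
                    hits.append(Hit("ip", host, "", line))
            elif host in IOC_DOMAINS:
                hits.append(Hit("domain", host, "", line))
            else:
                la = lookalike(host)
                if la:
                    hits.append(Hit("lookalike", host,
                                    f"resembles {la[0]} (edit distance {la[1]})", line))
    return hits


# Constructed sample events: proxy lines with dst=host:port and one EDR file event.
SAMPLE_LOG = r"""
2024-05-14T09:12:01Z user=jdoe dst=puttty.org:443 action=allow
2024-05-14T09:12:04Z user=jdoe dst=winscp.net:443 action=allow
2024-05-14T09:13:30Z user=asmith dst=putttty.org:443 action=allow
2024-05-14T09:14:02Z user=jdoe dst=94.156.67.83:443 action=allow
2024-05-14T09:14:40Z user=asmith dst=vvinscp.com:443 action=allow
2024-05-14T09:15:11Z host=WS01 event=FileCreate sha256=f89720497b810afc9666f212e8f03787d72598573b41bc943cd59ce1c620a861 path=C:\Users\jdoe\Downloads\setup.exe
"""

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"[{h.kind}] {h.value} {h.detail}".rstrip())
```

The look-alike check is deliberately loose (edit distance 2 on the second-level label after homoglyph folding), so it catches domains registered after the list was published, such as the constructed putttty.org and vvinscp.com, at the cost of occasional false positives that an analyst should review rather than auto-block.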

Attack Patterns

T1583: Acquire Infrastructure

T1567: Exfiltration Over Web Service

T1222: File and Directory Permissions Modification

T1189: Drive-by Compromise

T1486: Data Encrypted for Impact

T1574: Hijack Execution Flow

T1106: Native API

T1570: Lateral Tool Transfer

T1543: Create or Modify System Process

T1055: Process Injection

T1204: User Execution

T1140: Deobfuscate/Decode Files or Information

T1027: Obfuscated Files or Information

T1053: Scheduled Task/Job

T1059: Command and Scripting Interpreter