Ongoing Malvertising Campaign leads to Ransomware

May 15, 2024, 3:32 p.m.

Description

Rapid7 detected an ongoing malware distribution campaign involving trojanized installers of WinSCP and PuTTY, delivered via malicious search engine ads. The infection chain uses DLL side-loading and credential access, and deploys Sliver beacons followed by Cobalt Strike. In one case, the threat actor attempted data exfiltration and ransomware deployment after gaining elevated access. The analysis provides indicators, MITRE ATT&CK mappings, and detection guidance.

Date

  • Created: May 15, 2024, 3:14 p.m.
  • Published: May 15, 2024, 3:14 p.m.
  • Modified: May 15, 2024, 3:32 p.m.

Indicators


Attack Patterns

  • T1583
  • T1567
  • T1222
  • T1189
  • T1486
  • T1574
  • T1106
  • T1570
  • T1543
  • T1055
  • T1204
  • T1140
  • T1027
  • T1053
  • T1059