www.trendmicro.com
Open in
urlscan Pro
23.32.242.31
Public Scan
URL:
https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html
Submission: On July 03 via api from TR — Scanned from DE
Submission: On July 03 via api from TR — Scanned from DE
Form analysis
1 forms found in the DOM<form class="main-menu-search" aria-label="Search Trend Micro" data-equally-id="equally_ai___YjZ4W">
<div class="main-menu-search__field-wrapper" id="cludo-search-form">
<table class="gsc-search-box">
<tbody>
<tr>
<td class="gsc-input">
<input type="text" class="gsc-input-field" name="search" title="search" placeholder="Search" autocomplete="off" aria-label="search">
</td>
</tr>
</tbody>
</table>
</div>
</form>
Text Content
Business search close * Solutions * By Challenge * By Challenge * By Challenge Learn more * Understand, Prioritize & Mitigate Risks * Understand, Prioritize & Mitigate Risks Improve your risk posture with attack surface management Learn more * Protect Cloud-Native Apps * Protect Cloud-Native Apps Security that enables business outcomes Learn more * Protect Your Hybrid World * Protect Your Hybrid, Multi-Cloud World Gain visibility and meet business needs with security Learn more * Securing Your Borderless Workforce * Securing Your Borderless Workforce Connect with confidence from anywhere, on any device Learn more * Eliminate Network Blind Spots * Eliminate Network Blind Spots Secure users and key operations throughout your environment Learn more * See More. Respond Faster. * See More. Respond Faster. Move faster than your adversaries with powerful purpose-built XDR, attack surface risk management, and zero trust capabilities Learn more * Extend Your Team * Extend Your Team. Respond to Threats Agilely Maximize effectiveness with proactive risk reduction and managed services Learn more * By Role * By Role * By Role Learn more * CISO * CISO Drive business value with measurable cybersecurity outcomes Learn more * SOC Manager * SOC Manager See more, act faster Learn more * Infrastructure Manager * Infrastructure Manager Evolve your security to mitigate threats quickly and effectively Learn more * Cloud Builder and Developer * Cloud Builder and Developer Ensure code runs only as intended Learn more * Cloud Security Ops * Cloud Security Ops Gain visibility and control with security designed for cloud environments Learn more * By Industry * By Industry * By Industry Learn more * Healthcare * Healthcare Protect patient data, devices, and networks while meeting regulations Learn more * Manufacturing * Manufacturing Protecting your factory environments – from traditional devices to state-of-the-art infrastructures Learn more * Oil & Gas * Oil & Gas ICS/OT Security for the oil and gas utility industry Learn more * Electric Utility * Electric Utility ICS/OT Security for the electric utility Learn more * Federal * Federal Learn more * Automotive * Automotive Learn more * 5G Networks * 5G Networks Learn more * Platform * Platform * Trend Vision One Our Unified Platform Bridge threat protection and cyber risk management Learn more * Security Operations * Security Operations * Trend Vision One Security Operations Overview A cloud-native security operations platform built to empower security teams Learn more * Attack Surface Management * Attack Surface Management Operationalize a zero trust strategy Learn more * XDR (Extended Detection & Response) * XDR (Extended Detection & Response) Stop adversaries faster with a broader perspective and better context to hunt, detect, investigate, and respond to threats from a single platform Learn more * Threat Intelligence * Threat Intelligence Keep ahead of the latest threats and protect your critical data with ongoing threat prevention and analysis Learn more * Cloud Security * Cloud Security * Trend Cloud One Cloud Security Overview The most trusted cloud security platform for developers, security teams, and businesses Learn more * Workload Security * Workload Security Secure your data center, cloud, and containers without compromising performance by leveraging a cloud security platform with CNAPP capabilities Learn more * Cloud Security Posture Management * Cloud Security Posture Management Leverage complete visibility and rapid remediation Learn more * Container Security * Container Security Simplify security for your cloud-native applications with advanced container image scanning, policy-based admission control, and container runtime protection Learn more * File Storage Security * File Storage Security Security for cloud file/object storage services leveraging cloud-native application architectures Learn more * Endpoint Security * Endpoint Security Defend your endpoints at every stage Learn more * Network Security * Network Security Advanced cloud-native network security detection, protection, and cyber threat disruption for your single and multi-cloud environments. Learn more * Open Source Security * Open Source Security Visibility and monitoring of open source vulnerabilities for SecOps Learn more * Cloud Visibility * Cloud Visibility As your organization continues to move data and apps to the cloud and transform your IT infrastructure, mitigating risk without slowing down the business is critical. Learn more * Network Security * Network Security * Network Security Overview Expand the power of XDR with network detection and response Learn more * Network Intrusion Prevention (IPS) * Network Intrusion Prevention (IPS) Protect against known, unknown, and undisclosed vulnerabilities in your network Learn more * Breach Detection System (BDS) * Breach Detection System (BDS) Detect and respond to targeted attacks moving inbound, outbound, and laterally Learn more * Secure Service Edge (SSE) * Secure Service Edge (SSE) Redefine trust and secure digital transformation with continuous risk assessments Learn more * Industrial Network Security * Industrial Network Security Learn more * Endpoint & Email Security * Endpoint & Email Security * Endpoint & Email Security Overview Protect your users on any device, any application, anywhere with Trend Micro Workforce One Learn more * Endpoint Protection * Endpoint Protection Learn more * Email Security * Email Security Stop phishing, malware, ransomware, fraud, and targeted attacks from infiltrating your enterprise Learn more * Mobile Security * Mobile Security On-premises and cloud protection against malware, malicious applications, and other mobile threats Learn more * Industrial Endpoint Security * Industrial Endpoint Security Learn more * Small & Midsized Business Security * Small & Midsized Business Security Stop threats with comprehensive, set-it-and-forget-it protection Learn more * All Products, Services and Trials * All Products, Services and Trials Learn more * Research * Research * Research * Research Learn more * About Our Research * About Our Research Learn more * Research, News, and Perspectives * Research, News, and Perspectives Learn more * Research and Analysis * Research and Analysis Learn more * Blog * Blog Learn more * Security News * Security News Learn more * Zero Day Initiatives (ZDI) * Zero Day Initiatives (ZDI) Learn more * Services * Our Services * Our Services * Our Services Learn more * Service Packages * Service Packages Augment security teams with 24/7/365 managed detection, response, and support Learn more * Managed XDR * Managed XDR Augment threat detection with expertly managed detection and response (MDR) for email, endpoints, servers, cloud workloads, and networks Learn more * Support Services * Support Services Learn more * Partners * Channel Partners * Channel Partners * Channel Partner Overview Grow your business and protect your customers with the best-in-class complete, multilayered security Learn more * Managed Service Provider * Managed Service Provider Partner with a leading expert in cybersecurity, leverage proven solutions designed for MSPs Learn more * Cloud Service Provider * Cloud Service Provider Add market-leading security to your cloud service offerings – no matter which platform you use Learn more * Professional Services * Professional Services Increase revenue with industry-leading security Learn more * Resellers * Resellers Discover the possibilities Learn more * Marketplace * Marketplace Learn more * System Integrators * System Integrators Learn more * Alliance Partners * Alliance Partners * Alliance Overview We work with the best to help you optimize performance and value Learn more * Technology Alliance Partners * Technology Alliance Partners Learn more * Our Alliance Partners * Our Alliance Partners Learn more * Partner Tools * Partner Tools * Partner Tools Learn more * Partner Login * Partner Login Login * Education and Certification * Education and Certification Learn more * Partner Successes * Partner Successes Learn more * Distributors * Distributors Learn more * Find a Partner * Find a Partner Learn more * Company * Why Trend Micro * Why Trend Micro * Why Trend Micro Learn more * The Trend Micro Difference * The Trend Micro Difference Learn more * Customer Success Stories * Customer Success Stories Learn more * The Human Connection * The Human Connection Learn more * Industry Accolades * Industry Accolades Learn more * Strategic Alliances * Strategic Alliances Learn more * About Us * About Us * About Us Learn more * Trust Center * Trust Center Learn more * History * History Learn more * Diversity, Equity and Inclusion * Diversity, Equity and Inclusion Learn more * Corporate Social Responsibility * Corporate Social Responsibility Learn more * Leadership * Leadership Learn more * Security Experts * Security Experts Learn more * Internet Safety and Cybersecurity Education * Internet Safety and Cybersecurity Education Learn more * Legal * Legal Learn more * Investors * Investors Learn more * Connect with Us * Connect with Us * Connect with Us Learn more * Newsroom * Newsroom Learn more * Events * Events Learn more * Careers * Careers Learn more * Webinars * Webinars Learn more Back Back Back Back * Free Trials * Contact Us Looking for home solutions? Under Attack? 0 Back Folio (0) Support * Business Support Portal * Virus and Threat Help * Renewals and Registration * Education and Certification * Contact Support * Find a Support Partner Resources * Cyber Risk Index/Assessment * CISO Resource Center * DevOps Resource Center * What Is? * Threat Encyclopedia * Cloud Health Assessment * Cyber Insurance * Glossary of Terms * Webinars Log In * Support * Partner Portal * Cloud One * Product Activation and Management * Referral Affililate Back arrow_back search close Content has been added to your Folio Go to Folio (0) close Malware MALVERTISING USED AS ENTRY VECTOR FOR BLACKCAT, ACTORS ALSO LEVERAGE SPYBOY TERMINATOR We found that malicious actors used malvertising to distribute malware via cloned webpages of legitimate organizations. The distribution involved a webpage of the well-known application WinSCP, an open-source Windows application for file transfer. We were able to identify that this activity led to a BlackCat (aka ALPHV) infection, and actors also used SpyBoy, a terminator that tampers with protection provided by agents. By: Lucas Silva, RonJay Caragay, Arianne Dela Cruz, Gabriel Cardoso June 30, 2023 Read time: 7 min (1889 words) Save to Folio Subscribe -------------------------------------------------------------------------------- Recently, the Trend Micro incident response team engaged with a targeted organization after having identified highly suspicious activities through the Targeted Attack Detection (TAD) service. In the investigation, malicious actors used malvertising to distribute a piece of malware via cloned webpages of legitimate organizations. In this case, the distribution involved a webpage of the well-known application WinSCP, an open-source Windows application for file transfer. Advertising platforms like Google Ads enable businesses to display advertisements to target audiences to boost traffic and increase sales. Malware distributors abuse the same functionality in a technique known as malvertising, where chosen keywords are hijacked to display malicious ads that lure unsuspecting search engine users into downloading certain types of malware. The targeted organization conducted a joint investigation with the Trend team and discovered that cybercriminals performed the following unauthorized and malicious activities within the company’s network: * Stole top-level administrator privileges and used these privileges to conduct unauthorized activities * Attempted to establish persistence and backdoor access to the customer environment using remote management tools like AnyDesk * Attempted to steal passwords and tried to access backup servers It is highly likely that the enterprise would have been substantially affected by the attack if intervention had been sought later, especially since the threat actors had already succeeded in gaining initial access to domain administrator privileges and started establishing backdoors and persistence. The following chart represents how the infection starts. Figure 1. Infection chain of the observed attack In the following sections, we discuss the details of this case: how threat actors made the initial access, what kind of attacks they carried out, and the lessons that can be drawn from this event. Deep dive into the infection chain The infection starts once the user searches for “WinSCP Download” on the Bing search engine. A malicious ad for the WinSCP application is displayed above the organic search results. The ad leads to a suspicious website containing a tutorial on how to use WinSCP for automating file transfer. Figure 2. A suspicious site from a malvertisement From this first page, the user is then redirected to a cloned download webpage of WinSCP (winsccp[.]com). Once the user selects the “Download” button, an ISO file is downloaded from an infected WordPress webpage (hxxps://events.drdivyaclinic[.]com). Recently, the malicious actor changed their final stage payload URL to the file-sharing service 4shared. Figure 3. Malicious download site The overall infection flow involves delivering the initial loader, fetching the bot core, and ultimately, dropping the payload, typically a backdoor. In summary, the malicious actor uses the following malvertising infection chain: 1. A user searches for an application by entering a search term in a search bar (such as Google or Bing). In this example, the user wants to download the WinSCP application and enters the search term “WinSCP Download” on the Bing search bar. 2. Above the organic search results, the user finds a malvertisement for the WinSCP application that leads to a malicious website. 3. Once the user selects the “Download” button, this begins the download of an ISO file to their system. On Twitter, user @rerednawyerg first spotted the same infection chain mimicking the AnyDesk application. Once the user mounts the ISO, it contains two files, setup.exe and msi.dll. We list the details of these two files here: * Setup.exe: A renamed msiexec.exe executable * Msi.dll: A delayed-loaded DLL (not loaded until a user’s code attempts to reference a symbol contained within the DLL) that will act as a dropper for a real WinSCP installer and a malicious Python execution environment responsible for downloading Cobalt Strike beacons. Figure 4. The files downloaded once a user mounts the ISO Once setup.exe is executed, it will call the msi.dll that will later extract a Python folder from the DLL RCDATA section as a real installer for WinSCP to be installed on the machine. Two installations of Python3.10 will be created — a legitimate python installation in %AppDataLocal%\Python-3.10.10 and another installation in %Public%\Music\python containing a trojanized python310.dll. Finally, the DLL will create a persistence mechanism to make a run key named “Python” and the value C:\Users\Public\Music\python\pythonw.exe. Figure 5. The run key named “Python” When the executable pythonw.exe starts, it loads a modified/trojanized obfuscated python310.dll that contains a Cobalt Strike beacon that connects to 167[.]88[.]164[.]141. The following command-and-control (C&C) servers are used to obtain the main beacon module: File name C&C pp.py hxxps://167.88.164.40/python/pp2 work2.py hxxps://172.86.123.127:8443/work2z work2-2.py hxxps://193.42.32.58:8443/work2z work3.py hxxps://172.86.123.226:8443/work3z Multiple scheduled tasks executing batch files for persistence were also created in the machine. These batch files execute Python scripts leading to in-memory execution of Cobalt Strike beacons. Interestingly, the Python scripts use the marshal module to execute a pseudo-compiled (.pyc) code that is leveraged to download and execute the malicious beacon module in memory. The Trend Vision One™ platform was able to generate the following Workbench for the previously mentioned kill chain. Figure 6. Kill chain for the executed malware The threat actor used a few other tools for discovery in the customer's environment. First, they used AdFind, a tool designed to retrieve and display information from Active Directory (AD) environments. In the hands of a threat actor, AdFind can be misused for enumeration of user accounts, privilege escalation, and even password hash extraction. In this case, the threat actor used it to fetch information on the operating system using the command adfind.exe -f objectcategory=computer -csv name cn OperatingSystem dNSHostName. The command specifies that it wants to retrieve the values of the name, common name (CN), operating system, and dNSHostName attributes for each computer object and output its result in a CSV format. The threat actor used the following PowerShell command to gather user information and to save it into a CSV file: Get-ADUser -Filter * -Properties * | Select -Property EmailAddress,GivenName,Surname,DisplayName,sAMAccountName,Title,Department,OfficePhone,MobilePhone,Fax,Enabled,LastLogonDate | Export-CSV "C:\users\public\music\ADusers.csv" -NoTypeInformation -Encoding UTF8 We also observed that the threat actor used AccessChk64, a command-line tool developed by Sysinternals that is primarily used for checking the security permissions and access rights of objects in Windows. Although the threat actor’s purpose for using the tool in this instance is not clear, it should be noted that the tool can be used for gaining insights on what permissions are assigned to users and groups, as well as for privilege escalation and the identification of files, directories, or services with weak access control settings. The threat actor then used findstr, a command-line tool in Windows used for searching strings or regular expressions within files by using the command findstr /S /I cpassword \\<REDACTED>\sysvol\<REDACTED>\policies\*.xml. It is possible that the purpose of this command is to identify any XML files that contain the string cpassword. This is interesting from a security context since cpassword is associated with a deprecated method of storing passwords in Group Policy Preferences within AD. Figure 7. How finsdtr is used in the attack We also observed the execution of scripts with PowerShell. For instance, the command IEX (New-Object Net.Webclient).DownloadString('hxxp://127[.]0[.]0[.]1:40347/'); Invoke-FindLocalAdminAccess -Thread 50" it invokes a PowerShell function called Invoke-FindLocalAdminAccess and passes the parameter -Thread with a value of 50. This function is likely part of a script that performs actions related to finding local administrator access on a system. Another PowerShell script used by the threat actor was PowerView. PowerView, which belongs to the PowerSploit collection of scripts used to assist in penetration testing and security operations, focuses on AD reconnaissance and enumeration and is commonly used by threat actors to gather information about the AD environment. PowerShell Expand-Archive command was used to extract the ZIP files. powershell -w hidden -command Expand-Archive C:\users\public\videos\python.zip -DestinationPath C:\users\public\videos\python WMI was used to launch CoBeacon remotely across the environment. C:\WINDOWS\system32\cmd.exe /C wmic /NODE:"<REDACTED>" process call create C:\users\public\videos\python\pythonw.exe C:\users\public\videos\python\work2-2.py To obtain high-privileged credentials and escalate privileges, the threat actor used a Python script also containing the marshal module to execute a pseudo-compiled code for LaZagne. Another script to obtain Veeam credentials following the same structure was also identified in the environment. PsExec, BitsAdmin, and curl were used to download additional tools and to move laterally across the environment. The threat actor dropped a detailed KillAV BAT script (KillAV is a type of malicious software specifically designed to disable or bypass antivirus or antimalware programs installed on a target system) to tamper with Trend protections. However, due to the agent’s Self-Protection features and VSAPI detections, the attempt failed. The threat actors also made attempts to stop Windows Defender through a different KillAV BAT script. Finally, the threat actor installed the AnyDesk remote management tool (renamed install.exe) in the environment to maintain persistence. Figure 8. Remote management tool installed for persistence After a diligent and proactive response, the attacker was successfully evicted from the network before they could reach their goal or execute their final payload. The incident response team also presented immediate countermeasures as well as medium- and long-term security procedures for implementation. BlackCat uses the same tools, techniques, and procedures (TTPs) In another investigation, following the same TTPs described previously described, we were able to identify that this activity led to a BlackCat (aka ALPHV) infection. Along with other types of malware and tools already mentioned, we were able to identify the use of the anti-antivirus or anti-endpoint detection and response (EDR) SpyBoy terminator in an attempt to tamper with protection provided by agents. In order to exfiltrate the customer data, the threat actor used PuTTY Secure Copy client (PSCP) to transfer the gathered information. Investigating one of the C&C domains used by the threat actor behind this infection also led to the discovery of a possible related Cl0p ransomware file. Figure 9. Files indicating possible Cl0p ransomware file Conclusion and recommendations In recent years, attackers have become increasingly adept at exploiting vulnerabilities that victims themselves are unaware of and have started employing behaviors that organizations do not anticipate. In addition to a continuous effort to prevent any unauthorized access, early detection and response within an organization’s network is critical. Immediacy in remediation is also essential, as delays in reaction time could lead to serious damage. By understanding attack scenarios in detail, organizations can not only identify vulnerabilities that could lead to compromise and critical damage but also take necessary measures to prevent them. Organizations can protect themselves by taking the following security measures: * Educate employees about phishing. Conduct training sessions to educate employees about phishing attacks and how to identify and avoid them. Emphasize the importance of not selecting suspicious links and not downloading files from unknown sources. * Monitor and log activities. Implement a centralized logging system to collect and analyze logs from various network devices and systems. Monitor network traffic, user activities, and system logs to detect any unusual or suspicious behavior. * Define normal network traffic for normal operations. Defining normal network traffic will help identify abnormal network traffic, such as unauthorized access. * Improve incident response and communication. Develop an incident response plan to guide your organization's response in case of future breaches. Establish clear communication channels to inform relevant stakeholders, including employees, customers, and regulatory bodies, about a breach and the steps being taken to address it. * Engage with a cybersecurity professional. If your organization lacks the expertise or resources to handle the aftermath of a breach effectively, consider engaging with a reputable cybersecurity firm to assist with incident response, forensic analysis, and security improvements. Indicators of Compromise (IOCs) The full list of IOCs can be found here. Tags Malware | Endpoints | Research | Web | Articles, News, Reports AUTHORS * Lucas Silva Incident Response Analyst * RonJay Caragay Threats Analyst * Arianne Dela Cruz Threats Analyst * Gabriel Cardoso Threats Analyst Contact Us Subscribe RELATED ARTICLES * Human vs Machine Identity Risk Management * An Overview of the Different Versions of the Trigona Ransomware * How Zero Trust Can Help Your Organization: Strengthening Security and Supply Chain Assurance See all articles Try our services free for 30 days * Start your free trial today * * * * * RESOURCES * Blog * Newsroom * Threat Reports * DevOps Resource Center * CISO Resource Center * Find a Partner SUPPORT * Business Support Portal * Contact Us * Downloads * Free Trials * * ABOUT TREND * About Us * Careers * Locations * Upcoming Events * Trust Center * Select a country / region United States expand_more close THE AMERICAS * United States * Brasil * Canada * México MIDDLE EAST & AFRICA * South Africa * Middle East and North Africa EUROPE * België (Belgium) * Česká Republika * Danmark * Deutschland, Österreich Schweiz * España * France * Ireland * Italia * Nederland * Norge (Norway) * Polska (Poland) * Suomi (Finland) * Sverige (Sweden) * Türkiye (Turkey) * United Kingdom ASIA & PACIFIC * Australia * Центральная Азия (Central Asia) * Hong Kong (English) * 香港 (中文) (Hong Kong) * भारत गणराज्य (India) * Indonesia * 日本 (Japan) * 대한민국 (South Korea) * Malaysia * Монголия (Mongolia) and рузия (Georgia) * New Zealand * Philippines * Singapore * 台灣 (Taiwan) * ประเทศไทย (Thailand) * Việt Nam Privacy | Legal | Accessibility | Site map Copyright ©2023 Trend Micro Incorporated. All rights reserved sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk This website uses cookies for website functionality, traffic analytics, personalization, social media functionality and advertising. Our Cookie Notice provides more information and explains how to amend your cookie settings.Learn more Cookies Settings Accept word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word word mmMwWLliI0fiflO&1 mmMwWLliI0fiflO&1 mmMwWLliI0fiflO&1 mmMwWLliI0fiflO&1 mmMwWLliI0fiflO&1 mmMwWLliI0fiflO&1 mmMwWLliI0fiflO&1 Sumo