BlackCat Uses Malvertising to Push Backdoor

The BlackCat ransomware-as-a-service group is developing a threat activity cluster using chosen keywords on webpages of legitimate organizations to deploy malicious malware.

See Also: Live Webinar | Reclaim Control over Your Secrets – The Secret Sauce to Secrets Security

An unnamed organization along with Trend Micro researchers discovered cybercriminals performing unauthorized activities within the company’s network using a cloned webpage of WinSCP, an open-source Windows application for file transfer; and SpyBoy, a terminator that tampers with protection provided by agents.

“Malware distributors abuse the same functionality in a technique known as malvertising – hijacking keywords to display malicious ads that lure unsuspecting search engine users into downloading malware,” according to the Trend Micro report.

Attackers stole top-level administrator privileges and also attempted to establish persistence and backdoor access to the customer environment using remote management tools..

Researchers observed similarities in the tactics used in this campaign with the previous campaigns conducted by BlackCat.

“Along with other types of malware and tools already mentioned, we were able to identify the use of the anti-antivirus or anti-endpoint detection and response SpyBoy terminator in an attempt to tamper with protection provided by agents,” researchers said.

To exfiltrate the data, the attackers used the PuTTY Secure Copy client to transfer the information. Further investigation of the command and control domains used by the threat actor led to the discovery of a possible relation with Clop ransomware.

Attack Chain

Using SEO-poisoning techniques, unsuspecting users are tricked into downloading a cloned application containing a malware..

“The overall infection flow involves delivering the initial loader, fetching the bot core and ultimately dropping the payload, typically a backdoor,” researchers said.

The WinSCP application in this case contained a backdoor containing Cobalt Strike Beacon, which allows a remote server for followup operations.

Researchers also spotted threat actors using a few other tools such as AdFind, which is designed to retrieve and display information from Active Directory environments.

“In the hands of a threat actor, AdFind can be misused for enumeration of user accounts, privilege escalation and even password hash extraction,” researchers said. The malicious actors also used AnyDesk remote management tool in the environment to maintain persistence.