Ransomware, Malware

Malvertising campaign exploits WinSCP, PuTTy for ransomware

What if we made paying the ransom illegal?

Fraudulent Google ads for the WinSCP and PuTTy utilities have been leveraged to attempt ransomware distribution as part of a malvertising campaign against Windows system administrators, reports BleepingComputer.

Click for more special coverage

Attackers used typosquatted domain names for the fake WinSCP and PuTTy sites, which included links that redirected to legitimate sites and downloaded ZIP archives, which contain a malicious DLL that facilitates the deployment of the Sliver post-exploitation toolkit to deliver Cobalt Strike beacons and other payloads for initial network access, according to a Rapid7 report. Researchers also noted threat actors' attempted data exfiltration and ransomware distribution activities, which were eventually thwarted.

"The related techniques, tactics, and procedures (TTP) observed by Rapid7 are reminiscent of past BlackCat/ALPHV campaigns as reported by Trend Micro last year," said Rapid7 researcher Tyler McGraw.

Such an incident comes amid mounting malvertising campaigns exploiting widely used software, including AnyDesk, VLC, Malwarebytes, MSI Afterburner, 7-Zip, CCleaner, Brave, and Grammarly.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.