Discover how BlackCat cybercriminals utilize malvertising techniques and leverage the powerful SpyBoy Terminator tool for malicious activities.

Continue reading
In a recent investigation conducted by the Trend Micro incident response team, a targeted organization fell victim to a sophisticated cyberattack. The threat actors employed malvertising techniques to distribute malware through cloned webpages of legitimate organizations, specifically targeting users searching for the popular WinSCP application. This Threatfeed dives deep into the underlying details of the attack, analyzing the initial access, the malicious activities performed, & the lessons we can learn from this event.
The attack begins when a user searches for the "WinSCP Download" on the Bing search engine. Disguised as an ad, the malvertisers manipulate chosen keywords to display a deceptive advertisement for the WinSCP application above the organic search results. Upon clicking the "Download" button, the user unwittingly initiates the download of an ISO file from an infected WordPress webpage. The payload's URL has recently been changed to a file-sharing service called 4shared, adding another layer of complexity to the attack.
Once the ISO file is mounted, two files, namely `setup.exe` and `msi.dll`, are extracted. `setup.exe` is, in fact, a renamed version of `msiexec.exe` executable. On the other hand, `msi.dll` acts as a dropper for both the legitimate WinSCP installer and a malicious Python execution environment responsible for downloading Cobalt Strike beacons. These files play a crucial role in the subsequent stages of the attack.
The threat actors meticulously orchestrate a series of actions to infiltrate the target organization's network and escalate their privileges. Let's explore the key techniques they employ:
Had the intervention been delayed, the enterprise would have undoubtedly suffered severe consequences. The threat actors had already obtained domain administrator privileges and established backdoors and persistence within the network.
The attackers skillfully leverage various tools and techniques to achieve their malicious objectives. Here are the key elements used in this cyber assault:
The threat actors employ AdFind, a tool primarily designed for retrieving and displaying information from Active Directory environments. By misusing this tool, the attackers perform enumeration of user accounts, privilege escalation, and even password hash extraction.
PowerShell commands are an integral part of the attacker's arsenal. The threat actors utilize PowerShell to gather user information and save it in a CSV file, as well as execute scripts for various purposes.
The command-line tool findstr, typically used for searching strings or regular expressions within files, is employed by the attackers to identify XML files containing the string "cpassword." This is significant from a security perspective, as "cpassword" is associated with a deprecated method of storing passwords in Group Policy Preferences within Active Directory.
PowerView, belonging to the PowerSploit collection, serves as a reconnaissance and exploitation tool the attackers use. It enables them to gather information about the domain, identify misconfigurations, and exploit vulnerabilities.
Cobalt Strike, a commercially available penetration testing tool, plays a central role in this attack. The attackers utilize Cobalt Strike beacons to establish command-and-control (C2) communication with the compromised systems, enabling them to control and monitor the network remotely.
AnyDesk, a legitimate remote desktop software, is misused by the threat actors to gain persistent access to the compromised environment. They deploy AnyDesk to establish backdoor access, enabling them to control the compromised systems even after the initial intrusion.
Mimikatz, a well-known post-exploitation tool, is used to extract plaintext passwords and perform pass-the-hash attacks. The attackers employ Mimikatz to steal credentials, further escalating their privileges and expanding their control over the compromised network.
The malvertising attack chain discussed in this article sheds light on several important lessons for organizations and users:

A single ClickFix infrastructure is pushing StealC, Amatera, Remus, NetSupport, CastleLoader and a new loader called ResiLoader through fake Google/Cloudflare checks.