Windows System Admins Targeted by Hackers Via Fraudulent PuTTY, WinSCP Ads

A ransomware campaign is targeting Windows system administrators with Google advertisements that promote fraudulent download sites for PuTTY and WinSCP. Both are popular Windows applications: WinSCP is an SFTP and FTP client, while PuTTY is an SSH client.

System administrators typically have more rights on a Windows network, making them prime targets for threat actors looking to quickly propagate over a network, steal data, and get access to a network's domain controller to deliver ransomware. 

According to a recent Rapid7 report, a search-engine campaign displayed advertisements for fake PuTTY and WinSCP websites when users searched for "download winscp" or "download putty". It is unclear whether the advertisements ran on Google or on Bing.

The advertisements used typosquatting domain names such as puutty[.]org, wnscp[.]net, and vvinscp[.]net. The WinSCP lookalikes impersonated the official WinSCP site (winscp.net); the PuTTY lookalike instead impersonated putty.org, an unaffiliated site that many people assume is the official one. PuTTY's official website is https://www.chiark.greenend.org.uk/~sgtatham/putty/.

These sites contain download links that, when clicked, either redirect the visitor to the legitimate website or serve a ZIP archive from the threat actor's servers, depending on whether the visitor arrived from a search-engine advertisement or from another site in the campaign.

The downloaded ZIP packages contain two executables: Setup.exe, a renamed and legitimate Python for Windows executable (pythonw.exe), and python311.dll, a malicious program.

When pythonw.exe runs, it loads python311.dll, the DLL that holds the Python runtime, from its own directory. The threat actors shipped a malicious DLL under that name next to the renamed launcher, so the legitimate executable loads attacker code; this technique is known as DLL sideloading.

So when a user runs Setup.exe expecting to install PuTTY or WinSCP, it loads the malicious DLL, which decrypts and executes an embedded Python script.
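The sideloading chain above leaves two telemetry artefacts that are easy to hunt for: a process whose on-disk name (Setup.exe) differs from the OriginalFileName recorded in its PE version resource (pythonw.exe), and a python3xx.dll being loaded from somewhere other than a Python install directory. The detection logic below is an added example, not code from the original post or from Rapid7; it runs over constructed Sysmon-style events (field names follow Sysmon's process-creation and image-load schema, the events themselves are made up), and the list of trusted Python install roots is an assumption you would tune for your own estate.

```python
import re

# Constructed Sysmon-style events (not real telemetry). The first pair mimics
# the campaign: a renamed pythonw.exe in a download folder loading a sideloaded
# python311.dll. The second pair is a legitimate python.org installation.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\admin\Downloads\PuTTY\Setup.exe",
     "OriginalFileName": "pythonw.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "Image": r"C:\Users\admin\Downloads\PuTTY\Setup.exe",
     "ImageLoaded": r"C:\Users\admin\Downloads\PuTTY\python311.dll", "Signed": "false"},
    {"EventID": 1, "Image": r"C:\Program Files\Python311\pythonw.exe",
     "OriginalFileName": "pythonw.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "Image": r"C:\Program Files\Python311\pythonw.exe",
     "ImageLoaded": r"C:\Program Files\Python311\python311.dll", "Signed": "true"},
]

PYTHON_LAUNCHERS = {"python.exe", "pythonw.exe"}
PYTHON_RUNTIME_DLL = re.compile(r"[\\/]python3\d{1,2}\.dll$", re.IGNORECASE)
# Assumption: python3xx.dll legitimately lives under the default python.org
# per-machine or per-user install roots. Extend this for your own environment.
TRUSTED_PYTHON_DIRS = re.compile(
    r"^(c:\\program files( \(x86\))?\\python"
    r"|c:\\users\\[^\\]+\\appdata\\local\\programs\\python)",
    re.IGNORECASE,
)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def check_event(ev):
    """Return a list of (rule, detail) findings for one Sysmon-style event."""
    findings = []
    if ev.get("EventID") == 1:
        # Rule 1: a Python launcher running under a different file name.
        original = ev.get("OriginalFileName", "").lower()
        on_disk = basename(ev.get("Image", "")).lower()
        if original in PYTHON_LAUNCHERS and on_disk != original:
            findings.append(("renamed_python_launcher",
                             f"{ev['Image']} has OriginalFileName {original}"))
    elif ev.get("EventID") == 7:
        loaded = ev.get("ImageLoaded", "")
        if PYTHON_RUNTIME_DLL.search(loaded):
            # Rule 2: the runtime DLL loaded from outside any install root.
            if not TRUSTED_PYTHON_DIRS.match(loaded):
                findings.append(("python_dll_outside_install_dir", loaded))
            # Rule 3: python.org ships signed DLLs; a sideloaded one usually is not.
            if str(ev.get("Signed", "")).lower() != "true":
                findings.append(("unsigned_python_dll", loaded))
    return findings


def detect(events):
    """Run every rule over an iterable of events and collect the findings."""
    out = []
    for ev in events:
        for rule, detail in check_event(ev):
            out.append({"rule": rule, "image": ev.get("Image"), "detail": detail})
    return out


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f"[{finding['rule']}] {finding['image']}: {finding['detail']}")
```

Only the renamed launcher and its sideloaded DLL trigger findings; the genuine install in Program Files passes all three rules. Rule 1 depends on OriginalFileName, which Sysmon reads from the binary's version resource, so a renamed copy of a signed vendor executable is caught even though its hash and signature are legitimate.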

That script eventually installs the Sliver post-exploitation framework, an open-source tool that is popular with threat actors for maintaining command-and-control access to compromised networks. Rapid7 says the threat actor used Sliver to remotely deploy further payloads, including Cobalt Strike beacons, and then used that access to steal data and attempt to deploy a ransomware encryptor.

While Rapid7 provided few specifics about the ransomware, the researchers say the campaign is comparable to ones detected by Malwarebytes and Trend Micro, which used the now-defunct BlackCat/ALPHV ransomware.

"In a recent incident, Rapid7 observed the threat actor attempt to exfiltrate data using the backup utility Restic, and then deploy ransomware, an attempt which was ultimately blocked during execution," stated Rapid7's Tyler McGraw. "The related techniques, tactics, and procedures (TTP) observed by Rapid7 are reminiscent of past BlackCat/ALPHV campaigns as reported by Trend Micro last year."

Google Took Down Luring Ads Posing as Brave Browser

Malicious advertising lured internet users to a bogus Brave website that delivered the ArechClient (SectopRAT) malware disguised as the Brave browser. Google ended the scam by removing the fraudulent advertisement.

Users who searched for the Brave browser were shown a cleverly disguised advertisement that sent them to a malicious website, which in turn planted malware on their computers.

The rogue website was hosted at bravė.com, where the letter e in Brave is replaced by the Lithuanian lowercase e with a dot above (ė) instead of the standard Latin letter. Brave is a free, open-source, Chromium-based web browser made by Brave Software, Inc.

Brave is a privacy-focused browser, known for blocking online ads and website trackers by default. Visitors to the fake site, which was built to resemble the genuine Brave portal, were offered an ISO file that claimed to contain the Brave installer.

Instead of the Brave browser, the ISO file contained an ArechClient (SectopRAT) malware variant, security researcher Bart Blaze told The Record after analysing the file. The malware's main purpose is to steal data from browsers and cryptocurrency wallets, Blaze said.

It also contains numerous anti-VM and anti-emulator checks to hinder analysis of its malicious capabilities by researchers and security products.

Anyone who inadvertently downloaded this malware is advised to change their web account passwords and move cryptocurrency funds to new addresses. Google has since confirmed that the fraudulent ad was removed.

Attacks of this kind are known as IDN homograph attacks: threat actors register domain names using internationalized characters that look like Latin letters.

Such attacks, like the one against Brave, have been possible for more than a decade, since internationalized characters were first permitted in domain names; browsers defend against them by displaying suspicious non-ASCII domains in their Punycode (xn--) form.

For instance, when loaded in a modern browser, the fraudulent domain bravė.com is displayed as xn--brav-yva.com, but visitors who do not look at the address bar would most likely download the malicious payload anyway.
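Both posts on this page come down to the same question: is the host a download actually comes from the vendor's official one? The check below is an added example, not code from either post, from Brave, or from Rapid7. It extracts the hostname from a (possibly defanged) URL, computes the Punycode form a browser would show, folds diacritics and a few look-alike letters into a skeleton so that bravė.com collapses to brave.com, and measures edit distance to a small set of brand names so that puutty[.]org, wnscp[.]net and vvinscp[.]net from the PuTTY/WinSCP campaign are caught as typosquats. The allow-list of official hosts and the brand table are assumptions built from the sites named on this page; the confusables subset is illustrative and Unicode TR39 has the complete table.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumption: the official download hosts named on this page. A real allow-list
# should be maintained from vendor documentation.
BRANDS = {
    "putty": "www.chiark.greenend.org.uk",
    "winscp": "winscp.net",
    "brave": "brave.com",
}
OFFICIAL_HOSTS = {
    "www.chiark.greenend.org.uk",
    "winscp.net", "www.winscp.net",
    "brave.com", "www.brave.com",
}

# A few Cyrillic letters that render like Latin ones (illustrative subset of
# the Unicode TR39 confusables table).
CONFUSABLES = str.maketrans({"а": "a", "е": "e", "о": "o", "р": "p",
                             "с": "c", "х": "x", "у": "y", "і": "i"})


def hostname(url):
    """Extract a lowercase hostname, accepting defanged hxxp:// and [.] forms."""
    url = url.replace("hxxp", "http").replace("[.]", ".")
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def punycode(host):
    """The xn-- form a browser would show for a non-ASCII hostname."""
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def skeleton(host):
    """Strip diacritics and fold look-alike letters: bravė.com -> brave.com."""
    decomposed = unicodedata.normalize("NFKD", host)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return stripped.translate(CONFUSABLES)


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def closest_brand(label):
    return min(((levenshtein(label, b), b) for b in BRANDS), default=(99, None))


def classify(url):
    """Verdicts: official, homograph, unaffiliated, typosquat or unknown."""
    host = hostname(url)
    puny = punycode(host)
    if host in OFFICIAL_HOSTS:
        return {"host": host, "punycode": puny, "verdict": "official"}
    labels = skeleton(host).split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]  # second-level label
    dist, brand = closest_brand(sld)
    non_ascii = puny != host  # some label would be shown as xn-- in the address bar
    if dist <= 2 and non_ascii:
        verdict = "homograph"
    elif dist == 0:
        verdict = "unaffiliated"  # brand name on a host that is not the official one
    elif dist <= 2:
        verdict = "typosquat"
    else:
        verdict = "unknown"
    return {"host": host, "punycode": puny, "verdict": verdict,
            "brand": brand if dist <= 2 else None}


if __name__ == "__main__":
    for u in ["https://www.chiark.greenend.org.uk/~sgtatham/putty/",
              "hxxps://puutty[.]org/", "https://bravė.com/download",
              "https://putty.org/"]:
        print(u, "->", classify(u))
```

The "unaffiliated" verdict covers putty.org: a brand name on a host that is not the official one, which is exactly the site the PuTTY lookalike imitated. The distance threshold of 2 is deliberately tight; widen it and short brand names such as "brave" start matching unrelated words.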