A well-known ransomware group is pushing fake ads to lure people into visiting webpages that spoof the official WinSCP (Windows Secure Copy) site, experts have warned.

BlackCat, also known as ALPHV, has loaded the pages with malware installers that infect the victim when they visit. BleepingComputer claims that the group hopes to target “system administrators, web admins, and IT professionals for initial access to valuable corporate networks.”

These users would be most interested in using WinSCP, as the client is open source and allows for SSH file transfer with file management capabilities, allowing for secure transfers between local machines and remote servers. It also can also act as an WebDAV and Amazon S3 client.

The fake ads were spotted on Google and Bing search pages, with Trend Micro, who first spotted the campaign, noting that searches for “WinSCP Download” on these sites leads to the malicious ads being promoted above safe and legitimate results.

The fake websites that the links in these ads lead to have a tutorial on using WinSCP. These sites in themselves are not dangerous, helping them to avoid detection by Google, but they do redirect visitors to a fake version of the WinSCP site with similar domain names, such as winsccp[.]com (the real site is winscp.net).

On these fake sites is a download button, which when clicked, downloads an ISO file containing the malware. This malware sets up a connection with the attacker’s command-and-control server, and can lay the ground for further penetration of the target system, such as retrieving Active Directory (AD) information, extracting files and obtaining Veeam credentials. 

It also uses SpyBoy, a known terminator that can disable endpoint protection and antivirus software. BleepingComputer notes that this can go for as much as $3,000 on hacking forums. It can escalate privileges on a system and then disable them.

In addition to BlackCat, Trend Micro also says it also found a Clop ransomware file in one of the attacker’s C2 domains, suggesting that they may be linked to multiple ransomware operations. 

Clop caused quite the stir when it managed to successfully attack GoAnywhere and then MoveIT this year, affecting numerous high profile organizations in the process.

Go to Source

Follow us on FacebookTwitter and InstagramWe are growing. Join our 6,000+ followers and us.

At TechRookies.com will strive to help turn Tech Rookies into Pros!

Want more articles click Here!

Deals on Homepage!

M1 Finance is a highly recommended brokerage start investing today here!

WeBull. LIMITED TIME OFFER: Get 3 free stocks valued up to $6300 by opening & funding a #Webull brokerage account! “>Get started >Thanks for visiting!

Subscribe to our newsletters. Here! On the homepage

Tech Rookies Music Here!

Disclaimer: I get commissions for purchases made through links in this post at no charge to you and thanks for supporting Tech Rookies.

Disclosure: Links contain affiliates. When you buy through one of our links we will receive a commission. This is at no cost to you. Thank you for supporting Teachrookies.com

Disclaimer: This article is for information purposes and should not be considered professional investment advice. It contains some forward-looking statements that should not be taken as indicators of future performance. Every investor has a different risk profile and goals. All investments have risks. Always do your own research or hire an expert before investing and trading.