Ongoing Malvertising Campaign leads to Ransomware
Essential information
- Published: 15/05/2024 15:14
- Modified: 15/05/2024 15:32
- Tags: 2024-05-10, 2024-05-15, c2 address, cobalt strike, dnstwist, dropped, execution, localappdata, malware, msi package, putty, python, ransomware, service, sliver, sliver beacon, winscp
- Related entities: 78 observables, 15 techniques (MITRE)
Description
Rapid7 detected an ongoing malware distribution campaign involving trojanized installers of WinSCP and PuTTY, delivered via malicious search engine ads. The infection chain employs DLL side-loading, credential access, and deploys Sliver beacons followed by Cobalt Strike. In one case, the threat actor attempted data exfiltration and ransomware deployment after gaining elevated access. The analysis provides indicators, MITRE ATT&CK mappings, and detection guidance.