{
  "name": "Ongoing Malvertising Campaign leads to Ransomware",
  "slug": "ongoing-malvertising-campaign-leads-to-ransomware",
  "description": "Rapid7 detected an ongoing malware distribution campaign involving trojanized installers of WinSCP and PuTTY, delivered via malicious search engine ads. The infection chain uses DLL side-loading and credential access, and deploys Sliver beacons followed by Cobalt Strike. In one case, the threat actor attempted data exfiltration and ransomware deployment after gaining elevated access. The analysis provides indicators, MITRE ATT&CK mappings, and detection guidance.",
  "published": "2024-05-15T13:14:13+00:00",
  "created_at": "2024-05-15T13:14:13+00:00",
  "modified_at": "2024-05-15T13:32:05+00:00",
  "created_at_opencti": "2024-05-15T13:14:13+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-05-10",
    "2024-05-15",
    "c2 address",
    "cobalt strike",
    "dnstwist",
    "dropped",
    "execution",
    "localappdata",
    "malware",
    "msi package",
    "putty",
    "python",
    "ransomware",
    "service",
    "sliver",
    "sliver beacon",
    "winscp"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "94.156.67.83"
      },
      {
        "id": "",
        "name": "94.156.67.188"
      },
      {
        "id": "",
        "name": "94.156.67.185"
      },
      {
        "id": "",
        "name": "91.92.255.77"
      },
      {
        "id": "",
        "name": "91.92.255.71"
      },
      {
        "id": "",
        "name": "91.92.253.80"
      },
      {
        "id": "",
        "name": "91.92.252.238"
      },
      {
        "id": "",
        "name": "91.92.249.155"
      },
      {
        "id": "",
        "name": "91.92.249.106"
      },
      {
        "id": "",
        "name": "91.92.244.41"
      },
      {
        "id": "",
        "name": "91.92.242.183"
      },
      {
        "id": "",
        "name": "185.82.219.92"
      },
      {
        "id": "",
        "name": "94.156.65.115"
      },
      {
        "id": "",
        "name": "94.156.65.98"
      },
      {
        "id": "",
        "name": "vvinscp.net"
      },
      {
        "id": "",
        "name": "winnscp.net"
      },
      {
        "id": "",
        "name": "putyy.org"
      },
      {
        "id": "",
        "name": "wnscp.net"
      },
      {
        "id": "",
        "name": "puutty.org"
      },
      {
        "id": "",
        "name": "puttyy.org"
      },
      {
        "id": "",
        "name": "puttty.org"
      },
      {
        "id": "",
        "name": "mkt.geostrategy-ec.com"
      },
      {
        "id": "",
        "name": "fkm-system.com"
      },
      {
        "id": "",
        "name": "areauni.com"
      },
      {
        "id": "",
        "name": "f89720497b810afc9666f212e8f03787d72598573b41bc943cd59ce1c620a861"
      },
      {
        "id": "",
        "name": "f36e9dec2e7c574c07f3c01bbbb2e8a6294e85863f4d6552cccb71d9b73688ad"
      },
      {
        "id": "",
        "name": "f36089675a652d7447f45c604e062c2a58771ec54778f6e06b2332d1f60b1999"
      },
      {
        "id": "",
        "name": "f18367d88f19c555f19e3a40b17de66d4a6f761684a5ef4cdd3d9931a6655490"
      },
      {
        "id": "",
        "name": "ed501e49b9418fcfaf56a2eff7adcf85a648bdee2c42bb09db8c11f024667bfa"
      },
      {
        "id": "",
        "name": "d95f6dec32b4ebed2c45ecc05215e76bf2f520f86ad6b5c5da1326083ba72e89"
      },
      {
        "id": "",
        "name": "df0213e4b784a7e7e3b4c799862db6ea60e34d8e22eb5e72a980a8c2e9b36177"
      },
      {
        "id": "",
        "name": "d94ed93042d240e4eaac8b1b397abe60c6c50a5ff11e62180a85be8aa0b0cc4a"
      },
      {
        "id": "",
        "name": "d27f9c0d761e5e1de1a741569e743d6747734d3cdaf964a9e8ca01ce662fac90"
      },
      {
        "id": "",
        "name": "cf82366e319b6736a7ee94cca827790e9fdedface98601f0499abee61f613d5d"
      },
      {
        "id": "",
        "name": "cd7d59105b0d0b947923dd9ed371b9cfc2c2aa98f29b2afbdcd3392ad26bde94"
      },
      {
        "id": "",
        "name": "c9042a7ed34847fee538c213300374c70c76436ee506273b35282c86a11d9e6a"
      },
      {
        "id": "",
        "name": "ca05485a1ec408e2f429e2e377cc5af2bee37587a2eb91dc86e8e48211ffc49e"
      },
      {
        "id": "",
        "name": "c8a982e2be4324800f69141b5be814701bcc4167b39b3e47ed8908623a13eb10"
      },
      {
        "id": "",
        "name": "c33975aa4ab4cdf015422608962bd04c893f27bd270cf3f30958981541cdfead"
      },
      {
        "id": "",
        "name": "bfc2ef3b404294fe2fa05a8b71c7f786b58519175b7202a69fe30f45e607ff1c"
      },
      {
        "id": "",
        "name": "bd4abc70de30e036a188fc9df7b499a19a0b49d5baefc99844dfdec6e70faf75"
      },
      {
        "id": "",
        "name": "bbdf350c6ae2438bf14fc6dc82bb54030abf9da0c948c485e297330e08850575"
      },
      {
        "id": "",
        "name": "a5dfc9c326b1303cc1323c286ecd9751684fb1cd509527e2f959fb79e5a792c2"
      },
      {
        "id": "",
        "name": "a1cb8761dd8e624d6872960e1443c85664e9fbf24d3e208c3584df49bbdb2d9c"
      },
      {
        "id": "",
        "name": "9be715df88024582eeabdb0a621477e04e2cf5f57895fa6420334609138463b9"
      },
      {
        "id": "",
        "name": "9bd3c7eff51c5746c21cef536971cc65d25e3646533631344728e8061a0624cb"
      },
      {
        "id": "",
        "name": "989a8e6a01aa20e298b1ffae83b50cef3e08f6b64a8f022288dc8d5729301674"
      },
      {
        "id": "",
        "name": "972ca168f7a8cddd77157e7163b196d1267fe2b338b93dabacc4a681e3d46b57"
      },
      {
        "id": "",
        "name": "96ea33a5f305015fdd84bea48a9e266c0516379ae33321a1db16bc6fabad5679"
      },
      {
        "id": "",
        "name": "8bc39017b1ea59386f74d7c7822063b3b00315dd317f55ddc6634bde897c45c1"
      },
      {
        "id": "",
        "name": "8b1946e3e88cff3bee6b8a2ef761513fb82a1c81f97a27f959c08d08e4c75324"
      },
      {
        "id": "",
        "name": "8834ec9b0778a08750156632b8e74b9b31134675a95332d1d38f982510c79acb"
      },
      {
        "id": "",
        "name": "8b0d04f65a6a5a3c8fb111e72a1a176b7415903664bc37f0a9015b85d3fc0aa7"
      },
      {
        "id": "",
        "name": "8827b6fa639afe037bb2c3f092ccb12d49b642ce5cec496706651ebcb23d5b9e"
      },
      {
        "id": "",
        "name": "7d53122d6b7cff81e1c5fcdb3523ccef1dbd46c93020a0de65bc475760faff7d"
      },
      {
        "id": "",
        "name": "868cd4974e1f3ac7ef843da8040536cb04f96a2c5779265a69df58e87dc03029"
      },
      {
        "id": "",
        "name": "725aa783a0cd17df603fbe6b11b5a41c9fbfd6fc9e4f2e468c328999e5716faa"
      },
      {
        "id": "",
        "name": "69583c4a9bf96e0edafcf1ac4362c51d6ff71bba0f568625ae65a1e378f15c65"
      },
      {
        "id": "",
        "name": "61214a7b14d6ffb4d27e53e507374aabcbea21b4dc574936b39bec951220e7ea"
      },
      {
        "id": "",
        "name": "51d898de0c300cae7a57c806d652809d19beb3e52422a7d8e4cb1539a1e2485d"
      },
      {
        "id": "",
        "name": "51af3d778b5a408b725fcf11d762b0f141a9c1404a8097675668f64e10d44d64"
      },
      {
        "id": "",
        "name": "500574522dbcde5e6c89803c3dca7f857f73e0868fd7f8d2f437f3cc31ce9e8d"
      },
      {
        "id": "",
        "name": "4b618892c9a397b2b831917264aaf0511ac1b7e4d5e56f177217902daab74a36"
      },
      {
        "id": "",
        "name": "47ec3a1ece8b30e66afd6bb510835bb072bbccc8ea19a557c59ccdf46fe83032"
      },
      {
        "id": "",
        "name": "35161a508dfaf8e04bb6de6bc793a3840a05f2c04bbbbf8c2237abebe8e670aa"
      },
      {
        "id": "",
        "name": "33f6acd3dfeda1aadf0227271937c1e5479c2dba24b4dca5f3deccc83e6a2f04"
      },
      {
        "id": "",
        "name": "2ee435033d0e2027598fc6b35d8d6cbca32380eb4c059ba0806b9cfb1b4275cc"
      },
      {
        "id": "",
        "name": "28e5ee69447cea77eee2942c04009735a199771ba64f6bce4965d674515d7322"
      },
      {
        "id": "",
        "name": "242b2c948181f8c2543163c961775393220d128ecb38a82fa62b80893f209cab"
      },
      {
        "id": "",
        "name": "17e0005fd046e524c1681304493f0c51695ba3f24362a61b58bd2968aa1bd01a"
      },
      {
        "id": "",
        "name": "169ef0e828c3cd35128b0e8d8ca91fbf54120d9a2facf9eb8b57ea88542bc427"
      },
      {
        "id": "",
        "name": "1576f71ac41c4fc93c8717338fbc2ba48374894345c33bdf831b16d0d06df23d"
      },
      {
        "id": "",
        "name": "13b2e749eb1e45ce999427a12bb78cbebc87c415685315c77cdfb7f64cb9aab0"
      },
      {
        "id": "",
        "name": "12afbec79948007e87fdf9e311736160797f245857a45c040966e8e029ca97b3"
      },
      {
        "id": "",
        "name": "0aa248300a9f6c498f5305ae3cb871e9ec78ae62e6d51c05c4d6dd069622f442"
      },
      {
        "id": "",
        "name": "03d18441c04f12270aab3e55f68284dcd84721d1e56b32f8d8b732a52a654d2d"
      },
      {
        "id": "",
        "name": "02d8e4e5f74d38c8e1c9ad893e0cec1cc19aa08a43ecc87ac043fa825382a583"
      },
      {
        "id": "",
        "name": "02330e168d4478a4cd2006dd3a856979f125fd30f5ed24ee70a41e03e4c0d2f8"
      }
    ],
    "attack_patterns": [
      {
        "id": "1e043fe4-2413-4b8e-887c-0fe45d095a24",
        "name": "T1583"
      },
      {
        "id": "232fbdfa-94c6-443d-b575-373e75b4f4c2",
        "name": "T1567"
      },
      {
        "id": "7911f1c3-e86b-4e33-afea-9a054b0295dc",
        "name": "T1222"
      },
      {
        "id": "fe6f2946-a01e-460c-9636-8c48b45dd0e6",
        "name": "T1189"
      },
      {
        "id": "f1bb7823-4f4b-4565-b472-bf0cfca467b1",
        "name": "T1486"
      },
      {
        "id": "6e4e21cc-92cf-4564-920e-d509bd22fd40",
        "name": "T1574"
      },
      {
        "id": "60972cf6-e90b-4600-af3c-13c468391d9c",
        "name": "T1106"
      },
      {
        "id": "4cb4ee3b-b78f-45cf-bcaa-45a2aa968e56",
        "name": "T1570"
      },
      {
        "id": "af9ed2e3-4663-4723-beab-c606ddc312e0",
        "name": "T1543"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "50514c04-b3a2-4abf-a855-e3a434200c87",
        "name": "T1204"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "bb20a9e1-f4f6-459d-94f4-470c6867dc2d",
        "name": "T1053"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ]
  },
  "external_refs": [
    "https://www.rapid7.com/blog/post/2024/05/13/ongoing-malvertising-campaign-leads-to-ransomware/",
    "https://otx.alienvault.com/pulse/6644d146eed1dc7dd5c6f6b2"
  ]
}