Tuesday, November 12, 2024
Homecyber securityIT Teams Beware! Weaponized WinSCP & PuTTY Delivers Ransomware

IT Teams Beware! Weaponized WinSCP & PuTTY Delivers Ransomware

Published on

Malware protection

Attackers launched a campaign distributing trojanized installers for WinSCP and PuTTY in early March 2024, as clicking malicious ads after searching for the software leads to downloads containing a renamed pythonw.exe that loads a malicious DLL. 

The DLL side-loads a legitimate DLL and injects a Sliver beacon using a reflective DLL injection technique, where the attackers then establish persistence, download additional payloads, attempt to steal data, and deploy ransomware, which shows TTPs similar to those used by BlackCat/ALPHV in the past

Appearance of the cloned WinSCP website.

The ad for PuTTY download redirected users to a typo-squatted domain (putty.org) hosting a malicious download link.

- Advertisement - SIEM as a Service

Clicking the link triggered a chain of redirects, ultimately downloading a malware-laced ZIP archive disguised as a PuTTY installer (putty-0.80-installer.zip) from a compromised WordPress domain (areauni.com).

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

The attackers also hosted a seemingly legitimate PuTTY help article page on the same domain (putty.org), likely to deflect suspicion.  

Landing page for the malicious ad.

The attacker distributes a malicious archive named “putty-0.80-installer.zip” containing a renamed copy of pythonw.exe (setup.exe).

Once executed, setup.exe side-loads a malicious DLL (python311.dll) that further loads a legitimate DLL (python3.dll) to act as a proxy for its malicious functionality. 

It hides the malware’s activity, improves its stability, and then utilizes techniques from the AntiHook and KrakenMask libraries for further evasion, where AntiHook allows the malware to identify and bypass hooks placed by security software, while KrakenMask spoofs return addresses and encrypts memory to avoid detection.  

The extracted contents of putty-0.80-installer.zip.

Malware utilizes the Windows Native API (NTAPI) functions from ntdll.dll to bypass detection of common user mode functions and dynamically resolves functions like EtwEventWrite and EtwEventRegister from ntdll.dll, potentially for anti-malware evasion. 

According to Rapid 7, strings for functions like WldpQueryDynamicCodeTrust and AmsiScanBuffer are found, indicating the malware might be trying to tamper with code trust or bypass AMSI scanning. 

The encrypted resource is loaded into memory and decrypted using AES-256.

It extracts an encrypted resource from python311.dll and decrypts it using an AES-256 key stored in plain text, where the decrypted resource is a zip archive containing a legitimate PuTTY installer and another archive. 

Decrypted and decompressed contents of the resource.

The malware impersonates a PuTTY installer by first copying a genuine MSI file to a public downloads folder, creating a believable installation process, and then extracting malicious files from a hidden ZIP archive and staging them in a concealed location. 

Finally, it executes a Python script (systemd.py) that decrypts and injects a malicious DLL, likely a Sliver beacon, leveraging techniques from publicly available code, presumably establishing a connection to a command and control server, enabling further malicious activity.

On-Demand Webinar to Secure the Top 3 SME Attack Vectors: Watch for Free

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Maximizing Agent Productivity And Security With Workforce Management Software In Contact Centers

In the bustling world of customer service, the stakes are perpetually high—every missed call...

Rise Of Ransomware-As-A-Service Leads To Decline Of Custom Tools

Ransomware-as-a-Service (RaaS) platforms have revolutionized the ransomware market.Unlike traditional standalone ransomware sales, RaaS...