Also observed is the use of the Terminator defense evasion tool to tamper with security software by means of a Bring Your Own Vulnerable Driver ( BYOVD) attack. The access afforded by Cobalt Strike is further abused to download a number of programs to conduct reconnaissance, enumeration (PowerView), lateral movement (PsExec), bypass antivirus software (KillAV BAT), and exfiltrate customer data (PuTTY Secure Copy client). The idea is to trick users searching for applications like WinSCP into downloading malware, in this instance, a backdoor that contains a Cobalt Strike Beacon that connects to a remote server for follow-on operations, while also employing legitimate tools like AdFind to facilitate network discovery. It typically involves hijacking a chosen set of keywords (e.g., "WinSCP Download") to display bogus ads on Bing and Google search results pages with the goal of redirecting unsuspecting users to sketchy pages. Malvertising refers to the use of SEO poisoning techniques to spread malware via online advertising. "In this case, the distribution involved a webpage of the well-known application WinSCP, an open-source Windows application for file transfer." "Malicious actors used malvertising to distribute a piece of malware via cloned webpages of legitimate organizations," Trend Micro researchers said in an analysis published last week. Threat actors associated with the BlackCat ransomware have been observed employing malvertising tricks to distribute rogue installers of the WinSCP file transfer application.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |