Menu

  • Alerts
  • Incidents
  • News
  • APTs
  • Cyber Decoded
  • Cyber Hygiene
  • Cyber Review
  • Cyber Tips
  • Definitions
  • Malware
  • Threat Actors
  • Tutorials

Useful Tools

  • Password generator
  • Report an incident
  • Report to authorities
No Result
View All Result
CTF Hack Havoc
CyberMaterial
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
Hall of Hacks
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
No Result
View All Result
Hall of Hacks
CyberMaterial
No Result
View All Result
Home Alerts

Malware Attacks via Cloned Webpages

July 4, 2023
Reading Time: 2 mins read
in Alerts
Malware Attacks via Cloned Webpages

 

The BlackCat ransomware-as-a-service group has been discovered developing a threat activity cluster by utilizing selected keywords on legitimate organizations’ webpages to deploy malicious malware.

Researchers from Trend Micro, along with an unnamed organization, uncovered unauthorized activities performed by cybercriminals within the company’s network, involving cloned webpages of WinSCP and SpyBoy.

This technique, known as malvertising, involves hijacking keywords to display malicious ads that lure unsuspecting users into downloading malware. The attackers managed to steal top-level administrator privileges and attempted to establish backdoor access and persistence using remote management tools.

Researchers noted similarities between this campaign and previous ones conducted by BlackCat, including the use of anti-antivirus and anti-endpoint detection tools like SpyBoy to tamper with agent protection.

To exfiltrate the stolen data, the attackers employed the PuTTY Secure Copy client for information transfer. Further investigation into the command and control domains used by the threat actor revealed a potential connection with the Clop ransomware.

The attack chain involved SEO-poisoning techniques to deceive unsuspecting users into downloading a cloned application containing malware. The infection flow included the delivery of an initial loader, fetching the bot core, and ultimately dropping the payload, typically a backdoor. In this case, the WinSCP application contained a backdoor with Cobalt Strike Beacon, enabling operations on a remote server.

In addition to these tools, the researchers identified the use of AdFind by the threat actors, which is designed to retrieve and display information from Active Directory environments. When in the hands of a threat actor, AdFind can be exploited for activities such as user account enumeration, privilege escalation, and password hash extraction.

The malicious actors also employed the AnyDesk remote management tool within the environment to maintain persistence. The discovery of these unauthorized activities highlights the ongoing efforts of cybercriminals to exploit legitimate organizations and underscores the importance of robust cybersecurity measures to mitigate such threats.

Reference:
  • Malvertising Used as Entry Vector for BlackCat, Actors Also Leverage SpyBoy Terminator

Tags: BlackCatCyber AlertCyber Alerts 2023July 2023MalwareRansomwareSpyboyTrend MicroWinSCP
ADVERTISEMENT

Related Posts

New Godfather Trojan Hijacks Banking Apps

Winos 4.0 Malware Hits Taiwan Via Tax Phish

June 20, 2025
New Godfather Trojan Hijacks Banking Apps

New Godfather Trojan Hijacks Banking Apps

June 20, 2025
New Godfather Trojan Hijacks Banking Apps

New Amatera Stealer Delivered By ClearFake

June 20, 2025
Fake Invoices Deliver Sorillus RAT In Europe

Fake Minecraft Mods On GitHub Spread Malware

June 19, 2025
Russian Phishing Scam Bypasses Google 2FA

Russian Phishing Scam Bypasses Google 2FA

June 19, 2025
Fake Invoices Deliver Sorillus RAT In Europe

Fake Invoices Deliver Sorillus RAT In Europe

June 19, 2025

Latest Alerts

Winos 4.0 Malware Hits Taiwan Via Tax Phish

New Amatera Stealer Delivered By ClearFake

New Godfather Trojan Hijacks Banking Apps

Fake Minecraft Mods On GitHub Spread Malware

Fake Invoices Deliver Sorillus RAT In Europe

Russian Phishing Scam Bypasses Google 2FA

Subscribe to our newsletter

    Latest Incidents

    Massive Leak Exposes 16 Billion Credentials

    Tonga Health System Down After Ransomware

    Chinese Spies Target Satellite Giant Viasat

    German Dealer Leymann Hacked Closes Stores

    Hacker Mints $27M From Meta Pool Gets 132K

    UBS and Pictet Hit By Vendor Data Breach

    CyberMaterial Logo
    • About Us
    • Contact Us
    • Jobs
    • Legal and Privacy Policy
    • Site Map

    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial