Menu

  • Alerts
  • Incidents
  • News
  • APTs
  • Cyber Decoded
  • Cyber Hygiene
  • Cyber Review
  • Cyber Tips
  • Definitions
  • Malware
  • Threat Actors
  • Tutorials

Useful Tools

  • Password generator
  • Report an incident
  • Report to authorities
No Result
View All Result
CTF Hack Havoc
CyberMaterial
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
Hall of Hacks
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
No Result
View All Result
Hall of Hacks
CyberMaterial
No Result
View All Result
Home Alerts

Malware Attacks via Cloned Webpages

July 4, 2023
Reading Time: 2 mins read
in Alerts
Malware Attacks via Cloned Webpages

 

The BlackCat ransomware-as-a-service group has been discovered developing a threat activity cluster by utilizing selected keywords on legitimate organizations’ webpages to deploy malicious malware.

Researchers from Trend Micro, along with an unnamed organization, uncovered unauthorized activities performed by cybercriminals within the company’s network, involving cloned webpages of WinSCP and SpyBoy.

This technique, known as malvertising, involves hijacking keywords to display malicious ads that lure unsuspecting users into downloading malware. The attackers managed to steal top-level administrator privileges and attempted to establish backdoor access and persistence using remote management tools.

Researchers noted similarities between this campaign and previous ones conducted by BlackCat, including the use of anti-antivirus and anti-endpoint detection tools like SpyBoy to tamper with agent protection.

To exfiltrate the stolen data, the attackers employed the PuTTY Secure Copy client for information transfer. Further investigation into the command and control domains used by the threat actor revealed a potential connection with the Clop ransomware.

The attack chain involved SEO-poisoning techniques to deceive unsuspecting users into downloading a cloned application containing malware. The infection flow included the delivery of an initial loader, fetching the bot core, and ultimately dropping the payload, typically a backdoor. In this case, the WinSCP application contained a backdoor with Cobalt Strike Beacon, enabling operations on a remote server.

In addition to these tools, the researchers identified the use of AdFind by the threat actors, which is designed to retrieve and display information from Active Directory environments. When in the hands of a threat actor, AdFind can be exploited for activities such as user account enumeration, privilege escalation, and password hash extraction.

The malicious actors also employed the AnyDesk remote management tool within the environment to maintain persistence. The discovery of these unauthorized activities highlights the ongoing efforts of cybercriminals to exploit legitimate organizations and underscores the importance of robust cybersecurity measures to mitigate such threats.

Reference:
  • Malvertising Used as Entry Vector for BlackCat, Actors Also Leverage SpyBoy Terminator

Tags: BlackCatCyber AlertCyber Alerts 2023July 2023MalwareRansomwareSpyboyTrend MicroWinSCP
ADVERTISEMENT

Related Posts

Chrome Extensions Leak Data And API Keys

Chrome Extensions Leak Data And API Keys

June 6, 2025
Chrome Extensions Leak Data And API Keys

AMOS Stealer Hits macOS Via Fake CAPTCHA

June 6, 2025
Chrome Extensions Leak Data And API Keys

BADBOX Turns 1M+ IoT Devices Into Proxies

June 6, 2025
UNC6040 Vishing Group Target Salesforce Data

UNC6040 Vishing Group Target Salesforce Data

June 5, 2025
New Chaos RAT Variant Hits Windows and Linux

New Chaos RAT Variant Hits Windows and Linux

June 5, 2025
New Chaos RAT Variant Hits Windows and Linux

FBI Warns Hedera NFT Airdrop Crypto Scam

June 5, 2025

Latest Alerts

AMOS Stealer Hits macOS Via Fake CAPTCHA

Chrome Extensions Leak Data And API Keys

BADBOX Turns 1M+ IoT Devices Into Proxies

FBI Warns Hedera NFT Airdrop Crypto Scam

New Chaos RAT Variant Hits Windows and Linux

UNC6040 Vishing Group Target Salesforce Data

Subscribe to our newsletter

    Latest Incidents

    German Dog Rescue IG Hacked For Ransom

    Hack Attempt Hits German Police Phone System

    InfoJobs Spain Hit By Credential Stuffing

    KiranaPro Startup Hacked All Data Wiped

    Nervos Bridge Paused After $3.9 Million Hack

    Ukraine GUR Claims Tupolev Data Theft Hack

    CyberMaterial Logo
    • About Us
    • Contact Us
    • Jobs
    • Legal and Privacy Policy
    • Site Map

    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial