An in-depth analysis of a new malvertising campaign unveils a sophisticated loader crafted in the Go language, designed to deploy the insidious Rhadamanthys stealer. Injecting itself into a fake PuTTY ad, the adversarial endeavor targets system administrators, posing as the legitimate PuTTY homepage in Google search results. The atypical ad snippet reveals an unassociated domain, arnaudpairoto[.]com, signaling the deceptive nature of the ad.
Furthermore, the URL leads to an attacker-controlled domain, redirecting genuine victims to a convincing fake PuTTY site, diverging only at the download link. This intricate scheme downplays security checks by offering a seemingly legitimate page to screenings and scanners, while redirecting real victims, particularly from the US, to a malicious site resembling putty.org.
The deployment of the malicious payload follows a two-step redirection chain culminating in the download of PuTTy.exe, purportedly a Go language dropper version 1.21.0 subtly named “Dropper 1.3”. This intricate process involves the astrosphere[.]world server which executes checks for proxies and logs victims’ IP addresses, subsequently vetting these addresses before allowing the download of a secondary payload.
The execution of PuTTy.exe initiates an IP check which is speculated to filter users who accessed the malicious ad and downloaded the malware from the counterfeit site. Upon the identification of a match, a follow-up payload retrieval is triggered from another server (192.121.16[.]228:22) utilizing SSHv2 protocol via OpenSSH on an Ubuntu server to insidiously initiate the download of Rhadamanthys.
The synergy of malvertising and this loader signifies a profound threat to systems, pointing to potential alignment with threat actors controlling the malvertising infrastructure. Efforts to combat this threat have been reported to Google, with Malwarebytes and ThreatDown providing protection by detecting the fake PuTTY installer as Trojan.Script.GO. Users equipped with DNS Filtering through ThreatDown can effectively enable ad blocking within their consoles to thwart attacks stemming from malicious ads, underscoring the critical need for proactive defense against such insidious tactics.
