In March 2024, bad actors launched a campaign distributing trojanized installers for WinSCP and PuTTY. This was following a situation in which clicking malicious ads, post searching for said software, brought about downloads containing a renamed pythonw.exe, loading a malicious DLL.
Said DLL side-loads a valid DLL and injects a Sliver beacon through a reflective DLL injection technique. Through this, attackers establish persistence, download additional payloads, try to steal data, and deploy ransomware, showing tactics akin to BlackCat/ALPHV’s past actions.
An ad for PuTTY download took users to a typo-squatted domain (putty.org), hosting a malicious download link. Clicking this link triggered a chain of redirects, finally downloading a malware-laden ZIP archive masquerading as a PuTTY installer (putty-0.80-installer.zip) from a compromised WordPress domain (areauni.com).
In addition, attackers hosted a PuTTY help article page on the domain (putty.org), aiming to deflect suspicion. The attacker distributes a malicious archive dubbed “putty-0.80-installer.zip” containing a renamed copy of pythonw.exe (setup.exe).
Upon execution, setup.exe side-loads a malicious DLL (python311.dll), which in turn loads a valid DLL (python3.dll) to proxy its malicious functionality. This masks the malware’s activity, enhances its stability, and employs techniques from AntiHook and KrakenMask libraries for further evasion.
