Don't be fooled by fake ads for this file transfer service - they could lead to malware

News
By published

BlackCat is on the prowl again

malware
(Image credit: Elchinator from Pixabay)

A well-known ransomware group is pushing fake ads to lure people into visiting webpages that spoof the official WinSCP (Windows Secure Copy) site, experts have warned.

BlackCat, also known as ALPHV, has loaded the pages with malware installers that infect the victim when they visit. BleepingComputer claims that the group hopes to target "system administrators, web admins, and IT professionals for initial access to valuable corporate networks."

These users would be most interested in using WinSCP, as the client is open source and allows for SSH file transfer with file management capabilities, allowing for secure transfers between local machines and remote servers. It also can also act as an WebDAV and Amazon S3 client.

The fake ads were spotted on Google and Bing search pages, with Trend Micro, who first spotted the campaign, noting that searches for "WinSCP Download" on these sites leads to the malicious ads being promoted above safe and legitimate results.

read more

> BlackCat ransomware found using malicious Windows kernels

> The BlackCat ransomware gang is now threatening to leak stolen Reddit data

> Second ransomware group reported exploiting GoAnywhere security flaw

The fake websites that the links in these ads lead to have a tutorial on using WinSCP. These sites in themselves are not dangerous, helping them to avoid detection by Google, but they do redirect visitors to a fake version of the WinSCP site with similar domain names, such as winsccp[.]com (the real site is winscp.net).

On these fake sites is a download button, which when clicked, downloads an ISO file containing the malware. This malware sets up a connection with the attacker's command-and-control server, and can lay the ground for further penetration of the target system, such as retrieving Active Directory (AD) information, extracting files and obtaining Veeam credentials. 

It also uses SpyBoy, a known terminator that can disable endpoint protection and antivirus software. BleepingComputer notes that this can go for as much as $3,000 on hacking forums. It can escalate privileges on a system and then disable them.

In addition to BlackCat, Trend Micro also says it also found a Clop ransomware file in one of the attacker's C2 domains, suggesting that they may be linked to multiple ransomware operations. 

Clop caused quite the stir when it managed to successfully attack GoAnywhere and then MoveIT this year, affecting numerous high profile organizations in the process.

Lewis Maddison
Lewis Maddison
Reviews Writer

Lewis Maddison is a Reviews Writer for TechRadar. He previously worked as a Staff Writer for our business section, TechRadar Pro, where he gained experience with productivity-enhancing hardware, ranging from keyboards to standing desks. His area of expertise lies in computer peripherals and audio hardware, having spent over a decade exploring the murky depths of both PC building and music production. He also revels in picking up on the finest details and niggles that ultimately make a big difference to the user experience.