Don't be fooled by fake ads for this file transfer service - they could lead to malware
BlackCat is on the prowl again

A well-known ransomware group is pushing fake ads to lure people into visiting webpages that spoof the official WinSCP (Windows Secure Copy) site, experts have warned.
BlackCat, also known as ALPHV, has loaded the pages with malware installers that infect the victim when they visit. BleepingComputer claims that the group hopes to target "system administrators, web admins, and IT professionals for initial access to valuable corporate networks."
These users would be most interested in using WinSCP, as the client is open source and allows for SSH file transfer with file management capabilities, allowing for secure transfers between local machines and remote servers. It also can also act as an WebDAV and Amazon S3 client.
Promoted ads
The fake ads were spotted on Google and Bing search pages, with Trend Micro, who first spotted the campaign, noting that searches for "WinSCP Download" on these sites leads to the malicious ads being promoted above safe and legitimate results.
The fake websites that the links in these ads lead to have a tutorial on using WinSCP. These sites in themselves are not dangerous, helping them to avoid detection by Google, but they do redirect visitors to a fake version of the WinSCP site with similar domain names, such as winsccp[.]com (the real site is winscp.net).
On these fake sites is a download button, which when clicked, downloads an ISO file containing the malware. This malware sets up a connection with the attacker's command-and-control server, and can lay the ground for further penetration of the target system, such as retrieving Active Directory (AD) information, extracting files and obtaining Veeam credentials.
It also uses SpyBoy, a known terminator that can disable endpoint protection and antivirus software. BleepingComputer notes that this can go for as much as $3,000 on hacking forums. It can escalate privileges on a system and then disable them.
In addition to BlackCat, Trend Micro also says it also found a Clop ransomware file in one of the attacker's C2 domains, suggesting that they may be linked to multiple ransomware operations.
Clop caused quite the stir when it managed to successfully attack GoAnywhere and then MoveIT this year, affecting numerous high profile organizations in the process.
- Here is the best firewall protection you can get
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Lewis Maddison is a Staff Writer at TechRadar Pro. His area of expertise is online security and protection, which includes tools and software such as password managers.
His coverage also focuses on the usage habits of technology in both personal and professional settings - particularly its relation to social and cultural issues - and revels in uncovering stories that might not otherwise see the light of day.
He has a BA in Philosophy from the University of London, with a year spent studying abroad in the sunny climes of Malta.
Most Popular
By Mike Moore