Don't be fooled by fake ads for this file transfer service - they could lead to malware

(Image credit: Elchinator from Pixabay )

A well-known ransomware group is pushing fake ads to lure people into visiting webpages that spoof the official WinSCP (Windows Secure Copy) site, experts have warned.

BlackCat, also known as ALPHV, has loaded the pages with malware installers that infect the victim when they visit. BleepingComputer claims that the group hopes to target "system administrators, web admins, and IT professionals for initial access to valuable corporate networks."

These users would be most interested in using WinSCP, as the client is open source and allows for SSH file transfer with file management capabilities, allowing for secure transfers between local machines and remote servers. It also can also act as an WebDAV and Amazon S3 client.

Promoted ads

The fake ads were spotted on Google and Bing search pages, with Trend Micro, who first spotted the campaign, noting that searches for "WinSCP Download" on these sites leads to the malicious ads being promoted above safe and legitimate results.

> BlackCat ransomware found using malicious Windows kernels

> The BlackCat ransomware gang is now threatening to leak stolen Reddit data

> Second ransomware group reported exploiting GoAnywhere security flaw

The fake websites that the links in these ads lead to have a tutorial on using WinSCP. These sites in themselves are not dangerous, helping them to avoid detection by Google, but they do redirect visitors to a fake version of the WinSCP site with similar domain names, such as winsccp[.]com (the real site is winscp.net).

On these fake sites is a download button, which when clicked, downloads an ISO file containing the malware. This malware sets up a connection with the attacker's command-and-control server, and can lay the ground for further penetration of the target system, such as retrieving Active Directory (AD) information, extracting files and obtaining Veeam credentials.

It also uses SpyBoy, a known terminator that can disable endpoint protection and antivirus software. BleepingComputer notes that this can go for as much as $3,000 on hacking forums. It can escalate privileges on a system and then disable them.

In addition to BlackCat, Trend Micro also says it also found a Clop ransomware file in one of the attacker's C2 domains, suggesting that they may be linked to multiple ransomware operations.

Clop caused quite the stir when it managed to successfully attack GoAnywhere and then MoveIT this year, affecting numerous high profile organizations in the process.

Here is the best firewall protection you can get

Lewis Maddison is a Staff Writer at TechRadar Pro. His area of expertise is online security and protection, which includes tools and software such as password managers.

His coverage also focuses on the usage habits of technology in both personal and professional settings - particularly its relation to social and cultural issues - and revels in uncovering stories that might not otherwise see the light of day.

He has a BA in Philosophy from the University of London, with a year spent studying abroad in the sunny climes of Malta.

Latest

Quordle today - hints and answers for Monday, December 11 (game #686)

See more latest ►

Promoted ads

Are you a pro? Subscribe to our newsletter

Most Popular