Be careful where you click in Google search results - it could be damaging malware

News
By published

Hackers are back to SEO poisoning and software spoofing

Global Warning. Alert Sign On World Map
(Image credit: Shutterstock)
  • Arctic Wolf spotted SEO-optimized fake download pages
  • The sites spoofed PuTTY and WinSCP
  • Experts warn IT teams to be careful when downloading software

Experts have uncovered a malicious campaign using SEO-optimized fake landing pages to deploy a malware loader called Oyster.

Cybersecurity researchers Arctic Wolf found threat actors have created numerous landing pages that impersonate PuTTY and WinSCP, two popular Windows tools used to connect securely to remote servers.

These pages are seemingly identical to their legitimate counterparts, and when people search on Google for these tools (mostly IT, cybersecurity, and web development professionals), they could be tricked into opening the wrong website. Since nothing on the sites would raise their suspicion, they might download the tool - which would work as intended, but it would also deliver Oyster, a known malware loader that is also sometimes called Broomstick, or CleanUpLoader.

Get 55% off Incogni's Data Removal service with code TECHRADAR

Get 55% off Incogni's Data Removal service with code TECHRADAR

Wipe your personal data off the internet with the Incogni data removal service. Stop identity thieves
and protect your privacy from unwanted spam and scam calls.

View Deal

Other software abused, too

"Upon execution, a backdoor known as Oyster/Broomstick is installed," Arctic Wolf explained. "Persistence is established by creating a scheduled task that runs every three minutes, executing a malicious DLL (twain_96.dll) via rundll32.exe using the DllRegisterServer export, indicating the use of DLL registration as part of the persistence mechanism."

Oyster is a stealthy malware loader used to deliver additional malicious payloads onto infected Windows systems, often as part of multi-stage attacks. It uses techniques like process injection, string obfuscation, and command-and-control via HTTPS to evade detection and maintain persistence.

These are some of the fake websites used in the attacks:

updaterputty[.]com
zephyrhype[.]com
putty[.]run
putty[.]bet, and
puttyy[.]org

While Arctic Wolf only mentioned PuTTY and WinSCP, it stressed that other tools may have been abused in the same manner, too. “While only Trojanized versions of PuTTY and WinSCP have been observed in this campaign, it is possible that additional tools may also be involved,” they said.

Out of an abundance of caution, IT pros are advised to only download software from trusted sources, and to type in addresses themselves, rather than just googling them and clicking on the top result.

Via The Hacker News

You might also like

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.