As DDoS attackers become more sophisticated and the attack surface grows exponentially, businesses must expand beyond an ideology of prevention to include a focus on early detection and response.
The post Adaptive DDoS Defense’s Value in the Security Ecosystem appeared first on Security Boulevard.
Apache Tomcat compromised to spread malware by Andariel APT. (Credit: Ahnlab)[/caption]
In “Living off the Land attacks,” adversaries use USB devices to infiltrate industrial control systems. Cyberthreats from silent residency attacks put critical infrastructure facilities at risk.
The post A Major Industrial Cybersecurity Threat: Living off the Land Attacks appeared first on Security Boulevard.
Daft name, serious risk: Kit from ActionTec and Sagemcom remotely ruined and required replacement.
The post ‘Pumpkin Eclipse’ — 600,000+ Rural ISP Routers Bricked Beyond Repair appeared first on Security Boulevard.
The group behind the RedTail malware is exploiting a new vulnerability in Palo Alto Network's PAN-OS software to run a sophisticated cryptomining campaign that is likely backed by North Korea.
The post RedTail Malware Abuses Palo Alto Flaw in Latest Cryptomining Campaign appeared first on Security Boulevard.
The funding cutbacks announced in February have continued to hobble NIST’s ability to keep the government’s National Vulnerabilities Database (NVD) up to date, with one cybersecurity company finding that more than 93% of the flaws added have not been analyzed or enhanced, a problem that will make organizations less safe. “With the recent slowdown of..
The post NIST Struggles with NVD Backlog as 93% of Flaws Remain Unanalyzed appeared first on Security Boulevard.
People who fall for the scheme are told to pay the shipping fee before the piano is sent. If they do, that's the last they hear from the bad actors.
The post Scammers Build Fraud Campaigns Around Free Piano Offers appeared first on Security Boulevard.
Source: securityboulevard.com – Author: NSFOCUS With the increasing complexity and frequency of cybersecurity threats, organizations face many network threats. The importance of threat intelligence has become increasingly prominent. During this year’s RSA Conference, Sierra Stanczyk, the Senior Manager of Global Threat intelligence at PwC, and Allison Wikoff, the Director of Global Threat Intelligence for the […]
La entrada Contextual Intelligence is the Key – Source: securityboulevard.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.
Scammers impersonating Microsoft, Publishers Clearing House, Amazon and Apple are at the top of the FTC’s “who’s who” list. Based on consumer reports and complaints to the agency, hundreds of millions of dollars were stolen by bad actors pretending to be brands.
The post ‘Microsoft’ Scammers Steal the Most, the FTC Says appeared first on Security Boulevard.
As threats increase in sophistication—in many cases powered by GenAI itself—GenAI will play a growing role in combatting them.
The post The Rise of Generative AI is Transforming Threat Intelligence – Five Trends to Watch appeared first on Security Boulevard.
Cyber attack tactics are evolving, according to a new report, from advanced campaigns to exploiting weaknesses, and cybersecurity teams should be optimally employed.
The post HP Report Surfaces Shifts in Cyber Attack Tactics appeared first on Security Boulevard.
Anatsa Banking Trojan Attack Chain (Source: Zscaler)[/caption]
The Anatsa banking trojan is increasing in prevalence and infiltrates the Google Play store disguised as benign applications. Using advanced techniques such as overlay and accessibility, it stealthily exfiltrates sensitive banking credentials and financial data. By injecting malicious payloads and employing deceptive login pages, Anatsa poses a significant threat to mobile banking security.
Source: securityboulevard.com – Author: Wajahat Raja Recent reports claim that the Microsoft Threat Intelligence team stated that a cybercriminal group, identified as Storm-1811, has been exploiting Microsoft’s Quick Assist tool in a series of social engineering attacks. This group is known for deploying the Black Basta ransomware attack. On May 15, 2024, Microsoft released details […]
La entrada Black Basta Ransomware Attack: Microsoft Quick Assist Flaw – Source: securityboulevard.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.
Recent reports claim that the Microsoft Threat Intelligence team stated that a cybercriminal group, identified as Storm-1811, has been exploiting Microsoft’s Quick Assist tool in a series of social engineering attacks. This group is known for deploying the Black Basta ransomware attack. On May 15, 2024, Microsoft released details about how this financially motivated group […]
The post Black Basta Ransomware Attack: Microsoft Quick Assist Flaw appeared first on TuxCare.
The post Black Basta Ransomware Attack: Microsoft Quick Assist Flaw appeared first on Security Boulevard.
In recent cybersecurity news, Google has swiftly addressed a critical security concern by releasing an emergency update for its Chrome browser. This update targets the third zero-day vulnerability detected in less than a week. Let’s have a look at the details of this Google Chrome zero-day patch and understand its implications for user safety. […]
The post Alert: Google Chrome Zero-Day Patch Fixes Critical Flaw appeared first on TuxCare.
The post Alert: Google Chrome Zero-Day Patch Fixes Critical Flaw appeared first on Security Boulevard.
Threat actors compromised a popular audio-visual software package used in courtrooms, prisons, government, and lecture rooms around the world by injecting a loader malware that gives the hackers remote access to infected systems, collecting data about the host computer and downloading more malicious payloads along the way. The software supply chain attack targeted Justice AV..
The post Courtroom Recording Software Compromised in Supply Chain Attack appeared first on Security Boulevard.
Inglorious Basta(rds): 16 days on, huge hospital system continues to be paralyzed by ransomware—and patient safety is at risk.
The post Black Basta Ascension Attack Redux — can Patients Die of Ransomware? appeared first on Security Boulevard.
Attackers are getting more sophisticated, better armed, and faster. Nothing in Rapid7's 2024 Attack Intelligence Report suggests that this will change.
The post Zero-Day Attacks and Supply Chain Compromises Surge, MFA Remains Underutilized: Rapid7 Report appeared first on SecurityWeek.
Delaware startup secures a $25 million Series B funding round from PeakSpan Capital and Oxx. SOCRadar has raised to $30.2 million to date.
The post SOCRadar Raises $25M Series B for Threat Intel Tech appeared first on SecurityWeek.
Deepfake Zoom of Doom: Construction giant Arup Group revealed as victim of January theft—10% of net profit lost.
The post CFO Deepfake Redux — Arup Lost $26M via Video appeared first on Security Boulevard.
SecurityWeek’s Threat Detection and Incident Response (TDIR) Summit takes place on Wednesday, May 22nd as a fully immersive virtual summit.
The post Watch on Demand: Threat Detection and Incident Response (TDIR) Summit appeared first on SecurityWeek.
Country-wise distribution of GitHub Enterprise Servers vulnerable to CVE-2024-4985 (Source: ODIN by Cyble)[/caption]
This maximum severity bug needs urgent patching as a proof-of-concept is now available on GitHub itself. The GitHub user has given a step-by-step guidance on the PoC exploit owing to which widespread exploitation could be expected soon, if not already taking place.
Media Disclaimer: This article is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Web application development and usage are at an all-time high, but businesses aren’t sure which APIs to monitor or how to protect them.
The post Shifting the Security Mindset: From Network to Application Defense appeared first on Security Boulevard.
WTH? DPRK IT WFH: Justice Department says N. Korean hackers are getting remote IT jobs, posing as Americans.
The post North Korea IT Worker Scam Brings Malware and Funds Nukes appeared first on Security Boulevard.
Hackers can find templates for DocuSign and other companies for their phishing campaigns on dark web marketplaces for as little as $10.
The post Hackers Use Fake DocuSign Templates to Scam Organizations appeared first on Security Boulevard.
One in three office workers who use GenAI admit to sharing customer info, employee details and financial data with the platforms. Are you worried yet?
The post Risks of GenAI Rising as Employees Remain Divided About its Use in the Workplace appeared first on Security Boulevard.
In the digital realm, security is paramount, especially when it comes to the applications we use daily. Recently, concerns have surfaced regarding vulnerabilities in popular Android applications available on the Google Play Store. Revelations by the Microsoft Threat Intelligence team have unearthed a WPS Office exploit dubbed the Dirty Stream attack, casting a spotlight on […]
The post Xiaomi and WPS Vulnerabilities: File Overwrite Risks Alert appeared first on TuxCare.
The post Xiaomi and WPS Vulnerabilities: File Overwrite Risks Alert appeared first on Security Boulevard.
The operators behind the Ebury server-side malware botnet have been doing business since at least 2009 and, according to the threat researchers who have been tracking it for the last decade, are stronger and more active than ever. The malware has compromised at least 400,000 Linux servers over the past 15 years, with about 100,000..
The post 15-Year-Old Ebury Botnet Compromised 400,000 Linux Servers appeared first on Security Boulevard.
Phish Ahoy! Hacker took advantage of Dell’s lack of anti-scraping defense.
The post Dell Hell Redux — More Personal Info Stolen by ‘Menelik’ appeared first on Security Boulevard.
New account passwords, often used during onboarding, are vulnerable to sophisticated attacks from malicious actors.
Good idea to check: What’s your company using?
The post Easily Guessed Passwords for New Accounts Include “User”, “Temp”, “Welcome” appeared first on Security Boulevard.
It was probably inevitable. Threat researchers detected bad actors using stolen credentials to target LLMs, with the eventual goal of selling the access to other hackers.
The post Novel LLMjacking Attacks Target Cloud-Based AI Models appeared first on Security Boulevard.
Будет! Russian ransomware rascals riled a Roman Catholic healthcare organization.
The post FBI/CISA Warning: ‘Black Basta’ Ransomware Gang vs. Ascension Health appeared first on Security Boulevard.
Bad actors are always ready to exploit political strife to their own ends. Right now, they’re doing so with the conflict in the Middle East. A holistic defense against influence networks requires collaboration between government, technology companies and security research organizations.
The post Emerald Divide Uses GenAI to Exploit Social, Political Divisions in Israel Using Disinformation appeared first on Security Boulevard.
DUDE! You’re Getting Phished.
Dell customer data from the past six (or more?) years was stolen. It looks like someone sold scads of personal information to the highest bidder.
The post Dell Hell: 49 Million Customers’ Information Leaked appeared first on Security Boulevard.
Recently, a wave of malware attacks has surfaced, exploiting vulnerabilities in the update mechanism of the eScan antivirus software. This eScan antivirus backdoor exploit distributes backdoors and cryptocurrency miners, such as XMRig, posing a significant threat to large corporate networks. In this blog, we’ll look into the details of this eScan antivirus backdoor exploit and […]
The post Backdoors and Miners Amid eScan Antivirus Backdoor Exploit appeared first on TuxCare.
The post Backdoors and Miners Amid eScan Antivirus Backdoor Exploit appeared first on Security Boulevard.
A GAO review of NASA projects found that, while some cybersecurity challenges have been addressed, many security policies and standards remain optional.
The post NASA Must Improve Spacecraft Cybersecurity, GAO Report Finds appeared first on Security Boulevard.
“I want to assure our entire community, from security researchers and industry partners to individual users, that VirusTotal's core mission remains unchanged. We remain deeply dedicated to collective intelligence and collaboration, fostering a platform where everyone can come together to share knowledge, access valuable threat information, and contribute to the fight against cyber threats,” Quintero said.“VirusTotal remains committed to a level playing field, ensuring all partners, including Google Threat Intelligence, have equal access to the crowdsourced data VirusTotal collects. We also want to assure you that the core features and functionalities of VirusTotal will remain free and accessible to everyone, as always,” he added, clearing the air around VirusTotal’s future. “The strength of VirusTotal lies in its network of contributors and the vast amount of data they provide. This data serves as a valuable resource for the entire security industry, empowering our partners and others to enhance their products and contribute to a more secure digital world. This collaborative approach, based on transparency and equal access, strengthens the industry as a whole, ultimately leading to better protection for everyone.”
The new Google Threat Intelligence cloud service draws from Mandiant, VirusTotal, and its own insights and combines them with generative AI.
The post Google Continues Mixing Generative AI into Cybersecurity appeared first on Security Boulevard.
AI is rapidly increasing the pace of API creation within organizations, leading to API security becoming as significant as traditional application security.
Here’s what you can learn from the top five API breaches of the last quarter.
The post API Vulnerabilities Found Across AI Infrastructure Projects at NVIDIA, Mercedes appeared first on Security Boulevard.
It takes 4.76 days between public disclosure of a vulnerability and its first exploitations to appear.
The post Fortinet Report Sees Faster Exploitations of New Vulnerabilities appeared first on Security Boulevard.
The wireless communications provider announced the new company at RSA, promising that Level Blue will include managed security services and consulting services.
The post AT&T Spins Out Its Cybersecurity Business to Create LevelBlue appeared first on Security Boulevard.
War of the words: Fancy Bear actions are “intolerable and unacceptable,” complains German foreign minister Annalena Baerbock.
The post Germany Warns Russia: Hacking Will Have Consequences appeared first on Security Boulevard.
The centralized system helps organizations identify, track, and reduce risks, addressing the challenges of incomplete risk visibility and manual processes.
The post Critical Risk Launches Critical Start Cyber Risk Register appeared first on Security Boulevard.
A report found more than 40 million exposures are impacting 11.5 million critical business entities, with more than half related to cloud platforms.
The post Identity, Credential Misconfigurations Open Worrying Security Gaps appeared first on Security Boulevard.
In the past couple of weeks, we have observed an ongoing campaign targeting system administrators with fraudulent ads for popular system utilities. The malicious ads are displayed as sponsored results on Google’s search engine page and localized to North America.
Victims are tricked into downloading and running the Nitrogen malware masquerading as a PuTTY or FileZilla installer. Nitrogen is used by threat actors to gain initial access to private networks, followed by data theft and the deployment of ransomware such as BlackCat/ALPHV.
We have reported this campaign to Google but no action has been taken yet. This blog post aims to share the tactics, techniques and procedures (TTPs) as well as indicators of compromise (IOCs) so defenders can take action.
The initial intrusion starts from a malicious ad displayed via Google search. We have observed several different advertiser accounts which were all reported to Google. The lures are utilities commonly used by IT admins such as PuTTY and FileZilla.
Online ads from search engine result pages are increasingly being used to deliver malware to corporate users. ThreatDown users that have DNS Filtering can enable ad blocking in their console to prevent such malvertising attacks:
The malvertising infrastructure deployed by Nitrogen threat actors uses a cloaking page that can either redirect to a decoy site or the infamous Rick Astley video. The redirect to a decoy page can be activated if the campaign is not weaponized yet or if the malicious server detects invalid traffic (bot, crawler, etc.).
The Rick Astley redirect is mostly to mock security researchers investigating this campaign:
Actual lookalike pages are meant for potential victims. They are often good-looking copycats which could easily fool just about anyone:
ThreatDown blocks these malicious websites to prevent your users from being social-engineered into downloading malware:
The final step in this malvertising chain consists of downloading and running the malware payload. Nitrogen uses a technique known as DLL sideloading whereby a legitimate and signed executable launches a DLL. In this case, setup.exe (from the Python Software Foundation) sideloads python311.dll (Nitrogen).
ThreatDown via its EDR engine quarantines the malicious DLL immediately. System administrators can log into their console and use the AI-assisted engine to quickly search and review the detection:
While there are many phishing training simulations for email threats, we aren’t aware of similar trainings for malvertising. Yet, the threat has become prevalent enough to warrant better user education.
Endpoints can be protected from malicious ads via group policies that restrict traffic coming from the main and lesser known ad networks. Click here for more information about DNS filtering via our Nebula platform.
Endpoint Detection and Response (EDR) is a cornerstone in your security posture, complemented by Managed Detection and Response (MDR) where analysts can quickly alert you of an impending intrusion.
Cloaking domains:
kunalicon[.]com
inzerille[.]com
recovernj[.]com
Lookalike sites:
file-zilla-projectt[.]org
puuty[.]org
pputy[.]com
puttyy[.]ca
Nitrogen payloads (URLs):
amplex-amplification[.]com/wp-includes/FileZilla_3.66.1_win64.zip
newarticles23[.]com/wp-includes/putty-64bit-0.80-installer.zip
support[.]hosting-hero[.]com/wp-includes/putty-64bit-0.80-installer.zip
mkt.geostrategy-ec[.]com/installer.zip
Nitrogen payloads (SHA256):
ecde4ca1588223d08b4fc314d6cf4bce82989f6f6a079e3eefe8533222da6281 2037ec95c91731f387d3c0c908db95184c93c3b8412b6b3ca3219f9f8ff60945 033a286218baca97da19810446f9ebbaf33be6549a5c260889d359e2062778cf
Nitrogen C2s:
94.156.65[.]98
94.156.65[.]115
Most of the malicious search ads we have seen have originated from Google, but threat actors are also abusing other search engines. Microsoft Bing is probably the second best target due to its close ties to the Windows ecosystem and Edge browser.
In this blog post, we look at a very recent malvertising campaign impersonating the popular VPN software NordVPN. A malicious advertiser is capturing traffic from Bing searches and redirecting users to a decoy site that looks almost identical to the real one.
The threat actors went ever further by trying to digitally sign a malicious installer as if they were the official vendor. Victims will have the impression they are getting NordVPN as it is part of the package, but will also inadvertently install a Remote Access Trojan known as SecTopRAT on their computer.
We have reported the malicious Bing ad to Microsoft, and other parts of the distribution infrastructure to their respective provider. We want to reiterate that NordVPN is a legitimate VPN provider and they are being impersonated by threat actors.
When searching for “nord vpn” via the Bing search engine, we identified a malicious ad that impersonates NordVPN. The ad itself looks suspicious because of the URL in the ad snippet. The domain name nordivpn[.]xyz was created one day ago (April 3, 2024). It was probably chosen as it looks quite similar to the official name and can deceive users who aren’t looking too closely.
As we often see, the ad URL is simply used as a redirection mechanism to a fake website that is meant to look identical to the one being impersonated. This is true here as well, where we have a redirect to besthord-vpn[.]com (note again the spelling chosen with the ‘h‘ looking like an ‘n‘) which was created today, only a few hours ago.
The website looks incredibly convincing, and victims will be tricked into downloading the app from there. Unlike the legitimate NordVPN that goes through a sign up process, here you can directly download the installer from Dropbox.
Here’s a summary of the traffic flow from the malicious ad to the download link:
The downloaded file is called NordVPNSetup.exe and is digitally signed, as if it was from its official vendor; however, the signature is not valid.
The file contains both an installer for NordVPN and a malware payload. The installer for NordVPN is meant to give victims the illusion that they are actually installing a real file.
The payload is injected into MSBuild.exe and will connect to the malware author’s command and control server at 45.141.87[.]216 on port 15647.
That network traffic is detected by Emerging Threats as Arechclient2 Backdoor, an alias for SecTopRAT.
Malvertising continues to show how easy it is to surreptitiously install malware under the guise of popular software downloads. Threat actors are able to roll out infrastructure quickly and easily to bypass many content filters.
ThreatDown customers who have DNS Filtering can proactively block online ads by enabling the rule for advertisements. This is a simple, and yet powerful way to prevent malvertising across an entire organization or in specific areas.
The malicious ad and related indictors have been reported as we work with industry partners to take down this campaign. Dropbox has already taken action to take down the malicious download.
Malicious domains
nordivpn[.]xyz
besthord-vpn[.]com
Fake NordVPN installer
e9131d9413f1596b47e86e88dc5b4e4cc70a0a4ec2d39aa8f5a1a5698055adfc
SecTopRAT C2
45.141.87[.]216
Educational institutions may face a range of cyberthreats in 2024, but our 2024 State of Malware in Education report identifies the six most critical ones.
Ransomware, for example, stands out as a key threat for schools and universities. The report covers how last year, we witnessed a 92% increase in ransomware attacks in K-12 schools and a 70% increase in Higher Education. The trend appears set to continue, partly due to specialized ransomware groups like Rhysida (formerly Vice Society) targeting educational sectors.
Another major threat our 2024 State of Malware in Education covers is the reduction of conventional malware in favor of Living off The Land (LOTL) attacks. LOTL attacks exploit legitimate system tools to remain undetected while conducting harmful activities.
Our report suggests that educational institutions must employ expert staff to manually identify LOTL activities, which traditional malware detection tools miss. For example, we recently wrote how one K-12 district used MDR to uncover malicious PowerShell activity and stop an ongoing infection.
Some other trends and threats educational institutions can expect in the report to cover include:
As we progress into 2024, the reality is that educational institutions’ success in pairing state of the art security software with skilled security staff will be a deciding factor in their ability to take down the most serious cyberthreats.
To understand the complete list of threats facing educational institutions in 2024 and how to tackle them, get the full 2024 State of Malware in Education report—tailored to either K-12 or Higher Ed—below.
In early 2024, a large K-12 school district partnered with ThreatDown MDR to strengthen its cybersecurity posture. Shortly after onboarding, ThreatDown MDR analysts detected unusual patterns of activity subsequently identified as the work of SolarMarker, a sophisticated backdoor. It became evident that SolarMarker had been present in the district’s system since at least 2021, likely exfiltrating data over several years.
Let’s dive further into the investigation’s findings and the steps taken to mitigate the threat.
The incident began with the detection of an anomalous instance of PowerShell attempting to establish an outbound network connection to a suspicious IP address (188.241.83.61). This connection attempt was thwarted by Malwarebytes Web Protection (MWAC), signaling the first indication of a potential security breach.
Upon investigation, it was discovered that Endpoint Detection and Response (EDR) settings were disabled in the client’s endpoint policy. This limitation prevented the use of Fast Response Scanning (FRS) to capture and analyze detailed endpoint data, necessitating a manual approach to the investigation utilizing Active Response Scanning (ARS).
The first step involved querying active network connections with netstat, which revealed an instance of PowerShell in operation. To further understand the nature of this PowerShell instance, its command line was examined using Windows Management Instrumentation Command-line (WMIC) with the process ID (PID), which unveiled obfuscated code.
The obfuscated PowerShell code was extracted and refactored for clarity. The analysis revealed the following components of the malware’s operation:
Loginpowershell
$decodeKey = '<Base64_encoded_string>'
$encodedFilePath = 'C:\Users\akeith\AppData\Roaming\micROSoft\wbpgVnSBjsytaokm\JqdVQplHfgwxyNmtaPX.gvzPlATqFe'
$decodedPayload = [System.IO.File]::ReadAllBytes($encodedFilePath)
for ($payloadIndex = 0; $payloadIndex -lt $decodedPayload.Count; $payloadIndex++) {
$decodedPayload[$payloadIndex] = $decodedPayload[$payloadIndex] -bxor $decodeKey[$payloadIndex % $decodeKey.Length]
if ($payloadIndex -ge $decodeKey.Length) {
$payloadIndex = $decodeKey.Length
}
}
[System.Reflection.Assembly]::Load($decodedPayload)
[ab821408b424418fa94bb4d815b4e.ad0682a943e4859ef35309cc0a537]::a1f5abfa214411baa77e25f6ceaa6()
This code reveals the malware’s methodology:
The command line shows signs of the malicious script execution, with parameters indicative of a desire to hide the window (-WindowStyle Hidden), bypass execution policies (-Ep ByPass), and run encoded commands (-ComMand “sa43…).
Further investigation uncovered randomly named folders within the AppData\Roaming\Microsoft directory, each containing encoded payloads. These discoveries suggested a more widespread infection than initially anticipated.
The response involved several steps to contain and eliminate the threat:
A comprehensive threat scan was executed, and the incident was escalated for visibility with the client. Post-reboot checks confirmed the absence of persistence, no spawn of new PowerShell instances, and blocking of suspicious network connections, indicating successful remediation of the infection.
As we’ve seen in our 2024 State of Ransomware in Education report, the educational sector continues to be a prime target for attackers. In this case, attackers used SolarMarker, a sophisticated backdoor, to lurk within the school district’s network for years, likely stealing data in the process. Its presence went undetected until the district onboarded with ThreatDown MDR. Despite facing initial obstacles, such as disabled EDR settings, the ThreatDown MDR team successfully identified and neutralized the SolarMarker infection through manual intervention.
Discover how ThreatDown MDR can safeguard your K-12 institution.
Malware loaders (also known as droppers or downloaders) are a popular commodity in the criminal underground. Their primary function is to successfully compromise a machine and deploy one or multiple additional payloads.
A good loader avoids detection and identifies victims as legitimate (i.e. not sandboxes) before pushing other malware. This part is quite critical as the value of a loader is directly tied to the satisfaction of its “customers”.
In this blog post, we describe a malvertising campaign with a loader that was new to us. The program is written in the Go language and uses an interesting technique to deploy its follow-up payload, the Rhadamanthys stealer.
PuTTY is a very popular SSH and Telnet client for Windows that has been used by IT admins for years. The threat actor bought an ad that claims to be the PuTTY homepage and appeared at the top of the Google search results page, right before the official website.
In this example, the ad looks suspicious simply because the ad snippet shows a domain name (arnaudpairoto[.]com) that is completely unrelated. This is not always the case, and we continue to see many malicious ads that exactly match the impersonated brand.
The ad URL points to the attacker controlled domain where they can easily defeat security checks by showing a “legitimate” page to visitors that are not real victims. For example, a crawler, sandbox or scanner, will see this half finished blog:
Real victims coming from the US will be redirected to a fake site instead that looks and feels exactly like putty.org. One of the big differences though is the download link.
The malicious payload is downloaded via a 2 step redirection chain which is something we don’t always see.
puttyconnect[.]info/1.php
HTTP/1.1 302 Found
Location: astrosphere[.]world/onserver3.php
astrosphere[.]world/onserver3.php
HTTP/1.1 200 OK
Server: nginx/1.24.0
Content-Type: application/octet-stream
Content-Length: 13198274
Connection: keep-alive
Content-Description: File Transfer
Content-Disposition: attachment; filename="PuTTy.exe"
We believe the astrosphere[.]world server is performing some checks for proxies while also logging the victim’s IP address. This IP address will later be checked before downloading the secondary payload.
That PuTTy.exe is malware, a dropper written in the Go language (version 1.21.0).
Its author may have given it the name “Dropper 1.3“:
Upon executing the dropper, there is an IP check for the victim’s public IP address. This is likely done to only continue with users that have gone through the malicious ad and downloaded the malware from the fake site.
zodiacrealm[.]info/api.php?action=check_ip&ip=[IP Address]
If a match is found, the dropper proceeds to retrieve a follow-up payload from another server (192.121.16[.]228:22) as seen in the image below:
To get this data, we see it uses the SSHv2 (Secure Shell 2.0) protocol implemented via OpenSSH on a Ubuntu server. We can only think of using this protocol to make the malware download more covert.
That payload is Rhadamanthys which is executed by the parent process PuTTy.exe:
We have seen different types of loaders via malvertising campaigns, including FakeBat which we profiled recently. Given how closely the loader is tied to the malvertising infrastructure it is quite likely that the same threat actor is controlling both. The service they offer to other criminals is one of malware delivery where they take care of the entire deployment process, from ad to loader to final payload.
We reported this campaign to Google. Malwarebytes and ThreatDown users are protected as we detect the fake PuTTY installer as Trojan.Script.GO.
ThreatDown users that have DNS Filtering can enable ad blocking in their console to prevent attacks that originate from malicious ads.
Decoy ad domain
arnaudpairoto[.]com
Fake site
puttyconnect[.]info
PuTTY
astrosphere[.]world 0caa772186814dbf84856293f102c7538980bcd31b70c1836be236e9fa05c48d
IP check
zodiacrealm[.]info
Rhadamanthys
192.121.16[.]228:22 bea1d58d168b267c27b1028b47bd6ad19e249630abb7c03cfffede8568749203
