date 2023-07-03

Beware of malicious search advertisements for a file-transfer tool: they can lead to a malware infection rather than a download. Security researchers have warned about fake ads circulated by affiliates of the ransomware operation known as BlackCat, also tracked as ALPHV.

The ads lead users to counterfeit copies of the official WinSCP (Windows Secure Copy) website that are built to distribute malware.

BlackCat targets the people most likely to use WinSCP to move files securely between a local machine and a remote server: system administrators, web administrators and other IT professionals. WinSCP is popular because it is open source and supports SFTP and SCP over SSH, remote file management, WebDAV and Amazon S3 access.

The fraudulent ads appeared on both Google and Bing. Trend Micro, the security firm that detected the campaign, found that a search for "WinSCP Download" showed the malicious ads above the legitimate search results.

The pages behind the ads are tutorials on how to use WinSCP. They carry no malicious payload themselves, but they redirect visitors to a counterfeit copy of the real WinSCP site hosted on a lookalike domain such as winsccp[.]com (the legitimate site is winscp.net), relying on the extra letter going unnoticed.

On the fake site a download button delivers an ISO image instead of an installer. The image contains malware that, once run, connects to the attackers' command-and-control (C&C) server. The real WinSCP project ships installer executables and portable archives, not ISO images, so an ISO "installer" is itself a warning sign.
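The two tells described above, a lookalike of winscp.net and an ISO download from it, can be turned into a simple proxy-log check. The following is an added example, not code from the original article or from Trend Micro; the log format, the sample lines and the assumption that the official site serves only .exe, .msi and .zip installers are constructed for illustration.

```python
"""Flag lookalike WinSCP domains and ISO lures in proxy logs.

Added example (not from the article or Trend Micro).  It scans constructed
proxy log lines for hosts whose second-level label is within a couple of
edits of "winscp" but which are not winscp.net, and for .iso files named
after WinSCP served from anywhere other than the real site.
"""
import re
from typing import Dict, List
from urllib.parse import urlsplit

LEGIT_HOST = "winscp.net"
LEGIT_LABEL = LEGIT_HOST.split(".")[0]  # "winscp"

# Constructed sample log: "<timestamp> <client-ip> <method> <url> <status>"
SAMPLE_LOG = """\
2023-07-03T09:12:01Z 10.0.0.15 GET https://winscp.net/eng/download.php 200
2023-07-03T09:13:44Z 10.0.0.15 GET https://winsccp.com/download/ 200
2023-07-03T09:13:52Z 10.0.0.15 GET https://winsccp.com/files/WinSCP-Setup.iso 200
2023-07-03T09:20:10Z 10.0.0.22 GET https://winscp.net/download/WinSCP-6.1-Setup.exe 200
2023-07-03T09:25:33Z 10.0.0.31 GET https://example.org/index.html 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_legit(host: str) -> bool:
    """The real site or any subdomain of it."""
    return host == LEGIT_HOST or host.endswith("." + LEGIT_HOST)


def is_lookalike(host: str, max_distance: int = 2) -> bool:
    """True for winsccp.com, winscp.com, win-scp.org and similar.

    Compares only the second-level label so that a swapped TLD is still
    caught.  Assumption: a plain rightmost-two-labels split, not the public
    suffix list, so co.uk-style hosts are not handled here.
    """
    if is_legit(host):
        return False
    label = host.split(".")[-2] if "." in host else host
    return levenshtein(label.lower(), LEGIT_LABEL) <= max_distance


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious request, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        url = m["url"]
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        path = parts.path.lower()
        lookalike = is_lookalike(host)
        # A WinSCP-named ISO from anywhere but the real site is a lure on
        # its own, even if the host is not a close typosquat.
        iso_lure = path.endswith(".iso") and "winscp" in path and not is_legit(host)
        if not (lookalike or iso_lure):
            continue
        if iso_lure:
            reason = "ISO download from lookalike WinSCP domain"
        else:
            reason = "lookalike WinSCP domain"
        findings.append({"client": m["client"], "host": host, "url": url, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']} -> {f['host']}: {f['reason']} ({f['url']})")
```

Run against the sample, the check reports two requests from 10.0.0.15: the visit to winsccp.com and the ISO fetched from it. The downloads from winscp.net itself are left alone, which is the point of comparing against the label rather than blocking every host containing "winscp".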

From that foothold the attackers move further into the victim's environment: exfiltrating files, enumerating Active Directory (AD) and harvesting Veeam backup credentials.

The attackers also deploy the "Terminator" tool sold by the threat actor SpyBoy, which is built to disable endpoint protection and antivirus software. BleepingComputer reports that the all-in-one version is advertised on hacking forums for as much as $3,000. The tool needs elevated privileges to run; once the attackers have them, it is used to shut down the security agents on the host.

Beyond the BlackCat activity itself, Trend Micro also found a Clop ransomware file hosted on one of the command-and-control domains used in the campaign.

This suggests a possible link between BlackCat and other ransomware operations. Clop drew wide attention earlier this year for its mass exploitation of the GoAnywhere MFT and MOVEit Transfer file-transfer products, which affected many prominent organizations.