Pulse: BlackCat Operators Distributing Ransomware Disguised as WinSCP via Malvertising
TLP: WHITE | Author: dekaRituraj | Created: 2023-07-03 | Modified: 2023-08-02
Indicators of compromise: 7 (low volume)
Threat actors associated with the BlackCat ransomware have been observed employing malvertising tricks to distribute rogue installers of the WinSCP file transfer application. "Malicious actors used malvertising to distribute a piece of malware via cloned webpages of legitimate organizations," Trend Micro researchers said in an analysis published last week. "In this case, the distribution involved a webpage of the well-known application WinSCP, an open-source Windows application for file transfer."
MITRE ATT&CK & Malware Families
ATT&CK techniques: (none listed)
Malware families: DLL, RCDATA, Cobalt Strike
Indicators of Compromise (7)

TYPE      INDICATOR                              CREATED
URL       https://events.drdivyaclinic.com       2023-07-03
URL       https://167.88.164.40/python/pp2       2023-07-03
URL       https://172.86.123.127:8443/work2z     2023-07-03
URL       https://172.86.123.226:8443/work3z     2023-07-03
URL       https://193.42.32.58:8443/work2z       2023-07-03
domain    winsccp.com                            2023-07-03
hostname  events.drdivyaclinic.com               2023-07-03

(No description was recorded for any indicator.)