Pulse: Ongoing Malvertising Campaign leads to Ransomware
TLP: WHITE | Author: AlienVault | Created: 2024-05-15 | Modified: 2024-06-14 | Indicators: 70 | Tag: HIGH VOLUME
Rapid7 detected an ongoing malware distribution campaign involving trojanized installers of WinSCP and PuTTY, delivered via malicious search engine ads. The infection chain employs DLL side-loading, credential access, and deploys Sliver beacons followed by Cobalt Strike. In one case, the threat actor attempted data exfiltration and ransomware deployment after gaining elevated access. The analysis provides indicators, MITRE ATT&CK mappings, and detection guidance.
Indicators of Compromise (3 / 70 total)
Indicator types in this pulse: FileHash-MD5, FileHash-SHA1, FileHash-SHA256, domain, hostname
TYPE          INDICATOR                         DESCRIPTION                                                               CREATED
FileHash-MD5  04edd2fbe87547e905f789b069a7090a  MD5 of 725aa783a0cd17df603fbe6b11b5a41c9fbfd6fc9e4f2e468c328999e5716faa  2024-05-15
FileHash-MD5  cc583f071197ddd6fa88f2c2d993776c  MD5 of c9042a7ed34847fee538c213300374c70c76436ee506273b35282c86a11d9e6a  2024-05-15
FileHash-MD5  f53fa44c7b591a2be105344790543369  MD5 of bfc2ef3b404294fe2fa05a8b71c7f786b58519175b7202a69fe30f45e607ff1c  2024-05-15

The DESCRIPTION column pairs each MD5 indicator with the SHA-256 of the same sample, so either digest identifies the file; the remaining 67 indicators (SHA-1 hashes, domains and hostnames) are not shown on this page.
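A practical way to use the rows above is a local sweep: parse the pulse's FileHash-MD5 rows, index both the MD5 and the paired SHA-256, hash every file under a directory once, and report any match. The script below is an added example written for this page; it is not AlienVault, OTX or Rapid7 code and does not call the OTX API. The three digests are copied from the table above; the directory path and the benign sample file used in the usage line are constructed for illustration.

```python
import hashlib
import os
import re
from pathlib import Path

# The three FileHash-MD5 rows shown on the pulse page (3 of 70 indicators).
# Each row reads: TYPE INDICATOR "MD5 of <sha256>" CREATED, where <sha256>
# is the SHA-256 of the same sample whose MD5 is the indicator.
PULSE_ROWS = """\
FileHash-MD5 04edd2fbe87547e905f789b069a7090a MD5 of 725aa783a0cd17df603fbe6b11b5a41c9fbfd6fc9e4f2e468c328999e5716faa 2024-05-15
FileHash-MD5 cc583f071197ddd6fa88f2c2d993776c MD5 of c9042a7ed34847fee538c213300374c70c76436ee506273b35282c86a11d9e6a 2024-05-15
FileHash-MD5 f53fa44c7b591a2be105344790543369 MD5 of bfc2ef3b404294fe2fa05a8b71c7f786b58519175b7202a69fe30f45e607ff1c 2024-05-15
"""

ROW_RE = re.compile(
    r"^FileHash-MD5\s+([0-9a-f]{32})\s+MD5 of\s+([0-9a-f]{64})\s+(\d{4}-\d{2}-\d{2})\s*$"
)


def parse_pulse_rows(text):
    """Parse FileHash-MD5 rows into dicts with md5, sha256 and created date.

    Lines that do not match the row shape (table headers, filter residue)
    are skipped rather than guessed at, so a copy-pasted table still parses.
    """
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            md5, sha256, created = m.groups()
            entries.append({"md5": md5, "sha256": sha256, "created": created})
    return entries


def build_index(entries):
    """Map every known digest, under both algorithms, to its pulse entry."""
    index = {}
    for e in entries:
        index[("md5", e["md5"])] = e
        index[("sha256", e["sha256"])] = e
    return index


def hash_file(path, chunk_size=1 << 20):
    """Compute MD5 and SHA-256 in one pass so each file is read only once."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def sweep(root, index):
    """Walk `root` and return a list of hits against the indicator index.

    Each hit records which algorithm(s) matched. An MD5-only hit whose
    SHA-256 does not also match is still reported: it means the file is not
    the exact sample the pulse author hashed and deserves a manual look.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                md5, sha256 = hash_file(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            matched = [alg for alg, digest in (("md5", md5), ("sha256", sha256))
                       if (alg, digest) in index]
            if matched:
                hits.append({"path": str(path), "md5": md5,
                             "sha256": sha256, "matched": matched})
    return hits


if __name__ == "__main__":
    import sys
    # Usage: python sweep.py <directory>   (directory name is your choice)
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for hit in sweep(target, build_index(parse_pulse_rows(PULSE_ROWS))):
        print(hit)
```

Indexing both digests matters because the pulse's other file-hash rows (SHA-1 and SHA-256, not shown here) and third-party reports may only give one algorithm; hashing once per file and looking up both keeps the sweep cheap on large trees. Hash matching only catches byte-identical droppers, so pair it with the behavioural detections (DLL side-loading from the installer's directory, Sliver and Cobalt Strike beacon traffic) that the summary refers to.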