{
  "type": "URL",
  "indicator": "https://events.drdivyaclinic.com",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://events.drdivyaclinic.com",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 3709683520,
      "indicator": "https://events.drdivyaclinic.com",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 6,
      "pulses": [
        {
          "id": "64a3e9b64725708e5124cd22",
          "name": "Malvertising Used as Entry Vector for BlackCat Actors Also Leverage SpyBoy Terminator",
          "description": "Trend Security provides a comprehensive guide to how to protect your data, devices, and networks in the cloud and multi-cloud world. \u00a31.5bn of research, development and development.",
          "modified": "2023-08-03T09:03:00.586000",
          "created": "2023-07-04T09:43:18.620000",
          "tags": [
            "malware",
            "endpoints",
            "research",
            "web",
            "articles",
            "news",
            "reports",
            "learn",
            "trend micro",
            "winscp",
            "cloud security",
            "email security",
            "alliance",
            "blackcat",
            "download",
            "python",
            "trend vision",
            "cobalt strike",
            "powershell",
            "powerview",
            "hybrid",
            "stop",
            "leverage",
            "protect",
            "small",
            "attack",
            "june",
            "twitter",
            "lazagne",
            "psexec",
            "killav",
            "anydesk",
            "find",
            "indonesia",
            "dll rcdata"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "DLL RCDATA",
              "display_name": "DLL RCDATA",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 5,
            "domain": 1,
            "hostname": 1
          },
          "indicator_count": 7,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "1035 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "64a2b22606458254aa21ea37",
          "name": "Malicious Malvertising: The WinSCP Cloned Webpage Attack",
          "description": "The malicious actors employed malvertising techniques to distribute malware through cloned webpages of legitimate organizations. Specifically, they targeted the webpage of WinSCP, a well-known open-source Windows application for file transfer. By exploiting advertising platforms like Google Ads, these malicious actors abused the functionality to display deceptive ads that enticed unsuspecting users searching for \"WinSCP Download\" on Bing. The malicious ad redirected users to a cloned download webpage of WinSCP, leading them to download an infected ISO file from a compromised WordPress webpage.",
          "modified": "2023-08-02T11:00:08.290000",
          "created": "2023-07-03T11:33:58.052000",
          "tags": [
            "malware",
            "endpoints",
            "research",
            "web",
            "articles",
            "news",
            "reports",
            "learn",
            "trend micro",
            "winscp",
            "cloud security",
            "email security",
            "alliance",
            "blackcat",
            "download",
            "python",
            "trend vision",
            "cobalt strike",
            "powershell",
            "powerview",
            "hybrid",
            "stop",
            "leverage",
            "protect",
            "small",
            "attack",
            "june",
            "twitter",
            "lazagne",
            "psexec",
            "killav",
            "anydesk",
            "find",
            "indonesia",
            "dll rcdata"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "DLL RCDATA",
              "display_name": "DLL RCDATA",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Superpro",
            "id": "61676",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 5,
            "domain": 1,
            "hostname": 1
          },
          "indicator_count": 7,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 213,
          "modified_text": "1036 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "64a2b571bd5482a8fe6c6d06",
          "name": "BlackCat Operators Distributing Ransomware Disguised as WinSCP via Malvertising",
          "description": "Threat actors associated with the BlackCat ransomware have been observed employing malvertising tricks to distribute rogue installers of the WinSCP file transfer application.\n\n\"Malicious actors used malvertising to distribute a piece of malware via cloned webpages of legitimate organizations,\" Trend Micro researchers said in an analysis published last week. \"In this case, the distribution involved a webpage of the well-known application WinSCP, an open-source Windows application for file transfer.\"",
          "modified": "2023-08-02T10:00:55.647000",
          "created": "2023-07-03T11:48:01.709000",
          "tags": [
            "malware",
            "endpoints",
            "research",
            "web",
            "articles",
            "news",
            "reports",
            "learn",
            "trend micro",
            "winscp",
            "cloud security",
            "email security",
            "alliance",
            "blackcat",
            "download",
            "python",
            "trend vision",
            "cobalt strike",
            "powershell",
            "powerview",
            "hybrid",
            "stop",
            "leverage",
            "protect",
            "small",
            "attack",
            "june",
            "twitter",
            "lazagne",
            "psexec",
            "killav",
            "anydesk",
            "find",
            "indonesia",
            "dll rcdata"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html",
            "https://thehackernews.com/2023/07/blackcat-operators-distributing.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "DLL RCDATA",
              "display_name": "DLL RCDATA",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 307,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "dekaRituraj",
            "id": "99856",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 5,
            "domain": 1,
            "hostname": 1
          },
          "indicator_count": 7,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 434,
          "modified_text": "1036 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "64a3ce94c613b75e1c3d976c",
          "name": "BlackCat Operators Distributing Ransomware Disguised as WinSCP via Malvertising",
          "description": "",
          "modified": "2023-08-02T10:00:55.647000",
          "created": "2023-07-04T07:47:32.895000",
          "tags": [
            "malware",
            "endpoints",
            "research",
            "web",
            "articles",
            "news",
            "reports",
            "learn",
            "trend micro",
            "winscp",
            "cloud security",
            "email security",
            "alliance",
            "blackcat",
            "download",
            "python",
            "trend vision",
            "cobalt strike",
            "powershell",
            "powerview",
            "hybrid",
            "stop",
            "leverage",
            "protect",
            "small",
            "attack",
            "june",
            "twitter",
            "lazagne",
            "psexec",
            "killav",
            "anydesk",
            "find",
            "indonesia",
            "dll rcdata"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html",
            "https://thehackernews.com/2023/07/blackcat-operators-distributing.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "DLL RCDATA",
              "display_name": "DLL RCDATA",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "64a2b571bd5482a8fe6c6d06",
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tr2222200",
            "id": "207905",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 5,
            "domain": 1,
            "hostname": 1
          },
          "indicator_count": 7,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 187,
          "modified_text": "1036 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "64a3cefe7ab90999f69f835c",
          "name": "BlackCat Operators Distributing Ransomware Disguised as WinSCP via Malvertising",
          "description": "",
          "modified": "2023-08-02T10:00:55.647000",
          "created": "2023-07-04T07:49:18.498000",
          "tags": [
            "malware",
            "endpoints",
            "research",
            "web",
            "articles",
            "news",
            "reports",
            "learn",
            "trend micro",
            "winscp",
            "cloud security",
            "email security",
            "alliance",
            "blackcat",
            "download",
            "python",
            "trend vision",
            "cobalt strike",
            "powershell",
            "powerview",
            "hybrid",
            "stop",
            "leverage",
            "protect",
            "small",
            "attack",
            "june",
            "twitter",
            "lazagne",
            "psexec",
            "killav",
            "anydesk",
            "find",
            "indonesia",
            "dll rcdata"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html",
            "https://thehackernews.com/2023/07/blackcat-operators-distributing.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "DLL RCDATA",
              "display_name": "DLL RCDATA",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "64a3ce94c613b75e1c3d976c",
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 5,
            "domain": 1,
            "hostname": 1
          },
          "indicator_count": 7,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 278,
          "modified_text": "1036 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "64bf65b8f4a350229b91e306",
          "name": "BlackCAT\u52d2\u7d22\u8f6f\u4ef6\u6b63\u5728\u901a\u8fc7\u865a\u5047\u5e7f\u544a\u8fdb\u884c\u4f20\u64ad",
          "description": "\u6700\u8fd1\uff0c\u8d8b\u52bf\u79d1\u6280\uff08Trend Micro\uff09\u7684\u4e8b\u4ef6\u54cd\u5e94\u56e2\u961f\u901a\u8fc7\u201cTargeted Attack Detection (TAD)\u201d\u670d\u52a1\u53d1\u73b0\u4e86\u4e00\u4e2a\u6709\u9488\u5bf9\u6027\u7684\u7ec4\u7ec7\uff0c\u5176\u906d\u53d7\u9ad8\u5ea6\u53ef\u7591\u7684\u6d3b\u52a8\u3002\u5728\u8c03\u67e5\u4e2d\uff0c\u9ed1\u5ba2\u4f7f\u7528\u865a\u5047\u7f51\u7ad9\u7684\u6076\u610f\u5e7f\u544a\u6765\u901a\u8fc7\u514b\u9686\u5408\u6cd5\u7ec4\u7ec7\u7684\u9875\u9762\u4f20\u64ad\u6076\u610f\u8f6f\u4ef6\u3002\u5728\u8fd9\u4e2a\u6848\u4f8b\u4e2d\uff0c\u4f20\u64ad\u6d89\u53ca\u4e86\u4e00\u4e2a\u8457\u540d\u5e94\u7528\u7a0b\u5e8fWinSCP\u7684\u9875\u9762\uff0c\u8be5\u5e94\u7528\u7a0b\u5e8f\u662f\u7528\u4e8eWindows\u6587\u4ef6\u4f20\u8f93\u7684\u5f00\u6e90\u8f6f\u4ef6\u3002\u50cf\u8c37\u6b4c\u5e7f\u544a\u7b49\u5e7f\u544a\u5e73\u53f0\u4f7f\u4f01\u4e1a\u53ef\u4ee5\u5411\u76ee\u6807\u53d7\u4f17\u5c55\u793a\u5e7f\u544a\uff0c\u4ee5\u589e\u52a0\u6d41\u91cf\u548c\u9500\u552e\u3002\u6076\u610f\u8f6f\u4ef6\u5206\u53d1\u8005\u5229\u7528\u76f8\u540c\u7684\u529f\u80fd\u8fdb\u884c\u6076\u610f\u5e7f\u544a\u4f20\u64ad\uff0c\u8fd9\u79cd\u6280\u672f\u88ab\u79f0\u4e3a\u6076\u610f\u5e7f\u544a\uff08malvertising\uff09\uff0c\u5728\u5176\u4e2d\u9009\u62e9\u7684\u5173\u952e\u5b57\u88ab\u52ab\u6301\u7528\u4e8e\u663e\u793a\u5f15\u8bf1\u4e0d\u77e5\u60c5\u7684\u641c\u7d22\u5f15\u64ce\u7528\u6237\u4e0b\u8f7d\u67d0\u79cd\u7c7b\u578b\u7684\u6076\u610f\u8f6f\u4ef6\u7684\u5e7f\u544a\u3002",
          "modified": "2023-07-25T06:03:36.712000",
          "created": "2023-07-25T06:03:36.712000",
          "tags": [
            "HotSpot"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html",
            "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-leverage-spyboy-terminator-/Malvertising_IOCs.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "BlackCAT",
              "display_name": "BlackCAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 22,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "junchuanyang1",
            "id": "157561",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_157561/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 51,
            "hostname": 1,
            "FileHash-MD5": 16,
            "FileHash-SHA1": 105,
            "FileHash-SHA256": 15,
            "domain": 4
          },
          "indicator_count": 192,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 84,
          "modified_text": "1044 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://thehackernews.com/2023/07/blackcat-operators-distributing.html",
        "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html",
        "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-leverage-spyboy-terminator-/Malvertising_IOCs.txt"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Blackcat",
            "Cobalt strike",
            "Dll rcdata"
          ],
          "industries": [],
          "unique_indicators": 198
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/drdivyaclinic.com",
    "whois": "http://whois.domaintools.com/drdivyaclinic.com",
    "domain": "drdivyaclinic.com",
    "hostname": "events.drdivyaclinic.com"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 6,
  "pulses": [
    {
      "id": "64a3e9b64725708e5124cd22",
      "name": "Malvertising Used as Entry Vector for BlackCat Actors Also Leverage SpyBoy Terminator",
      "description": "Trend Security provides a comprehensive guide to how to protect your data, devices, and networks in the cloud and multi-cloud world. \u00a31.5bn of research, development and development.",
      "modified": "2023-08-03T09:03:00.586000",
      "created": "2023-07-04T09:43:18.620000",
      "tags": [
        "malware",
        "endpoints",
        "research",
        "web",
        "articles",
        "news",
        "reports",
        "learn",
        "trend micro",
        "winscp",
        "cloud security",
        "email security",
        "alliance",
        "blackcat",
        "download",
        "python",
        "trend vision",
        "cobalt strike",
        "powershell",
        "powerview",
        "hybrid",
        "stop",
        "leverage",
        "protect",
        "small",
        "attack",
        "june",
        "twitter",
        "lazagne",
        "psexec",
        "killav",
        "anydesk",
        "find",
        "indonesia",
        "dll rcdata"
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "DLL RCDATA",
          "display_name": "DLL RCDATA",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 5,
        "domain": 1,
        "hostname": 1
      },
      "indicator_count": 7,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 863,
      "modified_text": "1035 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "64a2b22606458254aa21ea37",
      "name": "Malicious Malvertising: The WinSCP Cloned Webpage Attack",
      "description": "The malicious actors employed malvertising techniques to distribute malware through cloned webpages of legitimate organizations. Specifically, they targeted the webpage of WinSCP, a well-known open-source Windows application for file transfer. By exploiting advertising platforms like Google Ads, these malicious actors abused the functionality to display deceptive ads that enticed unsuspecting users searching for \"WinSCP Download\" on Bing. The malicious ad redirected users to a cloned download webpage of WinSCP, leading them to download an infected ISO file from a compromised WordPress webpage.",
      "modified": "2023-08-02T11:00:08.290000",
      "created": "2023-07-03T11:33:58.052000",
      "tags": [
        "malware",
        "endpoints",
        "research",
        "web",
        "articles",
        "news",
        "reports",
        "learn",
        "trend micro",
        "winscp",
        "cloud security",
        "email security",
        "alliance",
        "blackcat",
        "download",
        "python",
        "trend vision",
        "cobalt strike",
        "powershell",
        "powerview",
        "hybrid",
        "stop",
        "leverage",
        "protect",
        "small",
        "attack",
        "june",
        "twitter",
        "lazagne",
        "psexec",
        "killav",
        "anydesk",
        "find",
        "indonesia",
        "dll rcdata"
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "DLL RCDATA",
          "display_name": "DLL RCDATA",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Superpro",
        "id": "61676",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 5,
        "domain": 1,
        "hostname": 1
      },
      "indicator_count": 7,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 213,
      "modified_text": "1036 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "64a2b571bd5482a8fe6c6d06",
      "name": "BlackCat Operators Distributing Ransomware Disguised as WinSCP via Malvertising",
      "description": "Threat actors associated with the BlackCat ransomware have been observed employing malvertising tricks to distribute rogue installers of the WinSCP file transfer application.\n\n\"Malicious actors used malvertising to distribute a piece of malware via cloned webpages of legitimate organizations,\" Trend Micro researchers said in an analysis published last week. \"In this case, the distribution involved a webpage of the well-known application WinSCP, an open-source Windows application for file transfer.\"",
      "modified": "2023-08-02T10:00:55.647000",
      "created": "2023-07-03T11:48:01.709000",
      "tags": [
        "malware",
        "endpoints",
        "research",
        "web",
        "articles",
        "news",
        "reports",
        "learn",
        "trend micro",
        "winscp",
        "cloud security",
        "email security",
        "alliance",
        "blackcat",
        "download",
        "python",
        "trend vision",
        "cobalt strike",
        "powershell",
        "powerview",
        "hybrid",
        "stop",
        "leverage",
        "protect",
        "small",
        "attack",
        "june",
        "twitter",
        "lazagne",
        "psexec",
        "killav",
        "anydesk",
        "find",
        "indonesia",
        "dll rcdata"
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html",
        "https://thehackernews.com/2023/07/blackcat-operators-distributing.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "DLL RCDATA",
          "display_name": "DLL RCDATA",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 307,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "dekaRituraj",
        "id": "99856",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 5,
        "domain": 1,
        "hostname": 1
      },
      "indicator_count": 7,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 434,
      "modified_text": "1036 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "64a3ce94c613b75e1c3d976c",
      "name": "BlackCat Operators Distributing Ransomware Disguised as WinSCP via Malvertising",
      "description": "",
      "modified": "2023-08-02T10:00:55.647000",
      "created": "2023-07-04T07:47:32.895000",
      "tags": [
        "malware",
        "endpoints",
        "research",
        "web",
        "articles",
        "news",
        "reports",
        "learn",
        "trend micro",
        "winscp",
        "cloud security",
        "email security",
        "alliance",
        "blackcat",
        "download",
        "python",
        "trend vision",
        "cobalt strike",
        "powershell",
        "powerview",
        "hybrid",
        "stop",
        "leverage",
        "protect",
        "small",
        "attack",
        "june",
        "twitter",
        "lazagne",
        "psexec",
        "killav",
        "anydesk",
        "find",
        "indonesia",
        "dll rcdata"
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html",
        "https://thehackernews.com/2023/07/blackcat-operators-distributing.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "DLL RCDATA",
          "display_name": "DLL RCDATA",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "64a2b571bd5482a8fe6c6d06",
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "tr2222200",
        "id": "207905",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 5,
        "domain": 1,
        "hostname": 1
      },
      "indicator_count": 7,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 187,
      "modified_text": "1036 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "64a3cefe7ab90999f69f835c",
      "name": "BlackCat Operators Distributing Ransomware Disguised as WinSCP via Malvertising",
      "description": "",
      "modified": "2023-08-02T10:00:55.647000",
      "created": "2023-07-04T07:49:18.498000",
      "tags": [
        "malware",
        "endpoints",
        "research",
        "web",
        "articles",
        "news",
        "reports",
        "learn",
        "trend micro",
        "winscp",
        "cloud security",
        "email security",
        "alliance",
        "blackcat",
        "download",
        "python",
        "trend vision",
        "cobalt strike",
        "powershell",
        "powerview",
        "hybrid",
        "stop",
        "leverage",
        "protect",
        "small",
        "attack",
        "june",
        "twitter",
        "lazagne",
        "psexec",
        "killav",
        "anydesk",
        "find",
        "indonesia",
        "dll rcdata"
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html",
        "https://thehackernews.com/2023/07/blackcat-operators-distributing.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "DLL RCDATA",
          "display_name": "DLL RCDATA",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "64a3ce94c613b75e1c3d976c",
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 5,
        "domain": 1,
        "hostname": 1
      },
      "indicator_count": 7,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 278,
      "modified_text": "1036 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "64bf65b8f4a350229b91e306",
      "name": "BlackCAT\u52d2\u7d22\u8f6f\u4ef6\u6b63\u5728\u901a\u8fc7\u865a\u5047\u5e7f\u544a\u8fdb\u884c\u4f20\u64ad",
      "description": "\u6700\u8fd1\uff0c\u8d8b\u52bf\u79d1\u6280\uff08Trend Micro\uff09\u7684\u4e8b\u4ef6\u54cd\u5e94\u56e2\u961f\u901a\u8fc7\u201cTargeted Attack Detection (TAD)\u201d\u670d\u52a1\u53d1\u73b0\u4e86\u4e00\u4e2a\u6709\u9488\u5bf9\u6027\u7684\u7ec4\u7ec7\uff0c\u5176\u906d\u53d7\u9ad8\u5ea6\u53ef\u7591\u7684\u6d3b\u52a8\u3002\u5728\u8c03\u67e5\u4e2d\uff0c\u9ed1\u5ba2\u4f7f\u7528\u865a\u5047\u7f51\u7ad9\u7684\u6076\u610f\u5e7f\u544a\u6765\u901a\u8fc7\u514b\u9686\u5408\u6cd5\u7ec4\u7ec7\u7684\u9875\u9762\u4f20\u64ad\u6076\u610f\u8f6f\u4ef6\u3002\u5728\u8fd9\u4e2a\u6848\u4f8b\u4e2d\uff0c\u4f20\u64ad\u6d89\u53ca\u4e86\u4e00\u4e2a\u8457\u540d\u5e94\u7528\u7a0b\u5e8fWinSCP\u7684\u9875\u9762\uff0c\u8be5\u5e94\u7528\u7a0b\u5e8f\u662f\u7528\u4e8eWindows\u6587\u4ef6\u4f20\u8f93\u7684\u5f00\u6e90\u8f6f\u4ef6\u3002\u50cf\u8c37\u6b4c\u5e7f\u544a\u7b49\u5e7f\u544a\u5e73\u53f0\u4f7f\u4f01\u4e1a\u53ef\u4ee5\u5411\u76ee\u6807\u53d7\u4f17\u5c55\u793a\u5e7f\u544a\uff0c\u4ee5\u589e\u52a0\u6d41\u91cf\u548c\u9500\u552e\u3002\u6076\u610f\u8f6f\u4ef6\u5206\u53d1\u8005\u5229\u7528\u76f8\u540c\u7684\u529f\u80fd\u8fdb\u884c\u6076\u610f\u5e7f\u544a\u4f20\u64ad\uff0c\u8fd9\u79cd\u6280\u672f\u88ab\u79f0\u4e3a\u6076\u610f\u5e7f\u544a\uff08malvertising\uff09\uff0c\u5728\u5176\u4e2d\u9009\u62e9\u7684\u5173\u952e\u5b57\u88ab\u52ab\u6301\u7528\u4e8e\u663e\u793a\u5f15\u8bf1\u4e0d\u77e5\u60c5\u7684\u641c\u7d22\u5f15\u64ce\u7528\u6237\u4e0b\u8f7d\u67d0\u79cd\u7c7b\u578b\u7684\u6076\u610f\u8f6f\u4ef6\u7684\u5e7f\u544a\u3002",
      "modified": "2023-07-25T06:03:36.712000",
      "created": "2023-07-25T06:03:36.712000",
      "tags": [
        "HotSpot"
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html",
        "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-leverage-spyboy-terminator-/Malvertising_IOCs.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "BlackCAT",
          "display_name": "BlackCAT",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 22,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "junchuanyang1",
        "id": "157561",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_157561/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 51,
        "hostname": 1,
        "FileHash-MD5": 16,
        "FileHash-SHA1": 105,
        "FileHash-SHA256": 15,
        "domain": 4
      },
      "indicator_count": 192,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 84,
      "modified_text": "1044 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://events.drdivyaclinic.com",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://events.drdivyaclinic.com",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780501408.211789
}