- Arctic Wolf identified SEO-optimized fake download pages
- The fake sites impersonate PuTTY and WinSCP
- Experts warn teams to be cautious when downloading software
Researchers have discovered a malicious campaign that uses SEO-optimized fake landing pages to deploy a malware loader called Oyster.
Arctic Wolf cybersecurity researchers found that threat actors have created numerous landing pages impersonating PuTTY and WinSCP, two popular Windows tools used to connect securely to remote servers.
These pages look identical to their legitimate counterparts, so when people search Google for these tools (mainly IT, cybersecurity and web development professionals), they can be tricked into opening the malicious site. Since nothing on the site would raise suspicion, they download the tool, which works as expected but also delivers Oyster, a known malware loader that is also tracked as Broomstick or CleanUpLoader.
Other software may also be abused
“Upon execution, a backdoor known as Oyster/Broomstick is installed,” Arctic Wolf said. “Persistence is established by creating a scheduled task that runs every three minutes, executing a malicious DLL (Twain_96.dll) via rundll32.exe using the DllRegisterServer export, indicating the use of DLL registration as part of the persistence mechanism.”
Oyster is a stealthy malware loader used to deliver additional malicious payloads to infected Windows systems, often as part of multi-stage attacks. It uses techniques such as process injection, string obfuscation and command-and-control over HTTPS to evade detection and maintain persistence.
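The persistence pattern described above (a scheduled task firing every few minutes that runs rundll32.exe against a DLL in a user-writable directory with the DllRegisterServer export) is something a detection engineer can hunt for in process-creation telemetry. The following is an added example, not code from Arctic Wolf or the article: it runs two simple checks over a handful of constructed Sysmon-style process-creation records (image, command line, parent). The sample command lines, the "Updater" task name, the user-writable path list and the five-minute threshold are all assumptions made for the example; only the DLL name follows the article.

```python
import re

# Constructed sample process-creation records (Sysmon Event ID 1 style, fields
# reduced to image / command line / parent). These are NOT real logs from the
# campaign; the DLL name follows the one quoted in the article.
SAMPLE_EVENTS = [
    {   # persistence firing: the task scheduler (hosted in svchost) runs the DLL export
        "image": r"C:\Windows\System32\rundll32.exe",
        "cmdline": r'rundll32.exe "C:\Users\alice\AppData\Roaming\Twain_96.dll",DllRegisterServer',
        "parent": r"C:\Windows\System32\svchost.exe",
    },
    {   # benign: a Control Panel applet launched through rundll32 from a system DLL
        "image": r"C:\Windows\System32\rundll32.exe",
        "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl",
        "parent": r"C:\Windows\explorer.exe",
    },
    {   # persistence setup: a trojanized installer registers a three-minute task
        "image": r"C:\Windows\System32\schtasks.exe",
        "cmdline": r'schtasks.exe /create /sc minute /mo 3 /tn "Updater" /tr "rundll32 C:\Users\alice\AppData\Roaming\Twain_96.dll,DllRegisterServer" /f',
        "parent": r"C:\Users\alice\Downloads\putty.exe",
    },
    {   # benign: an admin-created hourly maintenance task
        "image": r"C:\Windows\System32\schtasks.exe",
        "cmdline": r'schtasks.exe /create /sc hourly /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"',
        "parent": r"C:\Windows\System32\cmd.exe",
    },
]

# Directories a standard user can write to (assumed list); a DLL loaded from
# one of these by a persistence mechanism deserves a look.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:AppData|Downloads|Desktop)|ProgramData|Windows\\Temp)\\",
    re.IGNORECASE,
)
# rundll32 <dll>,<export>  (quotes around the DLL path are optional)
RUNDLL_EXPORT = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\w+)',
    re.IGNORECASE,
)
SCHTASKS_CREATE = re.compile(r"schtasks(?:\.exe)?\s+/create\b", re.IGNORECASE)
SC_MINUTE_MO = re.compile(r"/sc\s+minute\b.*?/mo\s+(?P<mo>\d+)", re.IGNORECASE)
TR_ARG = re.compile(r'/tr\s+"(?P<tr>[^"]*)"', re.IGNORECASE)

MAX_MINUTES = 5  # assumption: intervals at or below this count as "high frequency"


def check_rundll32(event):
    """Flag rundll32.exe calling an export of a DLL that lives in a user-writable path."""
    if not event["image"].lower().endswith("rundll32.exe"):
        return None
    m = RUNDLL_EXPORT.search(event["cmdline"])
    if not m or not USER_WRITABLE.search(m["dll"]):
        return None
    return {
        "rule": "rundll32_user_path_export",
        "dll": m["dll"],
        "export": m["export"],
        # the campaign abused DllRegisterServer specifically, so rank that higher
        "severity": "high" if m["export"].lower() == "dllregisterserver" else "medium",
    }


def check_schtasks(event):
    """Flag schtasks /create with a minute-level interval whose action is rundll32."""
    if not event["image"].lower().endswith("schtasks.exe"):
        return None
    cmdline = event["cmdline"]
    if not SCHTASKS_CREATE.search(cmdline):
        return None
    mo = SC_MINUTE_MO.search(cmdline)
    tr = TR_ARG.search(cmdline)
    if not mo or not tr or int(mo["mo"]) > MAX_MINUTES:
        return None
    if not re.search(r"\brundll32\b", tr["tr"], re.IGNORECASE):
        return None
    return {
        "rule": "schtasks_minute_rundll32",
        "interval_minutes": int(mo["mo"]),
        "action": tr["tr"],
        "severity": "high",
    }


def analyze(events):
    """Run both checks over a list of process-creation records and collect findings."""
    findings = []
    for idx, ev in enumerate(events):
        for check in (check_rundll32, check_schtasks):
            hit = check(ev)
            if hit:
                hit["event_index"] = idx
                hit["parent"] = ev["parent"]
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

On the sample data the two benign records produce nothing, while the task registration and the later rundll32 execution each produce a finding; correlating the two (same DLL path, parent of the registration being a freshly downloaded installer) is the kind of context that turns a noisy rundll32 rule into a usable alert.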
These are some of the fake websites used in the attacks:
updates[.]com
zephype[.]com
putty[.]run
putty[.]bet, and
broken[.]org
While Arctic Wolf only mentioned PuTTY and WinSCP, it stressed that other tools may have been abused in the same way. “Although only Trojanized versions of PuTTY and WinSCP have been observed in this campaign, additional tools may also be involved,” the researchers said.
Out of an abundance of caution, professionals are advised to download software only from trusted sources, and to type the addresses themselves rather than simply searching and clicking the top result.
Via The Hacker News