Fraudulent Google ads for the WinSCP and PuTTY utilities have been used in a malvertising campaign targeting Windows system administrators that attempted to distribute ransomware, BleepingComputer reports.
According to a Rapid7 report, the attackers registered typosquatted domain names for the fake WinSCP and PuTTY sites. Download links on those sites redirected visitors to the legitimate sites while also downloading ZIP archives containing a malicious DLL; that DLL deployed the Sliver post-exploitation toolkit, which was then used to deliver Cobalt Strike beacons and other payloads for initial network access. Researchers also observed attempted data exfiltration and ransomware deployment, both of which were ultimately thwarted.
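The typosquatted domains are the first observable in this chain from a defender's point of view. The following script is an added illustration, not code from the article or from Rapid7: it flags lookalike domains for the two admin tools named above in proxy log lines. The allowlist of legitimate domains, the edit-distance threshold, the log format and every log line (including the lookalike hostnames) are constructed assumptions, not indicators from the campaign.

```python
"""Flag lookalike (typosquatted) domains for admin tools in proxy logs.

Added illustrative example; not from the original article or the Rapid7 report.
The allowlist, brand tokens, threshold, log format and log lines are all
constructed assumptions for the demo.
"""
import re

# Assumed allowlist: the domains a defender treats as the genuine download sites.
KNOWN_GOOD = {"winscp.net", "putty.org"}
# Brand tokens whose presence in an unknown domain should raise suspicion.
BRAND_TOKENS = {"winscp", "putty"}

# Constructed proxy log lines: "<timestamp> <client-ip> <method> <url> <status>".
# The lookalike hostnames are made up for this example and are not IoCs.
LOG_LINES = [
    "2024-05-17T10:01:02Z 10.0.0.5 GET https://winscp.net/eng/download.php 200",
    "2024-05-17T10:02:11Z 10.0.0.5 GET https://wnscp.net/WinSCP-Setup.zip 200",
    "2024-05-17T10:03:45Z 10.0.0.9 GET https://putty-downloads.com/putty.zip 200",
    "2024-05-17T10:04:10Z 10.0.0.9 GET https://example.com/index.html 200",
]

URL_HOST = re.compile(r"https?://([^/\s:]+)")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Reduce a hostname to its last two labels (simplified; ignores public-suffix rules)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify(host: str, max_distance: int = 2):
    """Return (reason, brand) if the host looks like a lookalike, else None."""
    dom = registrable(host)
    if dom in KNOWN_GOOD:
        return None
    sld = dom.split(".")[0]
    for brand in BRAND_TOKENS:
        if sld == brand:
            # Exact brand name under a TLD not on the allowlist.
            return ("brand-other-tld", brand)
        if brand in sld:
            # Brand embedded in a longer name, e.g. "<brand>-downloads".
            return ("brand-embedded", brand)
        d = levenshtein(sld, brand)
        if 0 < d <= max_distance:
            # One or two edits away from the brand: dropped, swapped or added letters.
            return ("edit-distance", brand)
    return None


def scan_log(lines):
    """Return [(host, reason, brand), ...] for every flagged request, in log order."""
    hits = []
    for line in lines:
        m = URL_HOST.search(line)
        if not m:
            continue
        host = m.group(1)
        verdict = classify(host)
        if verdict:
            hits.append((host, verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    for host, reason, brand in scan_log(LOG_LINES):
        print(f"FLAG {host}: {reason} (brand={brand})")
```

A short edit distance against a small brand list is deliberately noisy (an unrelated five-letter domain two edits from "putty" would also be flagged), so in practice the hits feed a review queue or a block-on-first-seen policy for the tools a team actually downloads, rather than an automatic block.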
"The related techniques, tactics, and procedures (TTP) observed by Rapid7 are reminiscent of past BlackCat/ALPHV campaigns as reported by Trend Micro last year," said Rapid7 researcher Tyler McGraw.
The incident comes amid a growing number of malvertising campaigns impersonating widely used software, including AnyDesk, VLC, Malwarebytes, MSI Afterburner, 7-Zip, CCleaner, Brave, and Grammarly.