By Securonix Threat Research: Den Iuzvyk, Tim Peck, Oleg Kolesnikov
An interesting ongoing SEO poisoning/malvertising campaign leveraging WinSCP lures along with a stealthy infection chain lures victims into installing malware (alongside the legitimate WinSCP software). Attackers are likely leveraging dynamic search ads which let threat actors inject their own malicious code while mimicking legitimate sources like Google search pages.
A rather steep uptick in malicious advertising (malvertising) has been observed, especially in the last year which involves threat actors paying either your favorite search engine or social networking sites for ad space in order to promote malware in prominent locations.
The Securonix Threat Research team has been tracking an ongoing campaign SEO#LURKER which targets “WinSCP” keywords in Google Search results. WinSCP is a popular SSH/SCP connection platform which has established a huge user base over the years making it a lucrative target for threat actors. It’s highly likely that WinSCP is not the only downloadable software being targeted by these threat actors to serve malicious advertisements.
Given its popularity, WinSCP has been a target in the past, along with a host of other popular software downloads. In July this year, we observed some of these infections resulting in the victim machine being infected with ransomware using similar approaches.
Today, malvertising and SEO poisoning continues to remain popular. As seen in the figure below, the homepage for the popular software tracks about 430K searches in the past three months, and another 50k for the download page itself. Another factor to consider is that this method is also especially lucrative as according to the data below, the CPC (cost per click) ranges between $2.25 and $1.84 USD.
Figure 1: Google traffic for winscp.net (three months)
This type of malvertising is extremely effective since a threat actor can place a link masquerading as a legitimate website at the very top of the Google search results, exactly where a user might click after searching for a specific tool to download.
Attack chain overview
Figure 2: SEO#LURKER attack chain example
Malvertising infrastructure analysis
The attack begins with the user searching for “WinSCP” in Google. The ad appears before the legitimate website for WinSCP which is https://winscp.net. The malicious advertisement directs the user to a compromised WordPress website gameeweb[.]com which redirects the user to an attacker-controlled phishing site. The threat actors registered a similar domain and an almost identical looking website to trick users into downloading their malware.
Malicious DSA ads in Google Search
It’s also highly likely that the attackers leverage dynamic search ads (DSA). This type of advertising allows threat actors to inject their own malicious code into another, say if the site becomes compromised, or create their own based on the content of their own phishing website. These kinds of ads will promote their own malicious software as if they were the legitimate source from Google search pages.
This type of advertising has been used extensively in the past by threat actors and will likely continue despite Google’s efforts to mitigate it.
Malvertising infrastructure of the SEO#LURKER campaign
The threat actors registered a domain similar to the legitimate winscp.net in order to appear as legitimate as possible. As you can see in the figure below phishing domain hxxps://winccp[.]net (left) and the legitimate website are nearly identical:
Figure 3: lure website versus legitimate winscp website download page
When the user clicks the malicious advertisement, they are brought to the domain gaweeweb[.]com which immediately redirects to hxxps://winccp[.]net. The fake WinSCP phishing site follows a similar naming to previous documented campaigns which used the domain winsccp[.]net rather than what we are observing currently.
When the “DOWNLOAD WINSCP 6.1.2” link is clicked, the file is downloaded from a seemingly legitimate Japanese website to download the malicious zip package stored at the root of the website: hxxps://pr-uae[.]com/WinSCP_v.6.1.zip.
Traffic from the gaweeweb[.]com website to the fake winsccp[.]net website relies on a correct referrer header being set properly. If the referrer is incorrect, the user is “Rick Rolled” and is sent to the infamous Rick Astley YouTube video.
Zip file content analysis: WinSCP_v.6.1.zip
As the victim user would suspect, the zip file is downloaded and once opened, the user is presented with a simple setup.exe file, along (along with a bunch of hidden files). It should be noted that the legitimate WinSCP file download does not download a zip package, rather a single installer.
Figure 4: WinSCP_v.6.1.zip file contents (hidden files in red)
Inside the zip file there are several files, several of which serve no real purpose. Setup.exe is a renamed legitimate “pythonw.exe” which is digitally signed. The executable is designed to launch GUI or no-UI-at-all scripts so it will never open a popup window. The second file worth mentioning is python311.dll. This is not the legitimate DLL used by Python processes, rather it is built by the attacker which when executed kicks off the malicious code execution.
When the user runs setup.exe, the hidden python311.dll is sideloaded and its code contents are executed by the setup/python process. No actual python code is executed at this point. Eventually the pythonw.exe process will crash but not before running the malicious code from the DLL.
Code execution: “python311.dll”
When setup.exe is executed and python311.dll is sideloaded, the process will perform several key functions. First, it downloads and executes a legitimate WinSCP installer. The file is saved to the user’s downloads folder and executed thus kicking off the WinSCP installation. This reinforces legitimacy along with the user’s initial intent of downloading and installing WinSCP.
After the installer executes, the malware will create a bunch of files in the user’s %LOCALAPPDATA% directory. The DLL acts as a dropper and loads the following files onto the user’s file system:
The files created in the “Notepad” directory are all legitimate Python files and library components for running Python scripts. Setup.exe lastly runs the following command which executes the Python code contained in the “slv.py” file.
At this point the user is probably in the middle of installing WinSCP, unaware of the malware currently executing in the background on their system.
Code execution: slv.py
Now we’re actually executing malicious Python code. The Python file is heavily obfuscated and all but one line of the file are completely useless. These useless lines appear to attempt evading detection by creating a bunch of useless functions and defining unused variables along with randomly inserted comments.
Figure 5: File content sample of the slv.py file
The line of code we’re interested in is quite large at over 240,000 characters containing raw Python bytecode. In summary, this line takes the long string contained in single quotes and then decompresses it using the zlib library. Next the decompressed object is marshaled which is done to serialize and deserialize Python code objects. It then executes the results of the payload via exec().
Immediately after executing the contained code within the Python script, it will immediately begin beaconing to niubab[.]com (141.98.6[.]195) on port 8443. At this point the attackers have command and control capabilities over the infected host.
Another similar Python file was then dropped into the %LOCALAPPDATA%\Notepad directory called wo15.py. Once executed, the file began beaconing to 194.180.48[.]42 on 443. Both slv.py and wo15.py appear to function in the same manner.
Observed commands: manual session
With the system compromised and C2 established, we observed the following enumeration commands (spawning from pythonw.exe process):
- whoami /all
- whoami /priv
- net localgroup administrators
- net group “domain controllers” /domain
- net group “domain computers” /domain
- net group “domain admins” /domain
Moving up the infection chain…
Next, three new directories were again created, this time from within the newly created %LOCALAPPDATA%\JetBrains\ directory. These appeared to be randomized containing similar files within:
The files appear to be used for persistence and function similarly to that of the Python files we covered earlier.
The file update.exe is a legitimate msiexec binary that was renamed. When executed it will side load msi.dll which should normally exist in C:\Windows\System32. The DLL is sideloaded which then is rewritten to load the second 3-letter DLL in the folder which is the malicious payload.
The use of msiexec.exe to sideload msi.dll is not new and has been documented in the past. The DLL loaded by the process exhibited some classic Meterpreter characteristics and was built using known obfuscation methods. Beaconing to the following IP address was observed after execution:
Once again we observed similar enumeration commands coming from the “update.exe” process as from the Python beacons earlier.
Once infected, persistence on the host was established using scheduled tasks. We observed three unique tasks being created.
Figure 6: scheduled tasks persistence
As you can see in the figure above, each of the scheduled tasks attempts to masquerade as a legitimate scheduled task starting with “onedrive standalone update task” and a security and group identifier that doesn’t exist.
The scheduled task calls update.exe (renamed msiexec.exe) followed by a long string which appears to be ignored by msiexec during our testing. This is likely an attempt to break detections. The process pythonw.exe is also executed along with the slv.py payload.
Figure 7: scheduled task details
Given the fact that the attackers were leveraging Google Ads to disperse malware, it can be inferred that the targets are limited to anyone seeking WinSCP software. The geoblocking used on the site hosting the malware suggests that those in the US are victims of this attack.
The overall attack chain is quite unusual and relies heavily upon several rounds of DLL sideloading, and malicious compiled Python files which results in a rather complex attack chain ending with persistence via scheduled tasks.
C2 and infrastructure
The SEO#LURKER consisted of several C2 IP addresses using either port 443 or 8443. The domain pr-uae[.]com appears to be compromised and is currently hosting the malicious WinSCP zip file at the root of the domain.
All three of the IP addresses are hosted in the Netherlands, registered to RIPE NCC.
|gaweeweb[.]com||Compromised WordPress website|
|Download initial lure payload|
|niubab[.]com||C2 Comms over port 8443/443 by update.exe|
|141.98.6[.]195||C2 Comms over port 8443 by pythonw.exe|
|194.180.48[.]42||C2 Comms over port 443 by pythonw.exe|
|194.169.175[.]221||C2 Comms over port 8443 by update.exe|
Securonix recommendations and mitigations
With malvertising becoming more and more popular, it’s critical to scrutinize web results thoroughly especially when searching for software to download and install.
- Check that files are downloaded from reputable sites, always check the URL that it matches the intended software
- Verify file download that it matches the checksum provided by the trusted source (guide)
- Monitor common malware staging directories, especially the user’s “\Appdata\Local” which was used in this attack campaign
- Deploy additional process-level logging such as Sysmon and PowerShell logging for additional log detection coverage
- Securonix customers can scan endpoints using the Securonix Seeder Hunting Queries below
MITRE ATT&CK matrix
|Resource Development||T1583.008: Acquire Infrastructure: Malvertising|
|Execution||T1204.001: User Execution: Malicious Link
T1204.002: User Execution: Malicious File
T1059: Command and Scripting Interpreter
T1059.006: Command and Scripting Interpreter: Python
|Defense Evasion||T1574.002: Hijack Execution Flow: DLL Side-Loading
T1036.004: Masquerading: Masquerade Task or Service
T1036.005: Masquerading: Match Legitimate Name or Location
|Command and Control||T1105: Ingress Tool Transfer
T1573.001: Encrypted Channel: Symmetric Cryptography
T1219: Remote Access Software
|Persistence||T1053: Scheduled Task/Job|
Analyzed file hashes
|File Name||SHA256 (IoC)|
Relevant provisional Securonix detections
Relevant hunting/Spotter queries (be sure to remove square brackets “[ ]”)
- index = activity AND rg_functionality = “Web Proxy” AND (destinationaddress = “141.98.6[.]195” OR destinationaddress = “194.180.48[.]42” OR destinationaddress = “194.169.175[.]221”) AND (destinationport = “443” OR destinationport = “8443”)
- index = activity AND rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Network connection detected” OR deviceaction = “Network connection detected (rule: NetworkConnect)”) AND (destinationhostname CONTAINS “gaweeweb[.]com” OR destinationhostname CONTAINS “pr-uae[.]com” OR destinationhostname CONTAINS “winccp[.]net” OR destinationhostname CONTAINS “niubab[.]com”)
- index = activity AND rg_functionality = “Endpoint Management Systems” AND baseeventid = “7” AND customstring67 ENDS WITH “\msi.dll” AND (customstring67 NOT CONTAINS “\windows\system32” OR customstring67 NOT CONTAINS “\windows\syswow64”)
- index = activity AND rg_functionality = “Endpoint Management Systems” AND (deviceaction = “ProcessCreate” OR deviceaction = “Process Create” OR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2” OR deviceaction = “Procstart” OR deviceaction = “Process” OR deviceaction = “Trace Executed Process”) AND destinationprocessname = “schtasks.exe” AND (resourcecustomfield1 CONTAINS “\Appdata\Local” OR resourcecustomfield1 CONTAINS “\Appdata\Roaming”)
- Malvertising Used as Entry Vector for BlackCat, Actors Also Leverage SpyBoy Terminator
- Malvertisers Using Google Ads to Target Users Searching for Popular Software
- Malvertising in Facebook: Analysis, Quantification and Solution
- Malvertising via Dynamic Search Ads delivers malware bonanza
- Hijacking DLLs in Windows
- How to Check a File Checksum: A Step-by-Step Guide