Beware: Malicious Google Ads Trick WinSCP Users into Installing Malware

Cyber Security Threat Summary:
Cybersecurity company Securonix has uncovered a new campaign dubbed SEO#LURKER, where actors are tricking WinSCP users into installing malware via SEO poisoning and bogus Google ads. In particular, the actors are using dynamic search ads which automatically generate ads based on a site's content to serve the malicious ads that take the victims to an infected site, which in this case is a compromised WordPress site (gameeweb[.]com). Researchers say this WordPress site will redirect the victim to a phishing site advertising a fake installation for WinSCP, in turn infecting the victim with malware. If the victim falls for the lure, a Zip file is downloaded, which when launched employs DLL side-loading to load and execute a DLL file named python311.dll. This DLL file is responsible for dropping malicious Python scripts designed to establish contact with a C2 server and receive further instructions that allow the actors to run enumeration commands on the host. At the same time, researchers say that the DLL will also execute a legitimate WinSCP installer to prevent victims from becoming suspicious, while the malicious activity is conducted in the background.

Security Officer Comments:
WinSCP is SSH/SCP connection platform that allows users to transfer files between local and remote computers. Given its popularity, it makes sense that threat actors are using Google ads to distribute bogus installation pages to unsuspecting users who are trying to use the software. According to researchers, the sites hosting the fake downloads are using geoblocking, indicating that only users in the US are the victims of the latest campaign.

Suggested Correction(s):
(Securonix) With malvertising becoming more and more popular, it’s critical to scrutinize web results thoroughly especially when searching for software to download and install.

  • Check that files are downloaded from reputable sites, always check the URL that it matches the intended software
  • Verify file download that it matches the checksum provided by the trusted source (guide)
  • Monitor common malware staging directories, especially the user’s “\Appdata\Local” which was used in this attack campaign
  • Deploy additional process-level logging such as Sysmon and PowerShell logging for additional log detection coverage