Malicious Google Ads Trick WinSCP Users into Installing Malware

Subject : Malicious Google Ads Trick WinSCP Users into Installing Malware
Date : 2023-11-22

Information

  WinSCP is a free, open-source file-transfer application that uses File Transfer Protocol (FTP), Secure Shell File Transfer Protocol (SFTP) and Secure Copy Protocol (SCP) for plain or secure file transfer. The application is designed to work with Windows and supports common Windows desktop features.

Incident

  Cybersecurity company Securonix is tracking the ongoing activity under the name SEO#LURKER. Threat actors are leveraging manipulated search results and bogus Google ads that trick users who are looking to download legitimate software such as WinSCP into installing malware instead.

  The attack begins with the user searching for “WinSCP” in Google. The ad appears before the legitimate website for WinSCP which is https://winscp.net. The malicious advertisement directs the user to a compromised WordPress website gameeweb[.]com which redirects the user to an attacker-controlled phishing site.

  The threat actors are believed to leverage Google's Dynamic Search Ads (DSAs), which automatically generate ads based on a site's content, to serve the malicious ads that take the victims to the infected site.

  The threat actors registered a domain similar to the legitimate winscp.net in order to appear as legitimate as possible. As you can see in the figure below, the phishing domain hxxps://winsccp[.]net (left) and the legitimate website are nearly identical.

Figure 1 : lure website versus legitimate WinSCP website download page

  "Traffic from the gaweeweb[.]com website to the fake winsccp[.]net website relies on a correct referrer header being set properly," the researchers said. "If the referrer is incorrect, the user is 'Rickrolled' and is sent to the infamous Rick Astley YouTube video." (Rickrolling is an internet meme that spread quickly across the internet: a link that appears to lead to the topic at hand instead turns out to be Rick Astley's 1987 music video for "Never Gonna Give You Up".)

  The final payload takes the form of a ZIP file ("WinSCP_v.6.1.zip") that comes with a setup executable, which, when launched, employs DLL side-loading to load and execute a DLL file named python311.dll that is present within the archive. The DLL, for its part, downloads and executes a legitimate WinSCP installer to keep up the ruse, while stealthily dropping Python scripts ("slv.py" and "wo15.py") in the background to activate the malicious behavior. It is also responsible for setting up persistence.

  "Given the fact that the attackers were leveraging Google Ads to disperse malware, it can be believed that the targets are limited to anyone seeking WinSCP software," the researchers said. This is not the first time Google's Dynamic Search Ads have been abused to distribute malware. Late last month, Malwarebytes lifted the lid on a campaign that targets users searching for PyCharm with links to a hacked website hosting a rogue installer that paves the way for the deployment of information-stealing malware.

Solution

1. When searching for the original software, skip the search results that are Google Ads.

2. Download programs directly from well-known and reliable websites only.
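The two checks below put the advice above, and the attack chain described earlier, into defender-side code. This is an added example, not code from the bulletin or from Securonix: it flags a download host that is a near-miss of winscp.net (such as the winsccp[.]net lookalike) and inspects a ZIP for the setup.exe-plus-bundled-DLL layout used for side-loading. The archive it checks is a constructed stand-in with stub bytes, not the real lure.

```python
import io
import posixpath
import zipfile
from urllib.parse import urlparse

LEGIT_HOST = "winscp.net"  # the genuine download site named in the bulletin


def refang(url):
    """Turn the defanged notation used in reports (hxxps, [.]) back into a URL."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-letter typosquats such as winsccp.net."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_download_host(url, legit=LEGIT_HOST, max_dist=2):
    """Return 'legitimate', 'lookalike' (within max_dist edits of legit) or 'unrelated'."""
    host = (urlparse(refang(url)).hostname or "").lower().removeprefix("www.")
    if host == legit:
        return "legitimate"
    if edit_distance(host, legit) <= max_dist:
        return "lookalike"
    return "unrelated"


def sideload_indicators(zip_bytes):
    """Flag an installer that ships DLLs beside itself (the DLL side-loading layout)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
    exes = [n for n in names if n.lower().endswith(".exe")]
    dlls = [n for n in names if n.lower().endswith(".dll")]
    findings = []
    for exe in exes:
        beside = [d for d in dlls if posixpath.dirname(d) == posixpath.dirname(exe)]
        if beside:
            findings.append("%s ships with DLL(s) in its own directory: %s"
                            % (posixpath.basename(exe), ", ".join(map(posixpath.basename, beside))))
    # A python3xx.dll without any python*.exe next to it is the pattern from this campaign.
    if any(posixpath.basename(d).lower().startswith("python") for d in dlls) and \
            not any(posixpath.basename(e).lower().startswith("python") for e in exes):
        findings.append("Python runtime DLL present without a Python interpreter")
    return findings


def build_sample_archive():
    """Constructed stand-in for the lure ZIP; the 'MZ' stubs are not real binaries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WinSCP_v.6.1/setup.exe", b"MZ stub")
        zf.writestr("WinSCP_v.6.1/python311.dll", b"MZ stub")
    return buf.getvalue()
```

Run `classify_download_host` on the link a user is about to click and `sideload_indicators` on the archive before anything in it is executed; either finding is reason to discard the download and fetch the installer from winscp.net directly.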

Security systems are the important thing; we must stay vigilant and keep monitoring as usual.
For more information please contact
Email : sales@inetms.co.th
065 149 2822 (Ms.Suphatson )
061 404 5895 (Ms.Thanyakan)
063 204 4534 (Ms.Atsamaphorn)
065 929 6330 (Ms.Kansinee)


References

–https://www.securonix.com/blog/seolurker-attack-campaign-uses-seo-poisoning-fake-google-ads-to-install-malware/

–https://thehackernews.com/2023/11/beware-malicious-google-ads-trick.html

–https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html

–https://smallbusiness.chron.com/winscp-77185.html


Weekly Interesting CVE

Fields for each entry: No. / CVE Name / Published Date / Last Update / Device/Application/OS Target / Attack Type / CVSS Severity Rating / Detail / Solution / Ref

1. CVE-2023-28134
   Published Date : 12/11/2023
   Last Update : 17/11/2023
   Target : Check Point Harmony Endpoint/ZoneAlarm Extreme Security
   Attack Type : Permission assignment
   CVSS Severity Rating : 7.8
   Detail : A local attacker can escalate privileges on affected installations of Check Point Harmony Endpoint/ZoneAlarm Extreme Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
   Solution : Update to Version E81.10
   Ref : https://nvd.nist.gov/vuln/detail/CVE-2023-28134

2. CVE-2023-42326
   Published Date : 14/11/2023
   Last Update : 17/11/2023
   Target : Netgate pfSense
   Attack Type : Privilege Escalation
   CVSS Severity Rating : 8.8
   Detail : An issue in Netgate pfSense v.2.7.0 allows a remote attacker to execute arbitrary code via a crafted request to the interfaces_gif_edit.php and interfaces_gre_edit.php components.
   Solution : 5.6.0 and later versions
   Ref : https://www.opencve.io/cve/CVE-2018-6703

3. CVE-2023-37580
   Published Date : 31/7/2023
   Last Update : 17/11/2023
   Target : Zimbra
   Attack Type : Cross-site Scripting
   CVSS Severity Rating : 6.1
   Detail : Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41 allows Cross-site Scripting (XSS) in the Zimbra Classic Web Client.
   Solution : Update to Version 8.8.15 Patch 41
   Ref : https://nvd.nist.gov/vuln/detail/CVE-2023-42326#VulnChangeHistorySection

4. CVE-2023-4632
   Published Date : 8/11/2023
   Last Update : 16/11/2023
   Target : Lenovo
   Attack Type : Uncontrolled search path
   CVSS Severity Rating : 7.8
   Detail : An uncontrolled search path vulnerability was reported in Lenovo System Update that could allow an attacker with local access to execute code with elevated privileges.
   Solution : Update to Version 5.08.02.25
   Ref : https://nvd.nist.gov/vuln/detail/CVE-2023-4632

5. CVE-2020-7329
   Published Date : 11/11/2023
   Last Update : 16/11/2023
   Target : McAfee MVISION Endpoint
   Attack Type : Server-side request forgery
   CVSS Severity Rating : 7.2
   Detail : A server-side request forgery vulnerability in the ePO extension in McAfee MVISION Endpoint prior to 20.11 allows remote attackers to trigger server-side DNS requests to arbitrary domains via carefully constructed XML files loaded by an ePO administrator.
   Solution : Update to Version 20.11
   Ref : https://nvd.nist.gov/vuln/detail/CVE-2020-7329


30 November 2023
