- Fake, SEO-poisoned download pages deliver a malware loader called Oyster
- The sites impersonate PuTTY and WinSCP
- Experts warn IT teams to be careful when downloading software
Experts have uncovered a malicious campaign that uses fake, SEO-optimized landing pages to deploy a malware loader called Oyster.
Cybersecurity researchers at Arctic Wolf found that threat actors set up numerous landing pages posing as PuTTY and WinSCP, two popular Windows tools used to connect securely to remote servers.
The pages look identical to their legitimate counterparts, so when people search for these tools on Google (mainly IT, cybersecurity and web development professionals) they can be tricked into opening the wrong site. Since nothing on the site raises suspicion, they download the tool, which works as expected but also drops Oyster, a known malware loader also tracked as Broomstick or CleanUpLoader.
Other software may be abused too
"Upon execution, a backdoor known as Oyster/Broomstick is installed," Arctic Wolf explained. "Persistence is established by creating a scheduled task that runs every three minutes, executing a malicious DLL (twain_96.dll) via rundll32.exe using the DllRegisterServer export, indicating the use of DLL registration as part of the persistence mechanism."
Oyster is a stealthy malware loader used to deliver additional malicious payloads onto infected Windows systems, often as part of multi-stage attacks. It uses techniques such as process injection, string obfuscation and command-and-control over HTTPS to evade detection and maintain persistence.
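The persistence described above is very huntable: a scheduled task that repeats every few minutes and runs rundll32.exe against a DLL's DllRegisterServer export. The script below is an added example, not Arctic Wolf's code, showing how to check Task Scheduler definitions for that combination. It parses the real task XML format (the same schema stored under C:\Windows\System32\Tasks and printed by `schtasks /Query /XML`), but the two task definitions embedded here are constructed samples, the DLL path is assumed for illustration, and the "user-writable directory" list and the scoring threshold are heuristics of this example.

```python
"""Hunt Windows Task Scheduler definitions for Oyster-style persistence:
a task repeating every few minutes that runs rundll32.exe with a DLL's
DllRegisterServer export. Added example, not code from the original report."""
import ntpath
import re
import xml.etree.ElementTree as ET

# Namespace used by every task XML under C:\Windows\System32\Tasks
# and by the output of `schtasks /Query /XML`.
NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Directories a scheduled task has no business loading a DLL from
# (assumed heuristic for this example, extend to taste).
USER_WRITABLE = re.compile(
    r"\\(Users\\Public|Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp|Temp)\\", re.I
)

# Constructed sample: a task matching the pattern in the report
# (three-minute repetition, rundll32.exe, DllRegisterServer export).
# The DLL location is assumed; the report does not give one.
SUSPICIOUS_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition>
        <Interval>PT3M</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <StartBoundary>2025-07-01T12:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>rundll32.exe</Command>
      <Arguments>C:\\Users\\Public\\twain_96.dll,DllRegisterServer</Arguments>
    </Exec>
  </Actions>
</Task>
"""

# Constructed sample: an ordinary daily vendor updater, used as a negative control.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-07-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\\Program Files\\ExampleVendor\\updater.exe"</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>
"""


def parse_iso8601_duration(value: str) -> int:
    """Convert a Task Scheduler duration such as 'PT3M' or 'P1DT2H30M' to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value.strip())
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def inspect_task(xml_data) -> dict:
    """Return the indicators found in one task definition.

    Accepts a str, or the raw bytes of a file from System32\\Tasks (those are
    UTF-16 with a BOM, which the XML parser handles when given bytes)."""
    root = ET.fromstring(xml_data)
    findings = []

    # Shortest repetition interval across all triggers; the report says three minutes.
    intervals = [parse_iso8601_duration(el.text or "") for el in root.iter(f"{NS}Interval")]
    min_interval = min(intervals) if intervals else None
    if min_interval is not None and min_interval <= 300:
        findings.append(f"repeats every {min_interval}s")

    actions = []
    for exec_el in root.iter(f"{NS}Exec"):
        command = (exec_el.findtext(f"{NS}Command") or "").strip().strip('"')
        args = (exec_el.findtext(f"{NS}Arguments") or "").strip()
        actions.append((command, args))
        # ntpath, not os.path, so Windows paths split correctly on any host.
        if ntpath.basename(command).lower() != "rundll32.exe":
            continue
        # rundll32 syntax is "<dll>,<export>"; the report names DllRegisterServer.
        if re.search(r",\s*DllRegisterServer\b", args, re.I):
            findings.append("rundll32.exe invoking DllRegisterServer")
        if USER_WRITABLE.search(args):
            findings.append("DLL loaded from a user-writable directory")

    return {
        "min_interval_seconds": min_interval,
        "actions": actions,
        "findings": findings,
        # A single indicator is noisy on its own; the combination is the pattern.
        "suspicious": len(findings) >= 2,
    }


if __name__ == "__main__":
    for label, xml_text in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(label, inspect_task(xml_text))
```

On a live host, feed `inspect_task` the bytes of each file under C:\Windows\System32\Tasks (or the output of `schtasks /Query /XML /TN <task>`) rather than the embedded samples. A hit on rundll32.exe plus DllRegisterServer alone is not conclusive, since some legitimate installers register COM DLLs that way; the three-minute repetition and a DLL living outside Program Files or System32 are what turn it into something worth pulling the DLL for.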
These are some of the fake websites used in the attacks:
updaterputty[.]com
zephyrhype[.]com
putty[.]run
putty[.]bet, and
puttyy[.]org
While Arctic Wolf only mentioned PuTTY and WinSCP, the researchers stressed that other tools may have been abused in the same way. "While only Trojanized versions of PuTTY and WinSCP have been observed in this campaign, additional tools may also be involved," they said.
As a precaution, professionals are advised to download software only from trusted sources, to type the address themselves rather than searching on Google and clicking the top result, and, where the vendor publishes checksums or signatures, to verify the download against them before running it.
Via The Hacker News