- Arctic Wolf spotted SEO-optimized fake download pages
- The sites counterfeited PuTTY and WinSCP
- Experts warn teams to be careful when downloading software
Experts have revealed a malicious campaign that uses SEO-optimized fake landing pages to deliver a malware loader called Oyster.
Cybersecurity researchers at Arctic Wolf found that threat actors have created several landing pages that mimic PuTTY and WinSCP, two popular Windows tools used to connect securely to remote servers.
These pages are virtually identical to their legitimate counterparts, so when people search Google for these tools (mostly cybersecurity and web development professionals), they could be fooled into opening the wrong site. Since nothing on the sites would raise suspicion, they may download the tool, which would work as intended but would also deliver Oyster, a well-known malware loader that is also sometimes called Broomstick or CleanUpLoader.
Other software abused as well
“Upon execution, a backdoor known as Oyster/Broomstick is installed,” explained Arctic Wolf. “Persistence is established by creating a scheduled task that runs every three minutes, running a malicious DLL (twain_96.dll) via rundll32.exe using the DllRegisterServer export, indicating the use of DLL registration as part of the persistence mechanism.”
Oyster is a stealthy malware loader used to deliver additional malicious payloads on infected Windows systems, often as part of multi-stage attacks. It uses techniques such as process injection, string obfuscation, and command and control over HTTPS to avoid detection and maintain persistence.
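The persistence step quoted above (a scheduled task repeatedly launching rundll32.exe against a DLL's DllRegisterServer export) is something defenders can hunt for in process-creation telemetry. The following is an added detection example written for this article, not code from Arctic Wolf or the report; the log records are constructed, and the field names assume Sysmon Event ID 1 naming (Image, CommandLine, ParentImage, ParentCommandLine).

```python
import re

# Constructed Sysmon Event ID 1 (process creation) records for illustration; not real telemetry.
SAMPLE_EVENTS = [
    {  # resembles the persistence step in the report: task-spawned rundll32 + DllRegisterServer
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'rundll32.exe "C:\Users\alice\AppData\Roaming\twain_96.dll",DllRegisterServer',
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "ParentCommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule",
    },
    {  # benign: a Control Panel applet launched from Explorer
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\Explorer.EXE",
    },
    {  # unrelated process, must be ignored
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe C:\Users\alice\notes.txt",
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\Explorer.EXE",
    },
]

# Matches "rundll32[.exe] <dll path>,<export>", with or without quotes around the path.
RUNDLL32_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,\s*(\w+)', re.IGNORECASE)
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")


def rundll32_findings(event):
    """Return reasons this event looks like DLL-registration persistence, or [] if it does not."""
    if not event["Image"].lower().endswith("\\rundll32.exe"):
        return []
    m = RUNDLL32_RE.search(event["CommandLine"])
    if not m:
        return []
    dll_path, export = m.group(1), m.group(2)
    corroborating = []
    if not dll_path.lower().startswith(TRUSTED_DIRS):
        corroborating.append(f"DLL loaded from non-system path: {dll_path}")
    parent = event["ParentImage"].lower()
    if parent.endswith("\\svchost.exe") and "schedule" in event["ParentCommandLine"].lower():
        corroborating.append("spawned by the Task Scheduler service host")
    # Alert only when DllRegisterServer is invoked AND at least one corroborating signal is present,
    # so legitimate installers registering DLLs from Program Files stay quiet.
    if export.lower() == "dllregisterserver" and corroborating:
        return ["export DllRegisterServer invoked via rundll32"] + corroborating
    return []


def scan(events):
    """Map event index -> findings for every event that trips the rule."""
    return {i: f for i, e in enumerate(events) if (f := rundll32_findings(e))}
```

Pairing this with a check for scheduled tasks whose trigger interval is only a few minutes narrows the results further.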
These are some of the fake sites used in the attacks:
- Update[.]com
- Zephyrhype[.]com
- Kitt[.]run
- Kitt[.]bet
- Puttyy[.]org
While Arctic Wolf only mentioned PuTTY and WinSCP, it emphasized that other tools may have been abused in the same way. “Although only Trojanized versions of PuTTY and WinSCP have been observed in this campaign, it is possible that additional tools may also be involved,” they said.
Out of an abundance of caution, it is advised to only download software from trusted sources and to type addresses in directly instead of just googling them and clicking the top result.
Via The Hacker News