Beware BlackCat: Fake Ads in WinSCP Search Spread Malicious Code
Experts have discovered a new BlackCat malware campaign that uses fake advertisements shown in search results for WinSCP, a popular SSH and FTP file transfer client. Users who click on these ads are redirected to a site that offers a fake version of WinSCP for download, which contains Cobalt Strike malicious code.
Cobalt Strike is a penetration testing tool that attackers often use to open backdoors into networks and install additional malware. In this case, Cobalt Strike is used to download and run the BlackCat ransomware, which encrypts the victim’s files and demands a ransom of 0.75 Bitcoin (about $30,000).
This previously unknown ALPHV ransomware infection vector was discovered by analysts at Trend Micro, who found ad campaigns promoting fake pages on Google and Bing search pages. According to them, the attacks began at the end of June 2023 and are still ongoing. The attackers use different domains for their fake websites and advertisements, and change the names of their malicious files.
Users are advised to be careful when downloading programs from the Internet and check them for viruses before launching. It is also important to have backups of your data and not pay a ransom to attackers, as this does not guarantee file recovery.