My favourite SSH client is compromised…

…well not the actual one on my laptop. The SSH client I use is WinSCP and the actual version I use is the one available via PortableApps.com. It is not malware.

But the BlackCat ransomware group, also known as ALPHV, has spoofed the official WinSCP website and is distributing a malware-infected installer via that site. To entice people to this malicious site, it is linked from a malvertising campaign that is being run at the same time.

BlackCat ransomware pushes Cobalt Strike via WinSCP search ads (bleepingcomputer.com)

In search results using Bing and Google the malicious sites were returned before the legitimate WinSCP website.

Have a look at the article and see just how much the threat actor's website looks like the real thing!

The malware installed alongside WinSCP is Cobalt Strike, a Swiss Army knife of malware. Once installed on a victim's machine it is capable of running a series of attacks and compromises.

Malware in an SSH client

Why did they choose WinSCP? Do you use an SSH Client?

Why choose an SSH client? Because WinSCP is in widespread use with IT professionals, cyber security support staff, system admins and so on: all high-value targets for threat actors.

Your takeaway from this?

Let your IT staff, IT contractors, cyber security team etc. know about this attack – just in case they are unaware of it. Protect your own supply chain.

Emphasise to your team that software MUST ONLY BE downloaded if:

  • Pre-approved
  • From approved sources
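Those two rules can be turned into a mechanical check rather than left as a reminder. The script below is an added example written for this post, not something from the article or from the WinSCP project: it keeps an allowlist of approved download hosts (matched exactly, so a lookalike domain of the kind used in the spoofed-site campaign does not pass) and a registry of pre-approved installers keyed by the SHA-256 recorded when the package was vetted. The host list, file name and installer bytes are constructed placeholders for the demonstration.

```python
"""Approved-source and pre-approved-package check for a downloaded installer.

Added example, not part of the original post. Allowlists and sample bytes are
constructed placeholders, not real WinSCP release values.
"""
import hashlib
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Hosts the team is permitted to fetch installers from (constructed allowlist).
APPROVED_HOSTS = {"winscp.net", "portableapps.com"}

# Registry of pre-approved packages: file name -> SHA-256 recorded at approval
# time. Starts empty and is populated by approve_package().
APPROVED_SHA256: Dict[str, str] = {}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the installer bytes."""
    return hashlib.sha256(data).hexdigest()


def approve_package(name: str, vetted_bytes: bytes) -> str:
    """The 'pre-approved' step: record the hash of an installer that has been
    vetted (e.g. checked against the vendor's published checksum), so later
    downloads can be compared against it."""
    digest = sha256_hex(vetted_bytes)
    APPROVED_SHA256[name] = digest
    return digest


def source_is_approved(url: str) -> bool:
    """The 'approved sources' rule: https only, and the host must be exactly
    on the allowlist. Exact matching matters: 'winscp-net.example' or
    'winscp.net.example' contain the vendor name but must not pass, which is
    precisely the trick a spoofed download site relies on."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in APPROVED_HOSTS


def check_download(url: str, name: str, downloaded: bytes) -> Tuple[bool, str]:
    """Apply both rules from the post. Returns (allowed, reason)."""
    if not source_is_approved(url):
        return False, f"source not approved: {urlsplit(url).hostname}"
    expected = APPROVED_SHA256.get(name)
    if expected is None:
        return False, f"package not pre-approved: {name}"
    if sha256_hex(downloaded) != expected:
        return False, "hash mismatch: installer differs from the approved copy"
    return True, "ok"


if __name__ == "__main__":
    # Constructed stand-in for the vetted installer bytes.
    good = b"constructed stand-in for the vetted WinSCP installer bytes"
    approve_package("WinSCP-Setup.exe", good)
    print(check_download("https://winscp.net/download/WinSCP-Setup.exe", "WinSCP-Setup.exe", good))
    print(check_download("https://winscp-setup.example/WinSCP-Setup.exe", "WinSCP-Setup.exe", good))
    print(check_download("https://winscp.net/download/WinSCP-Setup.exe", "WinSCP-Setup.exe", good + b"x"))
```

The first call passes; the second is refused on the host check even though the URL "looks like" WinSCP; the third is refused because the bytes differ from the vetted copy, which is the case a trojanised installer on a spoofed site produces.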

Clive Catton MSc (Cyber Security) – by-line and other articles