Hackers Create Fake Websites for Network Tools, Distribute Ransomware

TapTechNews, May 22: Security company Rapid7 recently released a report finding that a group of hackers has created counterfeit versions of the official websites of well-known network tools such as WinSCP and PuTTY, and placed advertisements in search engines to divert traffic to them. Unsuspecting victims who click an ad are directed to the hackers' counterfeit websites, where they download software that carries ransomware.


TapTechNews learned that researchers began observing the attacks at the beginning of March this year. The hackers first created a batch of counterfeit official websites, then purchased advertisements in search engines such as Bing and Google to raise the search ranking of those counterfeit sites. Victims who enter "download winscp" or "download putty" in the search engine may end up on a counterfeit official website.

It is reported that the malicious files provided by these counterfeit websites usually come as ZIP archives. If the victim unzips the archive and runs the Setup.exe inside it, the computer installs the python311.dll provided by the hackers, then runs an encrypted Python script and implants the penetration testing tool Sliver on the victim's computer, which is used to deploy further malicious Trojans and ransomware.
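The archive layout described above can be checked before anything is unpacked or run. The following is an added example, not code from Rapid7 or from the article: it flags any directory inside a downloaded ZIP where Setup.exe sits beside python311.dll, the two file names the article gives. The function names and the sample archives are constructed for illustration.

```python
import io
import zipfile
from collections import defaultdict
from pathlib import PurePosixPath

# File names taken from the article's description of the malicious archive.
LAUNCHER = "setup.exe"
SIDE_DLL = "python311.dll"

def triage_zip(data: bytes) -> list[str]:
    """Return the directories inside the ZIP where Setup.exe sits beside python311.dll."""
    by_dir = defaultdict(set)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Entries written on Windows may use backslashes; normalise them.
            path = PurePosixPath(info.filename.replace("\\", "/"))
            # Windows file names are case-insensitive, so compare in lower case.
            by_dir[str(path.parent)].add(path.name.lower())
    return sorted(d for d, names in by_dir.items()
                  if LAUNCHER in names and SIDE_DLL in names)

def _make_zip(names):
    """Build a constructed in-memory ZIP with placeholder file contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()

# Constructed samples: one matching the article's layout, one that does not
# (the DLL is present but in a different directory from any Setup.exe).
SUSPICIOUS = _make_zip(["WinSCP/Setup.exe", "WinSCP/python311.dll", "WinSCP/readme.txt"])
BENIGN = _make_zip(["tool/tool.exe", "tool/readme.txt", "python/python311.dll"])

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, "->", triage_zip(blob) or "no match")
```

A match is only a reason to quarantine the archive and look closer; the file names alone do not prove the contents are malicious, and renamed files would not match.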

Researchers pointed out that this wave of attacks is likely aimed at IT system administrators/router enthusiasts, because these users often use the two programs named above. Since such administrator accounts have relatively high privileges, once the hackers succeed they have the opportunity to quickly penetrate the enterprise's internal network and then steal various confidential data.
