A recent cybersecurity investigation has uncovered a sophisticated malvertising campaign that leverages Microsoft’s Bing search platform to distribute a weaponized version of PuTTY, a widely used SSH and telnet client. This malicious operation aims to establish persistence on targeted systems, grant attackers hands-on keyboard control, and execute Kerberoasting attacks to compromise Active Directory service accounts.
Discovery and Initial Indicators
The campaign came to light when LevelBlue’s Managed Detection and Response (MDR) Security Operations Center (SOC) received a high-risk alert from SentinelOne within the USM Anywhere platform. The alert flagged a suspicious download of PuTTY.exe, which was signed by NEW VISION MARKETING LLC—an unexpected signer for legitimate PuTTY software. This anomaly served as the first red flag indicating potential malicious activity on the endpoint.
Malvertising Tactics and Delivery Mechanism
Attackers employed malvertising techniques by placing sponsored search results on Bing that mimicked legitimate PuTTY download links. Unsuspecting users searching for PuTTY were redirected to typosquatted domains such as puttyy[.]org and puttysystems[.]com, which hosted the trojanized installers. Further analysis revealed that the payloads were hosted on domains like heartlandenergy[.]ai, with loader scripts pulling from compromised WordPress sites.
Technical Analysis of the Attack Chain
Upon execution, the malicious PuTTY installer initiated a series of actions to establish persistence and facilitate remote access:
1. Scheduled Task Creation: The installer created a scheduled task named Security Updater, set to run every three minutes. This task invoked the Windows utility rundll32.exe to execute a malicious DLL (twain_96.dll) through its DllRegisterServer export function.
2. DLL Execution and Payload Deployment: The first-stage DLL (twain_96.dll) dropped a second-stage payload (green.dll), which established a single outbound connection over port 443. This connection allowed the attacker to execute discovery commands consistent with ransomware operator tactics, such as nltest and net group domain admins.
3. Kerberoasting Attack: The attackers executed an inline PowerShell script designed to perform Kerberoasting. This technique involves requesting Ticket Granting Service (TGS) tickets for accounts with Service Principal Names (SPNs) and extracting the ticket bytes in memory. The extracted data was formatted for offline password cracking using tools like Hashcat, enabling the attackers to obtain service account credentials for privilege escalation and lateral movement within the Active Directory environment.
Indicators of Compromise (IoCs)
The investigation identified several IoCs associated with this campaign:
– Malicious Domains: puttyy[.]org, puttysystems[.]com, heartlandenergy[.]ai, putty[.]network
– Code-Signing Certificates: NEW VISION MARKETING LLC
– Malicious DLLs: twain_96.dll, green.dll
– Scheduled Task Names: Security Updater, FireFox Agent INC
Recommendations for Mitigation
To defend against such sophisticated attacks, organizations should implement the following measures:
1. Download Software from Official Sources: Always obtain software from official vendor websites to reduce the risk of downloading trojanized installers.
2. Verify Digital Signatures: Before executing downloaded software, verify its digital signature to ensure its authenticity.
3. Implement Ad Blockers: Use ad blockers to prevent exposure to malicious advertisements that may lead to compromised downloads.
4. Monitor for Suspicious Activity: Regularly monitor systems for unusual scheduled tasks, unexpected outbound connections, and the presence of unauthorized DLLs in directories like %appdata% and %temp%.
5. Enhance Detection Capabilities: Deploy advanced endpoint detection and response (EDR) solutions to identify and mitigate malicious activities promptly.
6. Educate Users: Train employees, especially system administrators, on the risks associated with downloading software from unverified sources and the importance of cybersecurity best practices.
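The persistence mechanism described in the attack chain (a task repeating every three minutes that runs rundll32.exe against a DLL's DllRegisterServer export) and the monitoring recommendation above can be turned into a concrete triage check over exported Task Scheduler XML, the format produced by schtasks /query /xml and carried in the TaskContent field of Security event 4698. The following is an added example, not code from the original report or from LevelBlue; the two task definitions are constructed samples, and the user name, DLL path and 300-second threshold are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML (schtasks /query /xml, event 4698 TaskContent).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

def interval_seconds(iso: str) -> int:
    """Convert an ISO 8601 duration such as PT3M or P1DT2H to seconds (0 if unparsable)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", iso.strip())
    if not m:
        return 0
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def triage_task(task_xml: str, max_interval: int = 300) -> list[str]:
    """Return the traits matching the campaign's persistence; an empty list means nothing flagged."""
    root = ET.fromstring(task_xml)
    findings = []
    for exe in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (exe.findtext("t:Command", "", NS) or "").lower()
        args = (exe.findtext("t:Arguments", "", NS) or "").lower()
        if "rundll32" in cmd:
            findings.append("rundll32 used as task action")
        if "dllregisterserver" in args:
            findings.append("DLL invoked through its DllRegisterServer export")
        if re.search(r"[\\%](appdata|temp)[\\%]", cmd + " " + args):
            findings.append("payload under %appdata% or %temp%")
    for iv in root.findall(".//t:Triggers//t:Repetition/t:Interval", NS):
        secs = interval_seconds(iv.text or "")
        if 0 < secs <= max_interval:  # short repetition interval, as in the campaign's task
            findings.append(f"repeats every {secs}s")
    return findings

# Constructed sample mirroring the campaign: every three minutes, rundll32 loads a DLL from %appdata%.
SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT3M</Interval></Repetition>
    <StartBoundary>2024-01-01T00:00:00</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>rundll32.exe</Command>
    <Arguments>C:\\Users\\alice\\AppData\\Roaming\\twain_96.dll,DllRegisterServer</Arguments></Exec></Actions>
</Task>"""

# Constructed benign task for contrast: a daily vendor updater installed under Program Files.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\\Program Files\\Vendor\\updater.exe</Command>
    <Arguments>/quiet</Arguments></Exec></Actions>
</Task>"""
```

Run triage_task over every exported task definition on a host; a task that collects all four findings matches the Security Updater persistence pattern, while a single finding (rundll32 alone is common in legitimate tasks) only warrants a closer look.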
Conclusion
This malvertising campaign underscores the evolving tactics of cybercriminals who exploit trusted platforms like Bing to distribute malware. By leveraging weaponized versions of legitimate tools such as PuTTY, attackers can gain unauthorized access to systems, perform reconnaissance, and escalate privileges within an organization’s network. Implementing robust cybersecurity measures and maintaining vigilance are crucial in mitigating the risks posed by such sophisticated attacks.