WinSCP SEO Poisoning Campaign: Hackers Exploit Popular Software for Malware Attacks

Cybercriminals are manipulating Google search results and embedding fraudulent advertisements to deceive users attempting to install the legitimate software WinSCP.

Securonix is tracking this hacking activity under the name “SEO#LURKER.” Researchers state that the malicious ads redirect users to a compromised WordPress website “gameeweb[.]com,” which then leads them to a phishing site controlled by the perpetrators.

SEO#LURKER attack chain example | Image: Securonix

To create these misleading redirect ads, malefactors utilize Google’s dynamic search ads. The primary goal of this multi-tiered attack is to lure users to a bogus WinSCP site with the domain “winccp[.]net” and coax them into downloading malware.

Interestingly, the success of the redirect relies heavily on the accuracy of the link’s title. If the link is incorrectly titled, the hackers resort to “rickrolling” the unsuspecting user.

Regarding the scenario of a successful redirect, it is noteworthy that the malware is delivered as a ZIP archive containing an executable file. Upon its execution, DLL Sideloading is used to run a malicious DLL library, while the genuine WinSCP installer serves as a smokescreen for the deceit.

Subsequent malicious actions are facilitated by Python scripts, which unpack and activate in the background. These scripts are designed to connect to the attacker’s remote server and receive further instructions for executing commands on the infected device.

Given the use of Google Ads to spread malware, it is presumed that the campaign targets users specifically searching for WinSCP software, but there’s no certainty that hackers won’t apply a similar strategy to any other popular software.

For instance, last month, we reported on a malvertising campaign uncovered by Malwarebytes researchers, targeting developers searching for PyCharm on Google. Instead of the desired software, naive victims ended up downloading malware onto their computers.

Lately, malvertising is becoming increasingly popular among cybercriminals, with a plethora of similar malicious campaigns.