Cybersecurity incidents increasingly exploit human vulnerabilities, including those of privileged users, as demonstrated in recent compromises involving trojanized versions of the PuTTY SSH client distributed through malvertising on Microsoft’s Bing search engine.
LevelBlue’s Managed Detection and Response (MDR) Security Operations Center (SOC) recently investigated multiple cases where attackers masqueraded malicious PuTTY executables as legitimate downloads, leading to initial access, persistence, and advanced attacks on Active Directory environments.
The campaign, active since at least May 2024, leverages sponsored ads mimicking official PuTTY sources to deliver payloads signed with fraudulent certificates, such as those from “NEW VISION MARKETING LLC,” bypassing initial trust checks.
SentinelOne endpoints detected high-risk indicators, including suspicious downloads of “PuTTY.exe,” anomalous network traffic to malicious IPs confirmed via VirusTotal, and behavioral anomalies like Kerberoasting attempts and persistence via scheduled tasks.
The malware, identified as variants of Broomstick/Oyster, drops DLLs like “twain_96.dll” and “green.dll” into user directories such as %appdata% and %temp%, establishing remote command execution through rundll32.exe and enabling hands-on-keyboard (HOK) activity for reconnaissance and privilege escalation.
Kerberoasting Exploitation
Upon execution, the weaponized PuTTY creates scheduled tasks, such as “Security Updater” or “FireFox Agent INC,” configured to run at short intervals and invoke malicious DLLs for persistence.

These DLLs facilitate outbound connections to command-and-control (C2) servers over port 443, allowing threat actors to perform discovery commands via cmd.exe, including “nltest /trusted_domains,” “net group ‘domain admins’ /domain,” and “nltest /dclist:,” which are typical tactics, techniques, and procedures (TTPs) associated with ransomware operators scouting for high-value targets.
A key phase involved an in-memory PowerShell script for Kerberoasting, exploiting Kerberos authentication weaknesses in Active Directory.
This script loads the System.IdentityModel assembly, queries LDAP for user objects with Service Principal Names (SPNs), requests RC4-HMAC encrypted tickets using KerberosRequestorSecurityToken, and extracts them into Hashcat-compatible $krb5tgs$ hashes for offline cracking.
Environments that still permit RC4-HMAC service tickets rather than enforcing AES are particularly at risk, since a cracked service account password often yields privileged access for lateral movement.
LevelBlue’s USM Anywhere platform captured related Event ID 4769 logs, enabling rapid identification of affected SPNs and credential reset recommendations.
The script’s design, drawing from PowerSploit’s Invoke-Kerberoast but optimized for memory-only operation, exemplifies attackers’ adaptation of living-off-the-land binaries (LOLBINs) to evade detection.
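The Event ID 4769 telemetry mentioned above is where this activity surfaces for defenders. The following is an added example, not part of the LevelBlue report, showing detection logic run over constructed 4769 records: it flags an account that obtains RC4-HMAC (type 0x17) service tickets for several distinct SPNs in a short window, and lists which services still issue RC4 tickets and so should be moved to AES-only. Field names, thresholds and sample values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ticket encryption types as logged in the 4769 TicketEncryptionType field:
# 0x17 is RC4-HMAC (crackable offline); 0x11/0x12 are AES128/AES256.
RC4_HMAC = 0x17

# Constructed sample 4769 records (not real telemetry), already parsed into dicts.
# Keys stand in for TargetUserName, ServiceName, TicketEncryptionType and Status.
SAMPLE_4769 = [
    {"time": "2024-05-10T09:00:01", "user": "jdoe@CORP.LOCAL", "svc": "svc_sql", "etype": 0x17, "status": "0x0"},
    {"time": "2024-05-10T09:00:02", "user": "jdoe@CORP.LOCAL", "svc": "svc_http", "etype": 0x17, "status": "0x0"},
    {"time": "2024-05-10T09:00:03", "user": "jdoe@CORP.LOCAL", "svc": "svc_backup", "etype": 0x17, "status": "0x0"},
    {"time": "2024-05-10T09:00:04", "user": "jdoe@CORP.LOCAL", "svc": "WS01$", "etype": 0x17, "status": "0x0"},
    {"time": "2024-05-10T09:05:00", "user": "asmith@CORP.LOCAL", "svc": "svc_sql", "etype": 0x12, "status": "0x0"},
    {"time": "2024-05-10T09:06:00", "user": "asmith@CORP.LOCAL", "svc": "svc_http", "etype": 0x12, "status": "0x0"},
    {"time": "2024-05-10T09:07:00", "user": "asmith@CORP.LOCAL", "svc": "svc_backup", "etype": 0x12, "status": "0x0"},
    {"time": "2024-05-10T10:00:00", "user": "bjones@CORP.LOCAL", "svc": "svc_sql", "etype": 0x17, "status": "0x0"},
    {"time": "2024-05-10T10:30:00", "user": "bjones@CORP.LOCAL", "svc": "svc_http", "etype": 0x17, "status": "0x0"},
]

def _is_noise(svc):
    # Computer accounts (trailing '$') and krbtgt appear constantly in 4769 and are
    # not Kerberoast targets, so drop them before counting.
    return svc.endswith("$") or svc.lower() == "krbtgt"

def kerberoast_candidates(events, min_spns=3, window=timedelta(minutes=5)):
    """Map requesting account -> sorted service names for accounts that obtained
    successful RC4-HMAC tickets for >= min_spns distinct services within window."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["status"] != "0x0" or ev["etype"] != RC4_HMAC or _is_noise(ev["svc"]):
            continue
        by_user[ev["user"]].append((datetime.fromisoformat(ev["time"]), ev["svc"]))
    hits = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            spns = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(spns) >= min_spns:
                hits[user] = sorted(spns)
                break
    return hits

def rc4_exposed_services(events):
    """Services that issued any RC4-HMAC ticket: they still accept RC4 and are the
    accounts to move to AES-only (and to reset if they appear in a hit above)."""
    return sorted({ev["svc"] for ev in events
                   if ev["etype"] == RC4_HMAC and not _is_noise(ev["svc"])})
```

In a real deployment the records would come from the Security log or a SIEM, and a hit should trigger a password reset for the listed SPN accounts as the report recommends.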
Campaign Insights
In response, LevelBlue MDR isolated affected assets via SentinelOne, disabled compromised accounts, and conducted fleet-wide threat hunts using observed IOCs, preempting executions in other environments.
Custom detection rules were deployed to enhance SentinelOne’s capabilities against these TTPs.
Further analysis revealed the malvertising infrastructure, including typosquatted domains like puttyy[.]org and puttysystems[.]com, which redirected to compromised WordPress sites hosting payloads.
Attackers varied file hashes, code-signing certificates (e.g., from “THE COMB REIVERS LIMITED” or “LLC Fortuna”), and task names to evade hash-based defenses. Despite reporting to Microsoft Advertising, new variants emerged, highlighting deficiencies in ad verification.
Organizations should provide user training, maintain vetted internal tool repositories, and block the listed domains to mitigate such threats; the cases underscore that no role, including privileged administrators, is immune to social engineering.
Indicators of Compromise (IOCs)
| Category | Indicators |
|---|---|
| Domains | puttyy[.]org, puttysystems[.]com, updaterputty[.]com, putty[.]bet, puttyy[.]com, putty[.]run, putty[.]lat, putty[.]us[.]com, heartlandenergy[.]ai, putty[.]network, ruben.findinit[.]com, ekeitoro.siteinwp[.]com, danielaurel[.]tv |
| File Signers | THE COMB REIVERS LIMITED, NEW VISION MARKETING LLC, PROFTORG LLC, LLC Fortuna, LLC BRAVERY, LLC Infomed22 |
| IPs | 45.86.230[.]77, 185.208.159[.]119, 144.217.207[.]26, 85.239.52[.]99, 194.213.18[.]89 |
| URLs | hxxp[:]//185.208.158[.]119/api/jgfnsfnuefcnegfnehjbfncejfh, hxxp[:]//185.208.158[.]119/api/kcehc, hxxp[:]//45.86.230[.]77:443/reg, hxxp[:]//45.86.230[.]77:443/login, hxxp[:]//85.239.52[.]99/api/jgfnsfnuefcnegfnehjbfncejfh, hxxp[:]//85.239.52[.]99/api/kcehc, hxxp[:]//194.213.18[.]89:443/reg, hxxp[:]//194.213.18[.]89:443/login |
| Scheduled Tasks | Security Updater, FireFox Agent INC |