Fake FileZilla & PuTTY Ads? Malware Alert for System Admins

Researchers at Malwarebytes have observed an ongoing malvertising campaign aimed at system administrators through fraudulent advertisements for the PuTTY and FileZilla utilities. The ads appear as sponsored results in Google search, target users in North America, and lead to a trojanized download that installs the Nitrogen malware.

Nitrogen is used by attackers to gain initial access to corporate networks, followed by data theft and the deployment of ransomware, including the ALPHV/BlackCat encryptor.

At the time of the report, and despite repeated notifications from researchers, Google had not yet taken action to block the malicious ads.

The attack unfolds in several stages, each detailed below.

The first stage lures victims through fraudulent advertising in Google search results that leads to counterfeit download sites.

Interestingly, the attackers configured a redirect to the Rick Roll, Rick Astley's "Never Gonna Give You Up" video, for visitors whose traffic they classify as invalid, such as security researchers or automated scanners. This kind of traffic filtering (cloaking) keeps the malicious site out of sight of investigators, and the choice of destination suggests the operators intended to mock the researchers looking into the campaign.

The second stage redirects visitors who pass the filter to clone sites that closely replicate the legitimate PuTTY and FileZilla download pages, convincingly enough to deceive even experienced system administrators.

The third stage downloads and runs the malware through a fake installer. The technique, known as DLL side-loading, abuses the Windows DLL search order: a legitimate, signed executable is placed next to a malicious DLL that carries the name of a library the executable expects to load, so the executable runs the attacker's code while still looking trustworthy to the user and to signature-based controls. In the case examined by the researchers, launching the legitimate setup.exe (signed by the Python Software Foundation) side-loads a malicious python311.dll, which is the Nitrogen payload.

Malwarebytes experts recommend the following protective measures to avoid falling victim to this campaign:

– Conduct user training to increase awareness of threats distributed through malicious advertising;
– Implement group policies to limit traffic from advertising networks;
– Configure EDR and MDR solutions to quickly alert the security team of a potential attack.

This campaign shows that even experienced system administrators can fall victim to a well-executed malvertising attack, and that threat actors keep refining their lures to deceive well-prepared professionals.