![\"\"](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/03\/image_8d1f4a.png\")
<\/figure>\nIn this example, the ad looks suspicious simply because ad snippet shows a domain name (arnaudpairoto[.]com<\/em>) that is completely unrelated. This is not always the case, and we continue to see many malicious ads that exactly match the impersonated brand.<\/p>\n The ad URL points to the attacker controlled domain where they can easily defeat security checks by showing a “legitimate” page to visitors that are not real victims. For example, a crawler, sandbox or scanner, will see this half finished blog:<\/p>\n Real victims coming from the US will be redirected to a fake site instead that looks and feels exactly like putty.org. One of the big differences though is the download link.<\/p>\n The malicious payload is downloaded via a 2 step redirection chain which is something we don’t always see.<\/p>\n We believe the astrosphere[.]world server is performing some checks for proxies while also logging the victim’s IP address. This IP address will later be checked before downloading the secondary payload.<\/p>\n That PuTTy.exe is malware, a dropper written in the Go language (version 1.21.0).<\/p>\n Its author may have given it the name “Dropper 1.3<\/em>“:<\/p>\n Upon executing the dropper, there is an IP check for the victim’s public IP address. This is likely done to only continue with users that have gone through the malicious ad and downloaded the malware from the fake site.<\/p>\n If a match is found, the dropper proceeds to retrieve a follow-up payload from another server (192.121.16[.]228:22) as seen in the image below:<\/p>\n To get this data, we see it uses the SSHv2<\/a> (Secure Shell 2.0) protocol implemented via OpenSSH on a Ubuntu server. We can only think of using this protocol to make the malware download more covert.<\/p>\n That payload is Rhadamanthys which is executed by the parent process PuTTy.exe:<\/p>\n We have seen different types of loaders via malvertising campaigns, including FakeBat which we profiled<\/a> recently. Given how closely the loader is tied to the malvertising infrastructure it is quite likely that the same threat actor is controlling both. The service they offer to other criminals is one of malware delivery where they take care of the entire deployment process, from ad to loader to final payload.<\/p>\n We reported this campaign to Google. Malwarebytes and ThreatDown<\/a> users are protected as we detect the fake PuTTY installer as Trojan.Script.GO<\/em>.<\/p>\nFake PuTTY site<\/h2>\n
![\"\"](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/03\/image_70b0ee.png?w=1024\")
<\/figure>\n![\"\"](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/03\/image_bb66c1.png\")
<\/figure>\nputtyconnect[.]info\/1.php
HTTP\/1.1 302 Found
Location: astrosphere[.]world\/onserver3.php<\/pre>\nastrosphere[.]world\/onserver3.php
HTTP\/1.1 200 OK
Server: nginx\/1.24.0
Content-Type: application\/octet-stream
Content-Length: 13198274
Connection: keep-alive
Content-Description: File Transfer
Content-Disposition: attachment; filename=\"PuTTy.exe\"<\/pre>\n![\"\"](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/03\/image_dbe86e.png\")
<\/figure>\n![\"\"](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/03\/image_79e970.png\")
<\/figure>\nFollow-up payload<\/h2>\n
zodiacrealm[.]info\/api.php?action=check_ip&ip=[IP Address]<\/pre>\n
![\"\"](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/03\/image_316552.png\")
<\/figure>\n![\"\"](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/03\/image_89d965.png\")
<\/figure>\n![\"\"](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/03\/image_28eb17.png\")
<\/figure>\nMalvertising \/ loader combo<\/h2>\n
![\"\"](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/03\/image_b6122c.png\")
<\/figure>\n