Ongoing Malvertising Campaign leads to Ransomware | Rapid7 Blog

Last updated at Thu, 16 May 2024 17:38:34 GMT

Executive Summary

Rapid7 has observed an ongoing campaign to distribute trojanized installers for WinSCP and PuTTY via malicious ads on commonly used search engines, where clicking on the ad leads to typo squatted domains. In at least one observed case, the infection has led to the attempted deployment of ransomware. The analysis conducted by Rapid7 features updates to past research, including a variety of new indicators of compromise, a YARA rule to help identify malicious DLLs, and some observed changes to the malware’s functionality.  Rapid7 has observed the campaign disproportionately affects members of IT teams, who are most likely to download the trojanized files while looking for legitimate versions. Successful execution of the malware then provides the threat actor with an elevated foothold and impedes analysis by blurring the intentions of subsequent administrative actions.

Figure 1. Simplified overview of the attack flow.

Overview

Beginning in early March 2024, Rapid7 observed the distribution of trojanized installers for the open source utilities WinSCP and PuTTy. WinSCP is a file transfer client, PuTTY a secure shell (SSH) client. The infection chain typically begins after a user searches for a phrase such as download winscp or download putty, on a search engine like Microsoft’s Bing. The search results include an ad for the software the user clicks on, which ultimately redirects them to either a clone of the legitimate website, in the case of WinSCP, or a simple download page in the case of PuTTY. In both cases, a link to download a zip archive containing the trojan from a secondary domain was embedded on the web page.

Figure 2. Appearance of the cloned WinSCP website.

The infection begins after the user has downloaded and extracted the contents of the zip archive and executed setup.exe, which is a renamed copy of pythonw.exe, the legitimate Python hidden console window executable.

Figure 3. Files contained within an archive targeting WinSCP.

Upon execution, setup.exe loads the malicious DLL python311.dll. As seen in Figure 2, the copy of the legitimate python311 DLL which setup.exe is intended to load has actually been renamed to python311x.dll. This technique is known as DLL side-loading, where a malicious DLL can be loaded into a legitimate, signed, executable by mimicking partial functionality and the name of the original library. The process of side-loading the DLL is also facilitated by hijacking the DLL search order, where attempts are made to load DLLs contained within the same directory first, before checking other directories on the system where a legitimate copy might be present. Rapid7 has also observed the Python 3.11 library being targeted in prior malware campaigns, such as the novel IDAT loader, discovered by Rapid7 during August of 2023.

The primary payload contained within python311.dll is a compressed archive encrypted and included within the DLL’s resource section. During execution, this archive is unpacked to execute two child processes.

Figure 4. The process tree spawned by the malware.

First, the malware executes the unpacked copy of the legitimate WinSCP installer, seen in Figure 3 as WinSCP-6.1.1-Setup.exe. Then, the malicious Python script systemd.py is executed via pythonw.exe after being unpacked into the staging directory %LOCALAPPDATA%Oracle along with numerous Python dependencies. Following the successful execution of both processes, setup.exe then terminates.

The script systemd.py, executed via pythonw.exe, decrypts and executes a second Python script then performs decryption and reflective DLL injection of a Sliver beacon. Reflective DLL injection is the process of loading a library into a process directly from memory instead of from disk. In several cases, Rapid7 observed the threat actor take quick action upon successful contact with the Sliver beacon, downloading additional payloads, including Cobalt Strike beacons. The access is then used to establish persistence via scheduled tasks and newly created services after pivoting via SMB. In a recent incident, Rapid7 observed the threat actor attempt to exfiltrate data using the backup utility Restic, and then deploy ransomware, an attempt which was ultimately blocked during execution.

The related techniques, tactics, and procedures (TTP) observed by Rapid7 are reminiscent of past BlackCat/ALPHV campaigns as reported by Trend Micro last year. This campaign, referred to as Nitrogen by Malwarebytes, and eSentire, has previously been reported to use similar methods.

Technical Analysis

To take a more in depth look at the malware delivery and functionality, we analyzed a malware sample recently observed being delivered to users looking for a PuTTY installer.

Initial Access

The source of the infection was a malicious ad served to the user after their search for download putty. When the user clicked on the ad, which are typically pushed to the top of the search results for visibility, they were redirected to a typo-squatted domain at the URL hxxps://puttty[.]org/osn.php. The landing page includes a download button for PuTTY, as well as two legitimate links to download a Bitvise SSH server/client. However, when the download link is clicked by the user it calls the embedded function loadlink(), which redirects the user to hxxps://puttty[.]org/dwnl.php, which then finally redirects the user to the most recent host of the malicious zip archive to serve the download. At the time of writing, puttty[.]org and the relevant URLs were still active, serving the zip archive putty-0.80-installer.zip from the likely compromised WordPress domain areauni[.]com.

Figure 5. Landing page for the malicious ad.

Rapid7 observed the base domain, puttty[.]org was also serving a cloned version of a PuTTY help article available at BlueHost, where the download link provided is actually for the official distributor of the software. This relatively benign page is most likely conditionally served as a way to reduce suspicion as noted by Malwarebytes.

In comparison, the typo-squatted WinSCP domains conditionally redirected visits to Rick Astley’s Never Gonna Give You Up. Classic.

Execution

Upon extracting the zip archive putty-0.80-installer.zip, the user is once again presented with setup.exe, a renamed copy of pythonw.exe, to entice the user to initiate the infection by launching the executable.

Figure 7. The extracted contents of putty-0.80-installer.zip.

Once executed, setup.exe will side-load the malicious DLL python311.dll. The DLL python311.dll then loads a renamed copy of the legitimate DLL, python3.dll, from the same directory after dynamically resolving the necessary functions from kernel32.dll by string match. Future requests for exported functions made by setup.exe can then be forwarded to python3.dll by python311.dll. This technique is commonly used when side-loading malware, so legitimate requests are proxied, which avoids unexpected behavior and improves stability of the payload delivery.

Figure 8. Dynamic resolution of GetProcAddress.

Following the successful sideloading procedure, the malware then performs pre-unpacking setup by dynamically resolving additional functions from ntdll.dll. The malware still uses functionality similar to the publicly available AntiHook and KrakenMask libraries to facilitate setup and execution, as previously noted by eSentire, which provides additional evasion capabilities. AntiHook contains functionality to enumerate the loaded modules of a process, searching each one for hooks, and remaps a clean, unhooked version of the module’s text section, if hooks are found. KrakenMask contains functionality to spoof the return address of function calls, to evade stack traces, and functionality to encrypt the processes virtual memory at rest to evade memory scanners.

Figure 9. ASM stub containing the return address spoofing logic, as seen in KrakenMask.
Figure 10. Snippet of the function that performs byte comparisons to check for hooks, as seen in AntiHook.

The library ntdll.dll contains functions which make up the Windows Native API (NTAPI), which is generally the closest a process executed in user mode can get to utilizing functionality from the operating system’s kernel. By resolving NTAPI functions for use, malware can bypass detection applied to more commonly used user mode functions (WINAPI) and access lower level functionality that is otherwise unavailable. Several of the NTAPI function pointers resolved by the malware can be used for evasion techniques such as Event Tracing for Windows (ETW) tampering and bypass of the Anti-Malware Scan Interface (AMSI) as has been observed in prior Nitrogen campaign samples. Some of the functions are dynamically resolved from ntdll.dll are found using concatenation of stack strings to form the full name of the target API just before resolution is attempted, likely to help evade detection.

Resolved ntdll.dll functions
EtwEventWrite
EtwEventWriteFull
EtwNotificationRegister
EtwEventRegister

Table 1. Functions the malware dynamically resolves from ntdll.dll.

Other observed function strings
WldpQueryDynamicCodeTrust (wldp.dll)
AmsiScanBuffer (amsi.dll)

Table 2. Other evasion related WINAPI function strings observed in the malware

With setup complete, an encrypted resource stored within the resource section of python311.dll is retrieved using common resource WINAPI calls, including FindResourceA, LoadResource, SizeOfResource, and FreeResource.

Figure 11. The encrypted resource is loaded into memory and decrypted using AES-256.

The resource is then decrypted in memory using an AES-256 hex key and initialization vector (IV) that are stored in the data section in plain text. The resulting file is a zip archive which contains three compressed files, including a legitimate MSI installation package for PuTTY and another compressed archive named installer_data.zip.

Figure 12. Decrypted and decompressed contents of the resource.

To execute the PuTTY installer, the malware first creates a copy of the MSI file in the hard-coded directory C:UsersPublicDownloads via a call to fopen and then decompresses and writes the retrieved MSI package content with multiple successive calls to fwrite and other CRT library file io functions, followed by fclose. The full output path is assembled by concatenating the target directory with the desired file name, which is retrieved from original_installer.txt. The contents of original_installer.txt are identical to the name of the MSI package observed in the resource, for this sample: putty-64bit-0.78-installer.msi.

Figure 13. The malware creates the PuTTY MSI package within the public downloads directory.

The MSI package is then executed by a call to CreateProcessW with the command line msiexec.exe ALLUSERS=1 /i C:UsersPublicDownloadsputty-64bit-0.78-installer.msi. So, before the execution of the next malware payload the user is provided with the software they were originally looking for. This functionality is commonly seen with trojans to avoid suspicion by the end user, as the user only sees the legitimate installation window pop up after initial execution. However, the version numbers between the executed MSI package, putty-64bit-0.78-installer.msi, and the initially downloaded zip archive, putty-64bit-0.80-installer.zip, don’t match — a potential indicator.

Figure 14. The user only sees the installation window after executing setup.exe.

The same procedure is then repeated to copy the decompressed contents of the folder Oracle contained within the zip archive installer_data.zip to the staging directory created at %LOCALAPPDATA%Oracle. After the unpacking process is complete, another call by the malware to CreateProcessW executes the next payload with the command line %LOCALAPPDATA%Oraclepythonw.exe %LOCALAPPDATA%Oraclesystemd.py. With its purpose completed, the loader then clears memory and passes back control to setup.exe, which promptly terminates, leaving the pythonw.exe process running in the background.

Figure 15. Core functionality of systemd.py.

The Python script systemd.py contains multiple junk classes, which in turn contain numerous junk function definitions to pad out the core script. Ultimately, the script decrypts the file %LOCALAPPDATA%Oracledata.aes, which is a Sliver beacon DLL (original name: BALANCED_NAPKIN.dll), performs local injection of the Sliver DLL, and then calls the export StartW. The contents of main and other included functionality within the script appears to have been mostly copied from the publicly available Github repo for PythonMemoryModule.

Figure 16. Strings within the DLL: The beacon was clearly generated by the Sliver framework.

Rapid7 has replicated the unpacking process of the beacon DLL in a python extraction script that is now publicly available along with a yara rule to detect the malicious DLL.

Mitigations

Rapid7 recommends verifying the download source of freely available software. Check that the hash of the downloaded file(s) match those provided by the official distributor and that they contain a valid and relevant signature. The DLLs that are side-loaded by malware are often unsigned, and are often present in the same location as the legitimately signed and renamed original, to which requests are forwarded. Bookmark the official distribution domains for the download of future updates.

DNS requests for permutations of known domains can also be proactively blocked or the requests can be redirected to a DNS sinkhole. For example, by using the publicly available tool DNSTwist we can identify several additional suspicious domains that match the observed ASNs and country codes observed for many of the C2 IPv4 addresses observed to be contacted by the malware as well as known malware hosts/facilitators.

Domain IPv4 ASN
wnscp[.]net 91.92.253[.]80 AS394711:LIMENET
puttyy[.]org 82.221.136[.]24 AS50613:Advania Island ehf
puutty[.]org 82.221.129[.]39 AS50613:Advania Island ehf
putyy[.]org 82.221.136[.]1 AS50613:Advania Island ehf

Table 3. More suspicious domains found via DNSTwist.

Rapid7 observed impacted users are disproportionately members of information technology (IT) teams who are more likely to download installers for utilities like PuTTY and WinSCP for updates or setup. When the account of an IT member is compromised, the threat actor gains a foothold with elevated privileges which impedes analysis by blending in their actions with that of the administrator(s), stressing the importance of verifying the source of files before download, and their contents before execution.

MITRE ATT&CK Techniques

Tactic Technique Procedure
Resource Development T1583.008: Acquire Infrastructure: Malvertising The threat actor uses ads to promote malware delivery via popular search engines.
Initial Access T1189: Drive-by Compromise The user clicks on a malicious ad populated from a typical search engine query for a software utility and is ultimately redirected to a page hosting malware.
Execution T1106: Native API The malware dynamically resolves and executes functions from ntdll.dll at runtime.
Execution T1204.002: User Execution: Malicious File The user downloads and executes setup.exe (renamed pythonw.exe), which side-loads and executes the malicious DLL python311.dll.
Execution T1059.006: Command and Scripting Interpreter: Python The malware executes a python script to load and execute a Sliver beacon.
Persistence T1543.003: Create or Modify System Process: Windows Service The threat actor creates a service to execute a C2 beacon. The threat actor loads a vulnerable driver to facilitate disabling antivirus software and other defenses present.
Persistence T1053.005: Scheduled Task/Job: Scheduled Task The threat actor creates a scheduled task to execute a C2 beacon.
Defense Evasion T1140: Deobfuscate/Decode Files or Information The malware uses various string manipulation and obfuscation techniques.
Defense Evasion T1222.001: File and Directory Permissions Modification: Windows File and Directory Permissions Modification The malware calls chmod to change file permissions prior to execution.
Defense Evasion T1574.001: Hijack Execution Flow: DLL Search Order Hijacking The malware contained in python311.dll is loaded by a renamed copy of pythonw.exe from the same directory.
Defense Evasion T1574.002: Hijack Execution Flow: DLL Side-Loading The malware contained in python311.dll is loaded by a renamed copy of pythonw.exe and proxies requests to a renamed copy of the legitimate DLL.
Defense Evasion T1027.002: Obfuscated Files or Information: Software Packing The final payload executed by the malware is unpacked through several layers of compression, encryption, and file formats.
Defense Evasion T1027.013: Obfuscated Files or Information: Encrypted/Encoded File The malware also stores other file dependencies with several layers of obfuscation
Defense Evasion T1055.001: Process Injection: Dynamic-link Library Injection The malware loads a Sliver beacon DLL via python script.
Lateral Movement T1570: Lateral Tool Transfer The threat actor uses SMB via Cobalt Strike to pivot post compromise
Exfiltration T1567.002: Exfiltration Over Web Service: Exfiltration to Cloud Storage The threat actor attempts to exfiltrate data to a backup using Restic.
Impact T1486: Data Encrypted for Impact The threat actor attempts the deployment of ransomware after exfiltrating data.

Rapid7 Detections

For Rapid7 MDR and InsightIDR customers, the following detection rules are currently deployed and alerting against malware campaigns like the one described in this blog:

Detections
Suspicious Process – Sliver C2 Interactive Shell Execution via PowerShell
Suspicious Process – Python Start Processes in Staging Directories
Attacker Technique – Renamed PythonW.exe Executed From Non-Standard Folder
Suspicious Service: Service Installed With Command Line using Python
Network Discovery – Nltest Enumerate Domain Controllers
Attacker Technique – Potential Process Hollowing To DLLHost
Suspicious Process – Gpupdate.exe Execution With No Arguments
Suspicious Process Access – LSASS Memory Dump Using MiniDumpWriteDump Function

Indicators of Compromise

Network Based Indicators (NBIs)

Domain/IPv4 Address Notes
wnscp[.]net Typo-squatted domain, found via DNSTwist
puttyy[.]org Typo-squatted domain, found via DNSTwist
puutty[.]org Typo-squatted domain, found via DNSTwist
putyy[.]org Typo-squatted domain, found via DNSTwist
vvinscp[.]net Typo-squatted domain
winnscp[.]net Typo-squatted domain
puttty[.]org Typo-squatted domain
areauni[.]com Malicious zip archive host, likely compromised domain
mkt[.]geostrategy-ec[.]com Malicious zip archive host, likely compromised domain
fkm-system[.]com Malicious zip archive host, likely compromised domain
185.82.219[.]92 C2 address
91.92.242[.]183 C2 address
91.92.244[.]41 C2 address
91.92.249[.]106 C2 address
91.92.249[.]155 C2 address
91.92.252[.]238 C2 address
91.92.255[.]71 C2 address
91.92.255[.]77 C2 address
94.156.65[.]115 C2 address
94.156.65[.]98 C2 address
94.156.67[.]185 C2 address
94.156.67[.]188 C2 address
94.156.67[.]83 C2 address
94.158.244[.]32 C2 address

Host Based Indicators (HBIs)

File SHA256 Notes
DellAPC.exe 8b1946e3e88cff3bee6b8a2ef761513fb82a1c81f97a27f959c08d08e4c75324 Dropped by the threat actor post compromise
DellCTSW2.exe N/A Dropped by the threat actor post compromise
DellCTSWin.exe 2ee435033d0e2027598fc6b35d8d6cbca32380eb4c059ba0806b9cfb1b4275cc Dropped by the threat actor post compromise
DellPPem.exe 4b618892c9a397b2b831917264aaf0511ac1b7e4d5e56f177217902daab74a36 Dropped by the threat actor post compromise
DellPRT.exe 725aa783a0cd17df603fbe6b11b5a41c9fbfd6fc9e4f2e468c328999e5716faa Dropped by the threat actor post compromise
KeePassDR.exe c9042a7ed34847fee538c213300374c70c76436ee506273b35282c86a11d9e6a Dropped by the threat actor post compromise
NVDisplay.Contain64.exe 35161a508dfaf8e04bb6de6bc793a3840a05f2c04bbbbf8c2237abebe8e670aa Dropped by the threat actor post compromise
NVDisplay.Container64.exe 8bc39017b1ea59386f74d7c7822063b3b00315dd317f55ddc6634bde897c45c1 Dropped by the threat actor post compromise
NVDisplay.exe bbdf350c6ae2438bf14fc6dc82bb54030abf9da0c948c485e297330e08850575 Dropped by the threat actor post compromise
OktaServiceAgent.exe 28e5ee69447cea77eee2942c04009735a199771ba64f6bce4965d674515d7322 Dropped by the threat actor post compromise
OktaServiceAgent.exe f36e9dec2e7c574c07f3c01bbbb2e8a6294e85863f4d6552cccb71d9b73688ad Dropped by the threat actor post compromise
PDMVault.exe 242b2c948181f8c2543163c961775393220d128ecb38a82fa62b80893f209cab Dropped by the threat actor post compromise
PDMVault.exe 9be715df88024582eeabdb0a621477e04e2cf5f57895fa6420334609138463b9 Dropped by the threat actor post compromise
PDMVaultConf.exe 8b0d04f65a6a5a3c8fb111e72a1a176b7415903664bc37f0a9015b85d3fc0aa7 Dropped by the threat actor post compromise
PDMVaultL.exe 169ef0e828c3cd35128b0e8d8ca91fbf54120d9a2facf9eb8b57ea88542bc427 Dropped by the threat actor post compromise
PDMVaultLP.exe N/A Dropped by the threat actor post compromise
PDMVaultSec.exe 61214a7b14d6ffb4d27e53e507374aabcbea21b4dc574936b39bec951220e7ea Dropped by the threat actor post compromise
PDMVaultSecs.exe 51af3d778b5a408b725fcf11d762b0f141a9c1404a8097675668f64e10d44d64 Dropped by the threat actor post compromise
PDMVaultTest.exe 96ea33a5f305015fdd84bea48a9e266c0516379ae33321a1db16bc6fabad5679 Dropped by the threat actor post compromise
ServerController.exe 02330e168d4478a4cd2006dd3a856979f125fd30f5ed24ee70a41e03e4c0d2f8 Dropped by the threat actor post compromise
SgrmBroker.exe 8834ec9b0778a08750156632b8e74b9b31134675a95332d1d38f982510c79acb Dropped by the threat actor post compromise
VMImportHost.exe c8a982e2be4324800f69141b5be814701bcc4167b39b3e47ed8908623a13eb10 Dropped by the threat actor post compromise
VMImportHost2.exe 47ec3a1ece8b30e66afd6bb510835bb072bbccc8ea19a557c59ccdf46fe83032 Dropped by the threat actor post compromise
VMImportHost3.exe 9bd3c7eff51c5746c21cef536971cc65d25e3646533631344728e8061a0624cb Dropped by the threat actor post compromise
VMSAdmin.exe f89720497b810afc9666f212e8f03787d72598573b41bc943cd59ce1c620a861 Dropped by the threat actor post compromise
VMSAdminUtil.exe ca05485a1ec408e2f429e2e377cc5af2bee37587a2eb91dc86e8e48211ffc49e Dropped by the threat actor post compromise
VMSAdminUtilityUp.exe 972ca168f7a8cddd77157e7163b196d1267fe2b338b93dabacc4a681e3d46b57 Dropped by the threat actor post compromise
VMSBackupConfig.exe 1576f71ac41c4fc93c8717338fbc2ba48374894345c33bdf831b16d0d06df23d Dropped by the threat actor post compromise
VMSBackupUpdate.exe a5dfc9c326b1303cc1323c286ecd9751684fb1cd509527e2f959fb79e5a792c2 Dropped by the threat actor post compromise
dp_agent.exe 13B2E749EB1E45CE999427A12BB78CBEBC87C415685315C77CDFB7F64CB9AAB0 Dropped by the threat actor post compromise
local.exe bd4abc70de30e036a188fc9df7b499a19a0b49d5baefc99844dfdec6e70faf75 Dropped by the threat actor post compromise
lr_agent.exe d95f6dec32b4ebed2c45ecc05215e76bf2f520f86ad6b5c5da1326083ba72e89 Dropped by the threat actor post compromise
ntfrss.exe f36089675a652d7447f45c604e062c2a58771ec54778f6e06b2332d1f60b1999 Dropped by the threat actor post compromise
op_agent.exe 17e0005fd046e524c1681304493f0c51695ba3f24362a61b58bd2968aa1bd01a Dropped by the threat actor post compromise
pp.txt N/A Notable naming scheme
pr_agent.exe d27f9c0d761e5e1de1a741569e743d6747734d3cdaf964a9e8ca01ce662fac90 Dropped by the threat actor post compromise
python311.dll CD7D59105B0D0B947923DD9ED371B9CFC2C2AA98F29B2AFBDCD3392AD26BDE94 Malicious DLL sideloaded by setup.exe. Compiled 2024-03-05. Original name: python311_WinSCP.dll.
python311.dll 02D8E4E5F74D38C8E1C9AD893E0CEC1CC19AA08A43ECC87AC043FA825382A583 Malicious DLL sideloaded by setup.exe. Compiled 2024-04-03. Original name: python311_WinSCP.dll.
python311.dll 500574522DBCDE5E6C89803C3DCA7F857F73E0868FD7F8D2F437F3CC31CE9E8D Malicious DLL sideloaded by setup.exe. Compiled 2024-04-10. Original name: python311_Putty.dll.
-redacted-.exe a1cb8761dd8e624d6872960e1443c85664e9fbf24d3e208c3584df49bbdb2d9c Ransomware, named after the impacted domain.
readme.txt N/A Ransom note
resticORIG.exe 33f6acd3dfeda1aadf0227271937c1e5479c2dba24b4dca5f3deccc83e6a2f04 Exfil tool dropped by the threat actor
rr__agent.exe d94ed93042d240e4eaac8b1b397abe60c6c50a5ff11e62180a85be8aa0b0cc4a Dropped by the threat actor post compromise
truesight.sys bfc2ef3b404294fe2fa05a8b71c7f786b58519175b7202a69fe30f45e607ff1c AV/EDR killer, used to facilitate the execution of ransomware.
veeam.backups.shell.exe 7d53122d6b7cff81e1c5fcdb3523ccef1dbd46c93020a0de65bc475760faff7d Dropped by the threat actor post compromise
vmtools.exe ED501E49B9418FCFAF56A2EFF7ADCF85A648BDEE2C42BB09DB8C11F024667BFA Dropped by the threat actor post compromise
vmtoolsda.exe 12AFBEC79948007E87FDF9E311736160797F245857A45C040966E8E029CA97B3 Dropped by the threat actor post compromise
vmtoolsdr.exe 989A8E6A01AA20E298B1FFAE83B50CEF3E08F6B64A8F022288DC8D5729301674 Dropped by the threat actor post compromise
vmtoolsds.exe 0AA248300A9F6C498F5305AE3CB871E9EC78AE62E6D51C05C4D6DD069622F442 Dropped by the threat actor post compromise
vmtoolsdt.exe DF0213E4B784A7E7E3B4C799862DB6EA60E34D8E22EB5E72A980A8C2E9B36177 Dropped by the threat actor post compromise
DellPP.exe 51D898DE0C300CAE7A57C806D652809D19BEB3E52422A7D8E4CB1539A1E2485D Dropped by the threat actor post compromise
DellPP2.exe 8827B6FA639AFE037BB2C3F092CCB12D49B642CE5CEC496706651EBCB23D5B9E Dropped by threat actor post compromise
data.aes F18367D88F19C555F19E3A40B17DE66D4A6F761684A5EF4CDD3D9931A6655490 Encrypted Sliver beacon
data.aes C33975AA4AB4CDF015422608962BD04C893F27BD270CF3F30958981541CDFEAD
Encrypted Sliver beacon
data.aes 868CD4974E1F3AC7EF843DA8040536CB04F96A2C5779265A69DF58E87DC03029 Encrypted Sliver beacon
systemd.py 69583C4A9BF96E0EDAFCF1AC4362C51D6FF71BBA0F568625AE65A1E378F15C65 Sliver beacon loader
systemd.py 03D18441C04F12270AAB3E55F68284DCD84721D1E56B32F8D8B732A52A654D2D Sliver beacon loader
systemd.py CF82366E319B6736A7EE94CCA827790E9FDEDFACE98601F0499ABEE61F613D5D Sliver beacon loader

Source: https://www.rapid7.com/blog/post/2024/05/13/ongoing-malvertising-campaign-leads-to-ransomware/