The WinSCP Installer malware is a malicious program that compromises computer systems, usually without the user's knowledge. It relies on a delay-loaded DLL named msi.dll that acts as a dropper for both a genuine WinSCP installer and a malicious Python execution environment. That environment downloads Cobalt Strike beacons, tools used for exploiting network vulnerabilities. The malware can reach a system through suspicious downloads, emails, or websites; once inside, it can steal personal information, disrupt operations, or hold data hostage for ransom.
When setup.exe, obtained from a download site, is executed, it loads msi.dll. The DLL extracts a Python folder from its RCDATA resource section while also serving as the authentic WinSCP installer, so the installation appears to proceed normally. This dual role keeps up the appearance of legitimacy while the harmful actions run in the background.
At the same time, the DLL downloads and executes a legitimate WinSCP installer to maintain the ruse while covertly dropping the Python scripts slv.py and wo15.py. These scripts carry out the malware's malicious behaviour, further jeopardizing the security and integrity of the infected system. Users should therefore exercise caution when downloading and installing software from unverified sources.
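Detection logic for the chain described above, as an added example that is not part of this write-up. It runs three checks over constructed endpoint telemetry (the event shapes and paths are invented; only the file names msi.dll, slv.py and wo15.py come from the description): msi.dll loaded from outside the Windows system directories, creation of the two named scripts, and an installer spawning python.exe.

```python
import ntpath

# Constructed sample telemetry, loosely modelled on Sysmon image-load,
# file-create and process-create events. Paths are invented for illustration;
# msi.dll, slv.py and wo15.py are the names from the write-up.
SAMPLE_EVENTS = [
    {"type": "image_load", "process": r"C:\Users\u\Downloads\WinSCP\setup.exe",
     "image": r"C:\Users\u\Downloads\WinSCP\msi.dll"},
    {"type": "file_create", "process": r"C:\Users\u\Downloads\WinSCP\setup.exe",
     "target": r"C:\Users\u\AppData\Local\Temp\python\slv.py"},
    {"type": "file_create", "process": r"C:\Users\u\Downloads\WinSCP\setup.exe",
     "target": r"C:\Users\u\AppData\Local\Temp\python\wo15.py"},
    {"type": "process_create", "parent": r"C:\Users\u\Downloads\WinSCP\setup.exe",
     "image": r"C:\Users\u\AppData\Local\Temp\python\python.exe"},
    # Benign control: the real msi.dll loaded from System32 by msiexec.
    {"type": "image_load", "process": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Windows\System32\msi.dll"},
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SIDELOAD_TARGETS = {"msi.dll"}           # OS DLL name the dropper borrows
DROPPED_SCRIPTS = {"slv.py", "wo15.py"}  # scripts named in the write-up

def _name(path):
    return ntpath.basename(path).lower()

def _in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)

def check_event(ev):
    """Return a (rule, detail) finding for one event, or None if it looks benign."""
    if ev["type"] == "image_load":
        if _name(ev["image"]) in SIDELOAD_TARGETS and not _in_system_dir(ev["image"]):
            return ("msi_dll_sideload", ev["image"])
    elif ev["type"] == "file_create":
        if _name(ev["target"]) in DROPPED_SCRIPTS:
            return ("known_dropped_script", ev["target"])
    elif ev["type"] == "process_create":
        if _name(ev["image"]) == "python.exe" and _name(ev["parent"]) == "setup.exe":
            return ("installer_spawned_python", ev["image"])
    return None

def analyze(events):
    """Run every event through check_event and keep the findings in order."""
    return [f for f in (check_event(e) for e in events) if f]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The sideload check is the most durable of the three, since the script names can change between samples while a non-system msi.dll loaded by a downloaded installer should not.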
Description last updated: 2023-11-17T15:16:14.762Z