A recently detected malvertising campaign, known as Nitrogen, abuses Google Search and Bing ads to target users searching for IT tools. The campaign deceives users into downloading trojanized installers. Its primary objective appears to be gaining an initial foothold in enterprise networks, possibly paving the way for future ransomware attacks.
Diving into details
The Nitrogen campaign predominantly focuses on technology and non-profit organizations in North America. It operates by posing as installers for well-known software such as AnyDesk, Cisco AnyConnect VPN, TreeSize Free, and WinSCP.
When users search for these applications on a search engine, they are shown ads promoting the software they are looking for.
Once users click on the advertised link, they are taken to pages hosted on compromised WordPress sites that mimic the authentic download site of the specific application they sought.
Throughout the infection chain, the threat actors employ uncommon techniques such as export forwarding (a malicious DLL re-exporting the legitimate library's functions so the host application keeps working) and DLL sideloading (placing that DLL where a trusted executable will load it) to obscure their malicious actions and make analysis difficult.
Using Python scripts, they launch a Meterpreter reverse TCP shell, which gives them remote code execution on the compromised system.
Subsequent payloads
Sophos analysts have observed instances where the attackers engaged in hands-on activities after executing the Meterpreter script on targeted systems.
They manually ran commands to retrieve additional ZIP archives and a Python 3 environment; the latter is needed to run Cobalt Strike in memory, since the NitrogenStager component cannot execute Python scripts itself.
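Two of the behaviours described above, a DLL sideloaded from the directory of a downloaded installer and a Python interpreter dropped into a user-writable location, are both visible in ordinary endpoint telemetry. The following added example (written for this page, not code from Sophos, Trend Micro or the campaign write-up) runs two such heuristics over constructed image-load and process-creation events. The event field names, the list of sideloading-prone DLL names and the trusted-directory allow-list are assumptions chosen for the demonstration, not values taken from the article.

```python
"""Detection heuristics for two behaviours in the Nitrogen write-up:
(1) DLL sideloading: a DLL named like a well-known Windows system DLL is
    loaded from an untrusted directory, typically right beside the
    executable that loaded it; and
(2) a Python interpreter started from a user-writable directory, matching
    the dropped Python 3 environment used to run later payloads in memory.
All events below are constructed sample data, not real telemetry."""
import ntpath
import re

# Assumed allow-list of directories from which system DLLs and interpreters
# are legitimately loaded (a real deployment would tune this per environment).
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",          # also covers "c:\program files (x86)"
)

# Assumed list of system DLL names that are commonly abused for sideloading.
SIDELOAD_PRONE_DLLS = {
    "version.dll", "dbghelp.dll", "wtsapi32.dll",
    "msimg32.dll", "cryptbase.dll", "dwmapi.dll",
}

PYTHON_IMAGES = {"python.exe", "pythonw.exe", "python3.exe"}

# User-writable locations where a dropped interpreter would typically land.
USER_WRITABLE = re.compile(
    r"^c:\\users\\[^\\]+\\(downloads|appdata|desktop|documents)\\"
)


def norm(path):
    """Normalise a Windows path for comparison: backslashes, lower case."""
    return path.replace("/", "\\").lower()


def in_trusted_dir(path):
    return ntpath.dirname(norm(path)).startswith(TRUSTED_DIRS)


def check_sideload(ev):
    """Flag a sideloading-prone DLL name loaded from outside trusted dirs."""
    if ev["event"] != "image_load":
        return None
    dll = norm(ev["image"])
    name = ntpath.basename(dll)
    if name not in SIDELOAD_PRONE_DLLS or in_trusted_dir(dll):
        return None
    # Classic sideloading: the rogue DLL sits in the loading process's own directory.
    beside_process = ntpath.dirname(dll) == ntpath.dirname(norm(ev["process"]))
    severity = "high" if beside_process else "medium"
    return ("dll_sideload", severity, f"{ev['process']} loaded {name} from {ntpath.dirname(dll)}")


def check_rogue_python(ev):
    """Flag a Python interpreter executing from a user-writable directory."""
    if ev["event"] != "process_create":
        return None
    image = norm(ev["image"])
    if ntpath.basename(image) in PYTHON_IMAGES and USER_WRITABLE.match(image):
        return ("rogue_python", "high", f"{ev['image']} started by {ev.get('parent', '?')}")
    return None


def analyze(events):
    """Run every heuristic over every event; return the list of alerts."""
    alerts = []
    for ev in events:
        for check in (check_sideload, check_rogue_python):
            hit = check(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\Users\alice\Downloads\AnyDesk_setup\anydesk-installer.exe",
     "parent": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"event": "image_load", "process": r"C:\Users\alice\Downloads\AnyDesk_setup\anydesk-installer.exe",
     "image": r"C:\Users\alice\Downloads\AnyDesk_setup\msimg32.dll"},          # sideload
    {"event": "image_load", "process": r"C:\Program Files\Notepad++\notepad++.exe",
     "image": r"C:\Windows\System32\version.dll"},                              # benign
    {"event": "process_create", "image": r"C:\Users\alice\AppData\Local\Temp\py3\python.exe",
     "parent": r"C:\Users\alice\Downloads\AnyDesk_setup\anydesk-installer.exe"},  # rogue python
    {"event": "process_create", "image": r"C:\Program Files\Python311\python.exe",
     "parent": r"C:\Windows\explorer.exe"},                                     # benign
]

if __name__ == "__main__":
    for rule, severity, detail in analyze(SAMPLE_EVENTS):
        print(f"[{severity}] {rule}: {detail}")
```

The two rules are deliberately independent so that each can be tuned or suppressed on its own; the sideload rule raises its severity only when the DLL sits in the loading executable's directory, which is the pattern that distinguishes sideloading from an ordinary misconfigured search path.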
According to Trend Micro's previous report, this attack chain led to the deployment of the BlackCat ransomware in at least one recorded case.
The bottom line
The abuse of pay-per-click advertisements in search engine results has emerged as a popular tactic among threat actors, as the Nitrogen campaign shows. Through trojanized installers for a range of IT utilities, they target unsuspecting users seeking those tools, and the approach could readily expand to impersonating other popular software in future attacks. To defend against this threat, organizations should prioritize comprehensive, robust detection capabilities able to unmask and block these deceptive activities.