New Nitrogen Malware Pushed via Google Ads For Ransomware Attacks

Cyber Security Threat Summary:
A new 'Nitrogen' initial access malware campaign uses Google and Bing search ads to promote fake software sites that infect unsuspecting users with Cobalt Strike and ransomware payloads. The goal of the Nitrogen malware is to give the threat actors initial access to corporate networks, allowing them to conduct data theft and cyberespionage and ultimately deploy the BlackCat/ALPHV ransomware. Today, Sophos released a report on the Nitrogen campaign, detailing how it primarily targets technology and non-profit organizations in North America, impersonating popular software such as AnyDesk, Cisco AnyConnect VPN, TreeSize Free, and WinSCP. eSentire was the first to document the Nitrogen campaign in late June, while Trend Micro analyzed the post-compromise activity of WinSCP ads leading to BlackCat/ALPHV ransomware infections at the start of the month. However, that report focused on the post-infection stage and lacked extensive IoCs (Indicators of Compromise) because it was based on a single incident response engagement.

In the latest campaign observed, the Google and Bing ads direct victims to a compromised WordPress page hosting illegitimate downloads for popular, frequently searched-for applications. According to researchers, only users from specific regions are redirected to these sites; everyone else is sent to YouTube videos instead. Initiating a download delivers a trojanized ISO installer that contains and sideloads a malicious DLL file ("msi.dll"). This DLL installs a malware component dubbed NitrogenInstaller, which installs the promised application to avoid suspicion and, without the user's knowledge, also drops a malicious Python package.

“The NitrogenInstaller also creates a registry run key named "Python" for persistence, pointing to a malicious binary ("pythonw.exe") that runs every five minutes. The Python component will execute "NitrogenStager" ("python.311.dll"), which is responsible for establishing communication with the threat actor's C2 and launching a Meterpreter shell and Cobalt Strike Beacons onto the victim's system. In some cases observed by Sophos analysts, the attackers moved to hands-on activity once the Meterpreter script was executed on the target system, executing manual commands to retrieve additional ZIP files and Python 3 environments. The latter is needed for executing Cobalt Strike in memory, as the NitrogenStager cannot run Python scripts” (Bleeping Computer, 2023).

Security Officer Comments:
The ultimate objective behind the latest campaign appears to be the deployment of ransomware on compromised systems. In the past, we have seen similar campaigns, with groups such as Royal and Clop ransomware using Google advertisements to infect unsuspecting users with malicious payloads. In a separate conversation with Google, the company stated that it detected the latest Nitrogen malware campaigns and has already taken down the malicious advertisements. Despite this, users should remain careful when downloading software, as it won’t be long before threat actors put up new advertisements.

Suggested Correction(s):
Avoid clicking on promoted search results advertising software, as threat actors are known to purchase such ads to redirect users to phishing pages. When downloading software online, users should ensure it comes from a reputable source and not from a third-party site. Prior to installation, software should also be scanned by antivirus software, which can be instrumental in detecting malicious embedded executables. Furthermore, be wary of downloads “utilizing ISO files for software, as that is an uncommon method to distribute legitimate Windows software, which usually comes as an .exe or .zip archive.”

Link(s):
https://www.bleepingcomputer.com/