The recent ‘Nitrogen’ initial access malware campaign abuses Google and Bing search ads to promote counterfeit software sites, leaving unsuspecting users exposed to Cobalt Strike and ransomware payloads.
The Nitrogen malware aims to give attackers initial entry to corporate networks, enabling them to carry out data theft and cyber espionage and ultimately deploy the BlackCat/ALPHV ransomware.
Sophos published a report today on the Nitrogen campaign, shedding light on its primary targets – technology and non-profit organisations in North America. The campaign impersonates popular software applications such as AnyDesk, Cisco AnyConnect VPN, TreeSize Free, and WinSCP. Trend Micro was the first to recognise and document this activity at the beginning of the month, noticing WinSCP ads leading to BlackCat/ALPHV ransomware infections on a victim’s network.
However, that report primarily concentrated on the post-infection phase and was short on comprehensive IoCs (Indicators of Compromise) because it was based on a single incident response.
The Nitrogen malware campaign begins when an individual carries out a Google or Bing search for various widely-used software applications.
The software that the Nitrogen malware campaign mimics includes:
AnyDesk (remote desktop application)
WinSCP (SFTP/FTP client for Windows)
Cisco AnyConnect (VPN suite)
TreeSize Free (disk space calculator and manager)
Depending on the target demographic, the search engine will present an advertisement that promotes the software searched for.
Clicking the link takes the user to compromised WordPress hosting pages that pose as legitimate software download sites for the specific application.
Only visitors from specific geographic regions are redirected to the phishing sites, while direct hits on the malicious URLs are instead rick-rolled with a redirect to YouTube videos. From these counterfeit sites, users download trojanized ISO installers (“install.exe”), which contain and sideload a malicious DLL file (“msi.dll”). The msi.dll serves as the installer for the Nitrogen initial access malware, internally named “NitrogenInstaller,” which installs a malicious Python package and also installs the promised application to avoid arousing suspicion.
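A defender-side check for the sideloading step described above, as an added example that does not come from the Sophos or Trend Micro reports: it scans image-load events for msi.dll loaded from outside the Windows system directories. The JSON-lines export format and the sample events are constructed for illustration; the field names follow Sysmon Event ID 7.

```python
import json
from pathlib import PureWindowsPath

# Directories where Windows keeps its own copies of msi.dll.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
WATCHED_DLLS = {"msi.dll"}  # DLL name reported in the article

# Constructed sample events, one JSON object per line (assumed export format).
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Windows\\System32\\msiexec.exe", "ImageLoaded": "C:\\Windows\\System32\\msi.dll", "Signed": "true"}
{"EventID": 7, "Image": "E:\\install.exe", "ImageLoaded": "E:\\msi.dll", "Signed": "false"}
{"EventID": 7, "Image": "C:\\Users\\alice\\Downloads\\setup\\install.exe", "ImageLoaded": "C:\\Users\\alice\\Downloads\\setup\\MSI.DLL", "Signed": "false"}
{"EventID": 7, "Image": "C:\\Program Files\\App\\app.exe", "ImageLoaded": "C:\\Windows\\SysWOW64\\msi.dll", "Signed": "true"}
{"EventID": 1, "Image": "E:\\install.exe", "CommandLine": "E:\\install.exe"}
"""


def is_trusted_location(dll_path):
    """True if the DLL sits in (or below) a Windows system directory."""
    parent = str(PureWindowsPath(dll_path).parent).lower()
    return any(parent == d or parent.startswith(d + "\\") for d in TRUSTED_DIRS)


def find_sideloads(lines):
    """Return image-load events where a watched DLL loads from an untrusted path."""
    hits = []
    for line in lines.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        if event.get("EventID") != 7:  # 7 = Sysmon "Image loaded"
            continue
        loaded = event.get("ImageLoaded", "")
        if PureWindowsPath(loaded).name.lower() not in WATCHED_DLLS:
            continue
        if not is_trusted_location(loaded):
            hits.append({"process": event.get("Image", ""), "dll": loaded,
                         "signed": str(event.get("Signed", "")).lower() == "true"})
    return hits


if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print(f"suspicious load: {hit['process']} -> {hit['dll']} (signed={hit['signed']})")
```

The comparison is case-insensitive and checks the directory boundary, so a look-alike folder such as System32Evil is not treated as trusted.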
In some instances observed by Sophos analysts, the attackers switched to hands-on activity once the meterpreter script was run on the target system, running manual commands to fetch additional ZIP files and Python 3 environments.
The latter is required for running Cobalt Strike in memory, as the NitrogenStager cannot run Python scripts. Sophos indicates that because it detected and halted the observed Nitrogen attacks, it has yet to determine the attackers’ objective. Still, the infection chain suggests the compromised systems were being prepared for ransomware deployment.
However, Trend Micro had previously reported that this attack chain resulted in the deployment of the BlackCat ransomware in at least one instance.
This scheme is not the first instance of ransomware gangs exploiting search engine advertisements to gain initial access to corporate networks, as evidenced by similar tactics used by the Royal and Clop ransomware operations in the past.
Users should refrain from clicking on “promoted” results in search engines when downloading software and should download only from the developer’s official site.