Nitrogen Campaign Starts with Fake Ads, Ends with Ransomware

Threat actors are using bogus advertisements for IT tools on sites like Google and Microsoft’s Bing in hopes of luring tech users to inadvertently download malware that kicks off an attack that eventually leads to ransomware like BlackCat.

The hackers use the Nitrogen malware to gain initial access to corporate networks, leading to a second stage of the attack that includes deploying Cobalt Strike Beacons and the Meterpreter shell, a payload designed to let an attacker move through a targeted system and execute code, according to cybersecurity firm Sophos’ X-Ops team.

“We assess it is likely that the threat actors mean to leverage this infection chain to stage compromised environments for ransomware deployment,” X-Ops researchers Gabor Szappanos, Morgan Demboski, and Benjamin Sollman wrote in a report.

The Nitrogen campaign is only the latest in what the researchers said is an increasingly popular type of attack that abuses pay-per-click ads displayed in search engine results. They’ve seen the attackers target organizations in the technology and non-profit sectors in North America and, given the array of trojanized installers that lead to the infections, “the threat actors are trying to cast a wide net to lure unsuspecting users seeking certain IT utilities, and it is likely this campaign will attempt to impersonate other types of popular software to deliver Nitrogen in future attacks.”

Sophos’ look at the campaign follows other research by security firms Trend Micro and eSentire, both of which found a similar pattern.

It Starts with Malvertising

According to Sophos, the infections begin with fake ads – malvertising – placed through Google and Bing Ads in hopes of directing victims to compromised WordPress sites and phishing pages that look like legitimate and popular sites where people can buy software. Instead, victims inadvertently download trojanized ISO installers.

Included in the list of software the campaign impersonates are the AnyDesk remote desktop app, Cisco AnyConnect VPN installers, and the WinSCP Windows client. The researchers listed nine trojanized installers deploying the Nitrogen package.

“These applications are often used for business-related purposes, so it is likely the threat actors chose to impersonate these installers to try to gain access to enterprise networks,” they wrote.

The installers sideload a malicious NitrogenInstaller DLL, which contains a legitimate application bundled with a malicious execution environment written in Python. That environment uses DLL preloading to run the malicious NitrogenStager file, which connects to the command-and-control servers to drop the Meterpreter shell and Cobalt Strike Beacons.

‘Uncommon’ Methods

The bad actors use what the researchers said are “uncommon export forwarding and DLL preloading techniques” to evade detection and analysis. The eSentire analysts specifically noted the DLL sideloading technique used to communicate with the C2 server.

“Dynamic link library (DLL) sideloading is a popular tactic used by threat actors to mask malicious activity under the guise of a legitimate process,” the Sophos researchers wrote. “Typically, threat actors attempt to avoid error messages by inserting dummy functions into the sideloaded DLLs for the exports needed by the clean loader executable.”
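The infection chain above (ISO installer, legitimate executable, sideloaded DLL carrying a Python runtime) and the sideloading tactic the researchers describe both leave a recognisable trace in endpoint telemetry: a DLL bearing the name of a library the clean executable expects, sitting beside that executable under a user-writable or mounted-image path rather than in System32. The following Python script is an added example for defenders, not code from Sophos, eSentire or the campaign write-ups. It scores constructed Sysmon-style image-load records (field names `Image`, `ImageLoaded` and `Signed` are modelled on Sysmon Event ID 7; the short system-DLL list, the staging-path patterns and the treatment of non-C: drive letters as mounted images are assumptions chosen for illustration) and reports only records that show two or more independent sideloading signals, so that a benign application loading its own plugin from its install directory is not flagged on co-location alone.

```python
"""Heuristic triage of image-load records for possible DLL sideloading.

Signals scored per record (each is an assumption for this example):
  1. the DLL carries the name of a library normally resolved from System32
     but was loaded from somewhere else;
  2. the DLL sits in the same directory as the executable that loaded it;
  3. the DLL was loaded from a staging location (browser Downloads, Temp,
     or a non-C: drive letter standing in for a mounted ISO image);
  4. the DLL is not signed.
"""
from __future__ import annotations

import ntpath
import re

# Libraries a clean executable would normally resolve from System32.  A copy
# with one of these names beside the EXE is the classic sideload signal.
# Constructed short list, not an exhaustive catalogue.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wininet.dll", "cryptbase.dll"}

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Paths from which a downloaded installer or a mounted ISO would run.
# Non-C: drive letters stand in for mounted images here; a real deployment
# would map drive letters to volume types instead of assuming.
_STAGING_PATH = re.compile(
    r"^(?:[D-Z]:\\|.*\\AppData\\Local\\Temp\\|.*\\Downloads\\)", re.IGNORECASE
)

# Constructed Sysmon-like Event ID 7 records; not taken from any real incident.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"E:\setup.exe",                      # installer run from a mounted ISO
     "ImageLoaded": r"E:\version.dll", "Signed": "false"},
    {"Image": r"C:\Users\alice\Downloads\setup.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\python311.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\App\app.exe",      # benign plugin next to its EXE
     "ImageLoaded": r"C:\Program Files\App\plugin.dll", "Signed": "true"},
]


def _norm(path: str) -> str:
    """Normalise a Windows path for case-insensitive comparison."""
    return ntpath.normpath(path).lower()


def sideload_signals(event: dict) -> list[str]:
    """Return the list of sideloading signals present in one load record."""
    exe_dir, _ = ntpath.split(_norm(event["Image"]))
    dll_dir, dll_name = ntpath.split(_norm(event["ImageLoaded"]))
    signals: list[str] = []
    if dll_name in SYSTEM_DLL_NAMES and not dll_dir.startswith(SYSTEM_DIRS):
        signals.append("system-dll-name-outside-system32")
    if dll_dir == exe_dir and not exe_dir.startswith(SYSTEM_DIRS):
        signals.append("dll-colocated-with-exe")
    if _STAGING_PATH.match(event["ImageLoaded"]):
        signals.append("loaded-from-staging-path")
    if str(event.get("Signed", "")).lower() != "true":
        signals.append("unsigned-dll")
    return signals


def triage(events: list[dict], threshold: int = 2) -> list[tuple[int, list[str]]]:
    """Return (record index, signals) for records meeting the signal threshold."""
    hits = []
    for index, event in enumerate(events):
        signals = sideload_signals(event)
        if len(signals) >= threshold:
            hits.append((index, signals))
    return hits


if __name__ == "__main__":
    for index, signals in triage(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[index]
        print(f"[{index}] {ev['Image']} -> {ev['ImageLoaded']}: {', '.join(signals)}")
```

Run against the constructed records, only the ISO-mounted installer and the Downloads-folder installer are reported; the vendor tool loading the genuine System32 library and the application loading its own signed plugin each fall below the threshold. The threshold and the signal list are the knobs to tune against real telemetry, where the drive-letter shortcut in particular should be replaced by a proper volume lookup.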

The X-Ops researchers found multiple search-to-infection chains in the campaign. For example, users searching Google for the WinSCP application are presented with a phishing page impersonating a guidance blog for system administrators; when the ad is clicked, they’re sent to a fake download page.

Rick Rolling the Victims

The bad actors also want to ensure the user goes through the bogus ad rather than trying to visit the fake site directly by typing the URL. If that happens, the user is “redirected to a YouTube video of Rick Astley’s classic ‘Never Gonna Give You Up’ – effectively rick-rolling researchers.”

For users trying to download the fake AnyConnect app, the malware is hosted on compromised WordPress sites.

Sophos researchers were able to stop the Nitrogen infections before they got to the endpoint and are assuming the end goal is ransomware. That would dovetail with Trend Micro researchers’ report that they saw the BlackCat (also known as ALPHV) ransomware being launched.

Jeffrey Burt

Jeffrey Burt has been a journalist for more than three decades, writing about technology since 2000. He’s written for a variety of outlets, including eWEEK, The Next Platform, The Register, The New Stack, eSecurity Planet, and Channel Insider.