A new type of initial access malware, dubbed ‘Nitrogen’, has surfaced, exploiting Google and Bing search ads to propagate fraudulent software sites that distribute Cobalt Strike and ransomware payloads to unsuspecting users. The primary objective of the Nitrogen malware is to provide threat actors a foothold into corporate networks, facilitating data theft, cyberespionage, and the eventual deployment of the BlackCat/ALPHV ransomware.
Sophos, a British security software and hardware company, published a comprehensive report on the Nitrogen campaign today. The report reveals that the campaign primarily targets technology and non-profit organizations in North America by mimicking popular software like AnyDesk, Cisco AnyConnect VPN, TreeSize Free, and WinSCP.
eSentire, a global cybersecurity solutions provider, was the first to highlight the Nitrogen campaign in late June. Following this, Trend Micro delved into the post-compromise activities associated with WinSCP ads leading to BlackCat/ALPHV ransomware infections earlier this month. However, the latter report focused mainly on the post-infection stage and lacked comprehensive Indicators of Compromise (IoCs), as it was based on a single response incident.
Under the Hood of the Nitrogen Malware Campaign
The Nitrogen malware campaign commences when a user conducts a Google or Bing search for popular software applications. Depending on the targeting criteria, the search engine exhibits an advertisement promoting the searched software.
Upon clicking the link, visitors are redirected to compromised WordPress hosting pages masquerading as legitimate software download sites. Only users from specific geographic regions are redirected to these counterfeit sites, where trojanized ISO installers (“install.exe”) are downloaded, which contain and sideload a malicious DLL file (“msi.dll”).
The malicious DLL file serves as the installer for the “NitrogenInstaller” initial access malware, which, besides installing the requested app to avoid arousing suspicion, also installs a harmful Python package. The NitrogenInstaller sets a registry run key titled “Python” for persistence, pointing to a malicious binary (“pythonw.exe”) that executes every five minutes.
Upon execution, the Python component runs “NitrogenStager” (“python.311.dll”), responsible for establishing communication with the threat actor’s C2, initiating a Meterpreter shell, and launching Cobalt Strike Beacons onto the victim’s system.
Sophos analysts noted some instances where the attackers manually executed commands to retrieve additional ZIP files and Python 3 environments once the Meterpreter script was executed on the target system. The latter is required for running Cobalt Strike in memory, as NitrogenStager cannot execute Python scripts.
Sophos has yet to ascertain the ultimate goal of the threat actors due to successfully thwarting observed Nitrogen attacks. Nevertheless, the infection chain indicates an attempt to stage the compromised systems for ransomware deployment. Notably, Trend Micro reported previously that this attack chain resulted in at least one case of BlackCat ransomware deployment.
This campaign is not an isolated instance where ransomware gangs exploited search engine advertisements for initial access to corporate networks. Both the Royal and Clop ransomware operations have used similar tactics in the past.
Users are advised to steer clear of “promoted” search engine results when downloading software and to download solely from the developer’s official site. Furthermore, downloads utilizing ISO files should be treated with suspicion as they are an uncommon method for distributing legitimate Windows software, typically provided in .exe or .zip formats.
Update (7/27) – Google has responded to the campaign with the following statement:
“Our policies strictly prohibit ads that distribute malicious software. The malware campaigns referred to in the report were detected by our teams before the report was published. We promptly removed the ads that contravened our policies and took suitable action on the advertisers’ accounts.”