Nitrogen Malvertising - Sneaky Malware in Search Ads

Diving into details

• The Nitrogen campaign predominantly focuses on technology and non-profit organizations in North America. It operates by posing as installers for well-known software such as AnyDesk, Cisco AnyConnect VPN, TreeSize Free, and WinSCP. 
• When users search for these applications on a search engine, they are shown ads promoting the software they are looking for.
• Once users click on the provided link, they are taken to compromised WordPress hosting pages that mimic the authentic software download sites for the specific application they sought. 
• Throughout the infection chain, the threat actors employ uncommon techniques such as export forwarding and DLL sideloading to obscure their malicious actions and make analysis difficult. 
• By utilizing Python scripts, they initiate a Meterpreter reverse TCP shell, granting them the ability to execute code remotely on a compromised system.

Subsequent payloads

• Sophos analysts have observed instances where the attackers engaged in hands-on activities after executing the Meterpreter script on targeted systems. 
• They manually executed commands to obtain additional ZIP files and Python 3 environments. The latter is necessary for running Cobalt Strike in memory since the NitrogenStager lacks the capability to execute Python scripts. 
• According to Trend Micro's previous report, this attack chain led to the deployment of the BlackCat ransomware in at least one recorded case.

The bottom line