‘Nitrogen’ Ransomware Effort Lures IT Pros via Google, Bing Ads

/in


Hackers are planting fake advertisements — “malvertisements” — for popular IT tools on search engines, hoping to ensnare IT professionals and perform future ransomware attacks.

The scheme surrounds pay-per-click ads on sites like Google and Bing, which link to compromised WordPress sites and phishing pages mimicking download pages for software such as AnyDesk, Cisco AnyConnect, TreeSize Free, and WinSCP. Unsuspecting visitors end up downloading the actual software they intended, alongside a trojanized Python package containing initial access malware, which the attackers then use to drop further payloads.

Researchers from Sophos are calling the campaign “Nitrogen.” It has already touched several technology companies and nonprofits in North America. Though none of the known cases have yet been successful, the researchers noted that “hundreds of brands co-opted for malvertising of this sort across multiple campaigns in recent months.”

“The key thing here is that they’re targeting IT people,” says Christopher Budd, director of Sophos X-Ops. Skipping right to the people closest to an organization’s most sensitive systems, he says, “is actually a fairly efficient and effective way of targeting.”

Honeypots for IT Pros

Search engine surfers who click on a Nitrogen malvertisement will typically end up on a phishing page mimicking the actual download page for the software they’re attempting to download — for example, “winsccp[.]com,” with that extra “c” subtly added in.

In one case, instead of a mere phishing page, the researchers discovered a compromised WordPress site at mypondsoftware[.]com/cisco. The researchers noted that “all other links on the myponsdsoftware[.]com point to legitimate cisco.com Web pages, except for the download link for this particular installer,” which directs to a malicious phishing page.

Hitting “download” on any of these pages will download a trojanized ISO installer, which sideloads a malicious dynamic link library (DLL) file. The DLL file does, in fact, contain the user’s desired software, but also initial access malware.

From here, the malicious attack chain establishes a connection to attacker-controlled command and control (C2) infrastructure, and drops…

Source…