Tuesday, November 12, 2024
HomeCyber Security NewsHacker Using Google and Bing ads to Deliver Weaponized IT tools

Hacker Using Google and Bing ads to Deliver Weaponized IT tools

Published on

Malware protection

The latest research discovered malvertising campaigns abusing Google and Bing ads to target users seeking certain IT tools and deploying ransomware.

This campaign targets several organizations in the technology and non-profit sectors in North America. 

This campaign exhibits similar features of the infection chain that are related to the BlackCat (aka ALPHV) ransomware infection.

- Advertisement - SIEM as a Service

Sophos X ops researchers have found that a new variant of malware named Nitrogen was employed to trick users into downloading Trojanized ISO installers.

Attack Execution:

Initially, the threat actor targets users who visit advertisements on Google and Bing to obtain software tools and then redirects them to a malicious website hosted by the threat actor.

This campaign specifically targets IT professionals, as the advertised websites pose as prominent software installers such as AnyDesk, WinSCP, and Cisco AnyConnect VPN

For instance, when a user queries Google for WinSCP, a Google Ad referencing ‘Secure File Transfer – For Windows’ on the site softwareinteractivo[.]com

This site is a phishing page that impersonates a system administrator advice blog. 

Attack Chain

Once a user downloads a trojanized installer, ISO images are dropped on the compromised computer. 

These files are then mounted in Windows Explorer and can be transferred to a drive, where their contents are accessible.

When executed, the renamed msiexec.exe file sideloads the NitrogenInstaller file contained within the same image.

This Sideloading dynamic link libraries (DLLs)  technique is used by threat actors to disguise malicious activity as a legitimate process. 

In addition, they employ DLL proxying technique by forwarding exported functions to the legitimate msi.dll file in the system directory. 

Once executed, this NitrogenInstaller, drops a clean installer for the legitimate counterfeit application (e.g., Inno installer for WinSCP) 

In addition to that, it drops two Python packages: a legitimate Python archive and a NitrogenStager.

NitrogenInstaller attempts to gain elevated privileges by bypassing the User Access Control (UAC) with the CMSTPLUA CLSID. 

And Nitrogenstager creates a Meterpreter reverse TCP shell, enabling threat actors to execute code on the compromised system remotely.

Keep yourself informed about the latest Cyber Security News by following us on GoogleNews, Linkedin, Twitter, and Facebook.

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

VMware Workstation & Fusion Now Available for Free to All Users

VMware has announced that its popular desktop hypervisor products, VMware Workstation and VMware Fusion,...

Dell Enterprise SONiC Flaw Let Attackers Hijack the System

Dell Technologies has disclosed multiple critical security vulnerabilities in its Enterprise SONiC OS, which...

Amazon Confirms Employee Data Breach Via Third-party Vendor

Amazon has confirmed that sensitive employee data was exposed due to a breach at...

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

VMware Workstation & Fusion Now Available for Free to All Users

VMware has announced that its popular desktop hypervisor products, VMware Workstation and VMware Fusion,...

Dell Enterprise SONiC Flaw Let Attackers Hijack the System

Dell Technologies has disclosed multiple critical security vulnerabilities in its Enterprise SONiC OS, which...

Amazon Confirms Employee Data Breach Via Third-party Vendor

Amazon has confirmed that sensitive employee data was exposed due to a breach at...