The latest research discovered malvertising campaigns abusing Google and Bing ads to target users seeking certain IT tools and deploying ransomware.
This campaign targets several organizations in the technology and non-profit sectors in North America.
This campaign exhibits similar features of the infection chain that are related to the BlackCat (aka ALPHV) ransomware infection.
Sophos X ops researchers have found that a new variant of malware named Nitrogen was employed to trick users into downloading Trojanized ISO installers.
Initially, the threat actor targets users who visit advertisements on Google and Bing to obtain software tools and then redirects them to a malicious website hosted by the threat actor.
This campaign specifically targets IT professionals, as the advertised websites pose as prominent software installers such as AnyDesk, WinSCP, and Cisco AnyConnect VPN.
For instance, when a user queries Google for WinSCP, a Google Ad referencing ‘Secure File Transfer – For Windows’ on the site softwareinteractivo[.]com
This site is a phishing page that impersonates a system administrator advice blog.
Once a user downloads a trojanized installer, ISO images are dropped on the compromised computer.
These files are then mounted in Windows Explorer and can be transferred to a drive, where their contents are accessible.
When executed, the renamed msiexec.exe file sideloads the NitrogenInstaller file contained within the same image.
This Sideloading dynamic link libraries (DLLs) technique is used by threat actors to disguise malicious activity as a legitimate process.
In addition, they employ DLL proxying technique by forwarding exported functions to the legitimate msi.dll file in the system directory.
Once executed, this NitrogenInstaller, drops a clean installer for the legitimate counterfeit application (e.g., Inno installer for WinSCP)
In addition to that, it drops two Python packages: a legitimate Python archive and a NitrogenStager.
NitrogenInstaller attempts to gain elevated privileges by bypassing the User Access Control (UAC) with the CMSTPLUA CLSID.
And Nitrogenstager creates a Meterpreter reverse TCP shell, enabling threat actors to execute code on the compromised system remotely.