The latest research discovered malvertising campaigns abusing Google and Bing ads to target users seeking certain IT tools and deploying ransomware.
This campaign targets several organizations in the technology and non-profit sectors in North America.
This campaign exhibits similar features of the infection chain that are related to the BlackCat (aka ALPHV) ransomware infection.
Sophos X ops researchers have found that a new variant of malware named Nitrogen was employed to trick users into downloading Trojanized ISO installers.
Initially, the threat actor targets users who visit advertisements on Google and Bing to obtain software tools and then redirects them to a malicious website hosted by the threat actor.
This campaign specifically targets IT professionals, as the advertised websites pose as prominent software installers such as AnyDesk, WinSCP, and Cisco AnyConnect VPN.
For instance, when a user queries Google for WinSCP, a Google Ad referencing ‘Secure File Transfer – For Windows’ on the site softwareinteractivo[.]com
This site is a phishing page that impersonates a system administrator advice blog.
Once a user downloads a trojanized installer, ISO images are dropped on the compromised computer.
These files are then mounted in Windows Explorer and can be transferred to a drive, where their contents are accessible.
When executed, the renamed msiexec.exe file sideloads the NitrogenInstaller file contained within the same image.
This Sideloading dynamic link libraries (DLLs) technique is used by threat actors to disguise malicious activity as a legitimate process.
In addition, they employ DLL proxying technique by forwarding exported functions to the legitimate msi.dll file in the system directory.
Once executed, this NitrogenInstaller, drops a clean installer for the legitimate counterfeit application (e.g., Inno installer for WinSCP)
In addition to that, it drops two Python packages: a legitimate Python archive and a NitrogenStager.
NitrogenInstaller attempts to gain elevated privileges by bypassing the User Access Control (UAC) with the CMSTPLUA CLSID.
And Nitrogenstager creates a Meterpreter reverse TCP shell, enabling threat actors to execute code on the compromised system remotely.
Keep yourself informed about the latest Cyber Security News by following us on GoogleNews, Linkedin, Twitter, and Facebook.
Threat actors are increasingly using email bombing to bypass security protocols and facilitate further malicious…
Semiconductor companies, pivotal in the tech industry for their role in producing components integral to…
Enterprises are facing heightened cyber threats as attackers increasingly target network infrastructure, particularly routers, following…
Threat actors are using open-source software (OSS) repositories to install malicious code into trusted applications,…
The notorious Tycoon 2FA phishing kit continues its evolution with new strategies designed to slip…
INE Security Highlights How Practical, immersive training environments help defense contractors meet DoD cybersecurity requirements…