The latest research discovered malvertising campaigns abusing Google and Bing ads to target users seeking certain IT tools and deploying ransomware.
This campaign targets several organizations in the technology and non-profit sectors in North America.
This campaign exhibits similar features of the infection chain that are related to the BlackCat (aka ALPHV) ransomware infection.
Sophos X ops researchers have found that a new variant of malware named Nitrogen was employed to trick users into downloading Trojanized ISO installers.
Initially, the threat actor targets users who visit advertisements on Google and Bing to obtain software tools and then redirects them to a malicious website hosted by the threat actor.
This campaign specifically targets IT professionals, as the advertised websites pose as prominent software installers such as AnyDesk, WinSCP, and Cisco AnyConnect VPN.
For instance, when a user queries Google for WinSCP, a Google Ad referencing ‘Secure File Transfer – For Windows’ on the site softwareinteractivo[.]com
This site is a phishing page that impersonates a system administrator advice blog.
Once a user downloads a trojanized installer, ISO images are dropped on the compromised computer.
These files are then mounted in Windows Explorer and can be transferred to a drive, where their contents are accessible.
When executed, the renamed msiexec.exe file sideloads the NitrogenInstaller file contained within the same image.
This Sideloading dynamic link libraries (DLLs) technique is used by threat actors to disguise malicious activity as a legitimate process.
In addition, they employ DLL proxying technique by forwarding exported functions to the legitimate msi.dll file in the system directory.
Once executed, this NitrogenInstaller, drops a clean installer for the legitimate counterfeit application (e.g., Inno installer for WinSCP)
In addition to that, it drops two Python packages: a legitimate Python archive and a NitrogenStager.
NitrogenInstaller attempts to gain elevated privileges by bypassing the User Access Control (UAC) with the CMSTPLUA CLSID.
And Nitrogenstager creates a Meterpreter reverse TCP shell, enabling threat actors to execute code on the compromised system remotely.
Keep yourself informed about the latest Cyber Security News by following us on GoogleNews, Linkedin, Twitter, and Facebook.
Penetration testing companies play a vital role in strengthening the cybersecurity defenses of organizations by…
Cybersecurity researchers continue to track sophisticated "Click Fix" style distribution campaigns that deliver the notorious…
In a novel and concerning development, multiple U.S. organizations have reported receiving suspicious physical letters…
The cybersecurity landscape has recently been impacted by the emergence of the Strela Stealer malware,…
A recent discovery by the Socket Research Team has unveiled a malicious PyPI package named…
A recent cybersecurity threat has emerged where unknown attackers are exploiting a critical remote code…