Nitrogen Ransomware Effort Lures IT Pros via Google, Bing Ads

Published: 23/11/2024   Category: security




Forget temps and new employees. A new malicious campaign compromises organizations through a high-risk, high-reward vector: IT professionals.



Hackers are planting fake advertisements — malvertisements — for popular IT tools on search engines, hoping to ensnare IT professionals and perform future ransomware attacks.
The scheme surrounds pay-per-click ads on sites like Google and Bing, which link to compromised WordPress sites and phishing pages mimicking download pages for software such as AnyDesk, Cisco AnyConnect, TreeSize Free, and WinSCP. Unsuspecting visitors end up downloading the actual software they intended, alongside a trojanized Python package containing initial access malware, which the attackers then use to drop further payloads.
Researchers from Sophos are calling the campaign Nitrogen. It has already touched several technology companies and nonprofits in North America. Though none of the known cases have yet been successful, the researchers noted that hundreds of brands had been co-opted for malvertising of this sort across multiple campaigns in recent months.
"The key thing here is that they're targeting IT people," says Christopher Budd, director of Sophos X-Ops. Skipping right to the people closest to an organization's most sensitive systems, he says, is actually a fairly efficient and effective way of targeting.
Search engine surfers who click on a Nitrogen malvertisement will typically end up on a phishing page mimicking the actual download page for the software they're attempting to download — for example, winsccp[.]com, with that extra c subtly added in.
In one case, instead of a mere phishing page, the researchers discovered a compromised WordPress site at mypondsoftware[.]com/cisco. The researchers noted that all other links on the mypondsoftware[.]com site point to legitimate cisco.com Web pages, except for the download link for this particular installer, which directs to a malicious phishing page.
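The two lure styles described above (a typosquatted vendor domain such as winsccp[.]com, and a vendor name planted on an unrelated compromised site such as mypondsoftware[.]com/cisco) are both detectable in web proxy logs. The following is an added defensive example, not code from the article or from Sophos: it scans constructed proxy log lines for installer downloads whose host is within a couple of edits of a known vendor domain, whose host or path carries a vendor name while the host is not the vendor's, or which deliver an ISO-packaged installer from a host outside the allowlist. The vendor allowlist, keyword list, log format and every log line are assumptions constructed for this example.

```python
"""Flag installer downloads from lookalike or brand-abusing hosts in proxy logs.

Added example for this article; not Sophos's or the article's own code.
The allowlist, log format and log lines below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed allowlist of legitimate vendor domains; a defender maintains this list.
VENDOR_DOMAINS = {
    "winscp.net": "WinSCP",
    "anydesk.com": "AnyDesk",
    "cisco.com": "Cisco AnyConnect",
    "jam-software.com": "TreeSize",
}
# Product names that lure pages put in hostnames or paths to look legitimate.
BRAND_KEYWORDS = ("winscp", "anydesk", "cisco", "anyconnect", "treesize")
INSTALLER_EXT = (".iso", ".exe", ".msi", ".zip")
MAX_EDIT_DISTANCE = 2  # one or two swapped/added characters, e.g. winsccp

# Assumed proxy log format: key=value fields, one request per line.
LOG_RE = re.compile(r"dst=(?P<host>\S+)\s+uri=(?P<uri>\S+)")


@dataclass
class Finding:
    host: str
    uri: str
    reason: str
    impersonated: Optional[str] = None


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; enough to catch short typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Strip port and subdomains: 'download.winscp.net:443' -> 'winscp.net'."""
    host = host.lower().split(":")[0].rstrip(".")
    return ".".join(host.split(".")[-2:])


def check_download(host: str, uri: str) -> Optional[Finding]:
    """Classify one request; None means nothing worth a look."""
    if not uri.lower().endswith(INSTALLER_EXT):
        return None  # only installer downloads matter here
    domain = registrable(host)
    if domain in VENDOR_DOMAINS:
        return None  # genuine vendor host (or a subdomain of one)
    label = domain.split(".")[0]
    # 1. typosquat: registrable name within a couple of edits of a vendor name
    for vendor in VENDOR_DOMAINS:
        if levenshtein(label, vendor.split(".")[0]) <= MAX_EDIT_DISTANCE:
            return Finding(host, uri, "lookalike", vendor)
    # 2. brand abuse: vendor or product name on a host the vendor does not own
    blob = f"{host} {uri}".lower()
    if any(kw in blob for kw in BRAND_KEYWORDS):
        return Finding(host, uri, "brand-on-unrelated-host")
    # 3. an ISO-packaged installer from an unknown host deserves review regardless
    if uri.lower().endswith(".iso"):
        return Finding(host, uri, "iso-from-unknown-host")
    return None


def scan_log(lines: List[str]) -> List[Finding]:
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            f = check_download(m["host"], m["uri"])
            if f:
                findings.append(f)
    return findings


# Constructed log lines (not real traffic); hosts modelled on the article's examples.
SAMPLE_LOG = [
    "2024-11-23T10:01:02Z user=jdoe dst=download.winscp.net uri=/WinSCP-6.1-Setup.exe status=200",
    "2024-11-23T10:04:17Z user=jdoe dst=winsccp.com uri=/WinSCP-Setup.iso status=200",
    "2024-11-23T10:09:41Z user=asmith dst=mypondsoftware.com uri=/cisco/anyconnect-win.iso status=200",
    "2024-11-23T10:12:03Z user=asmith dst=files.example.net uri=/assets/logo.png status=200",
    "2024-11-23T10:15:55Z user=bjones dst=mirror.example.org uri=/images/installer.iso status=200",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        tail = f" (resembles {f.impersonated})" if f.impersonated else ""
        print(f"{f.reason:26} {f.host}{f.uri}{tail}")
```

Run as-is, the script reports three of the five constructed requests: the winsccp[.]com download as a lookalike of winscp.net, the mypondsoftware[.]com/cisco download as brand abuse on an unrelated host, and the ISO from an unknown mirror for review. The edit-distance threshold and the allowlist are the tuning knobs; short vendor names will need a lower threshold to avoid noise.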
Hitting download on any of these pages will download a trojanized ISO installer, which sideloads a malicious dynamic link library (DLL) file. The DLL file does, in fact, contain the user's desired software, but also initial access malware.
From here, the malicious attack chain establishes a connection to attacker-controlled command-and-control (C2) infrastructure, and drops a shell and a Cobalt Strike Beacon on the host computer in order to facilitate persistence and remote commands.
It might seem risky to target IT professionals — folks with, presumably, the technical savvy to snuff out phishing attacks. Budd acknowledges that the hit rate may be on the low side, because it is a more sophisticated audience. But the return, because of the sensitivity of that audience — namely, their proximity to the most sensitive systems in a corporate network — may be higher on those fewer hits, thus making it worthwhile.
What might the hackers do with such sensitive access? Budd stopped short of ascribing specific intentions, but he noted a report published last month by Trend Micro, which appears to map to the Nitrogen campaign. In that case, the attackers used their malvertising-enabled access to drop BlackCat ransomware onto their target's network.
If attackers are using IT-oriented malvertisements to expedite their ransomware campaigns, he says, IT professionals need to be extra alert. Avoiding the danger, luckily, is relatively straightforward.
"People are using searches to find these software tools, and that's where they're running into trouble out of the gate," he explains. "Instead of searching for the tool, know who the maker of the tool is, navigate to their site yourself, verify using the certificate through HTTPS that you're talking to the server that you think you are, and get your tools from them."
