Nitrogen Malware Spreads Through Malicious Ads


Hackers have devised a cunning plan dubbed "Nitrogen" to trap IT professionals using fake advertisements, also known as "malvertisements," that appear on popular search engines. These malicious ads are designed to lead unsuspecting IT experts to compromised websites and phishing pages that imitate legitimate download portals for widely used software like AnyDesk, Cisco AnyConnect, TreeSize Free, and WinSCP.

When IT professionals click on these ads, they unwittingly download the intended software alongside a concealed Python package containing initial access malware. This allows the hackers to later launch more severe ransomware attacks. The campaign has been identified by researchers from Sophos, who have observed its presence in various technology companies and nonprofits across North America. Although no successful attacks have been reported yet, the researchers warn that multiple brands have been co-opted for similar malvertising efforts in recent months.

The hackers' choice to target IT professionals directly is a strategic move, according to Christopher Budd, director of Sophos X-Ops. By focusing on those who manage an organization's most sensitive systems, the attackers increase their efficiency and effectiveness in infiltrating the corporate network.

Once an IT pro falls into the trap, they may end up on a phishing page that convincingly mimics the authentic download page for their desired software, reached through a lookalike domain such as "winsccp[.]com", where an extra "c" is subtly inserted to deceive visitors. In some instances, compromised WordPress sites are used, giving the appearance of legitimacy while delivering the malware-laden software.

Nitrogen Comes in Trojanized ISO

Upon clicking the "download" button, a trojanized ISO installer is deployed, which includes a malicious dynamic link library (DLL) file. While this DLL does contain the desired software, it also contains the initial access malware. Subsequently, the hackers establish a connection to their command and control infrastructure, deploying a shell and a Cobalt Strike Beacon on the infected computer. This allows them to maintain persistence and execute remote commands.
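Both the lookalike-domain lure and the ISO delivery described above are things a defender can look for in web proxy logs. The following is an added example, not code from Sophos or from this article: it flags hosts whose registrable label is within one edit (including a transposition) of a watched brand name, flags a brand name that appears on a host outside a sanctioned allowlist (a TLD swap), and flags disk-image downloads from unsanctioned hosts. The brand watchlist, the allowlist, the log line layout and the sample log lines are all constructed assumptions; the registrable-label extraction is deliberately naive (no public-suffix handling).

```python
"""Flag lookalike download domains and disk-image downloads in proxy logs (added example)."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Brand labels impersonated in the campaign; software names come from the article,
# the choice of label strings is an assumption.
BRAND_LABELS = {"anydesk", "winscp", "treesize", "anyconnect"}

# Assumed sanctioned download hosts; populate from your own approved-software list.
ALLOWLIST = {"anydesk.com", "winscp.net"}

MAX_DISTANCE = 1                  # one insertion/deletion/substitution/transposition
ISO_SUFFIXES = (".iso", ".img")   # disk images used to carry the trojanized installer

# Constructed proxy log lines in an assumed "timestamp client method url" layout.
SAMPLE_LOG = """\
2023-07-20T10:12:03Z 10.1.2.3 GET https://winscp.net/eng/download.php
2023-07-20T10:13:41Z 10.1.2.3 GET https://winsccp[.]com/download/WinSCP-Setup.iso
2023-07-20T10:15:09Z 10.1.2.8 GET https://anydesk.com/en/downloads
2023-07-20T10:16:22Z 10.1.2.8 GET https://anydeskk.com/AnyDesk.exe
2023-07-20T10:17:55Z 10.1.2.9 GET https://files.example.org/report.pdf
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")


@dataclass(frozen=True)
class Finding:
    timestamp: str
    client: str
    host: str
    reason: str


def refang(url: str) -> str:
    """Undo common defanging ("[.]", "hxxp") so URLs copied from reports parse normally."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment (restricted Damerau-Levenshtein) distance."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def registrable_label(host: str) -> str:
    """Second-to-last DNS label; assumption: no public-suffix list (co.uk etc.) handling."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_host(host: str, path: str) -> list[str]:
    """Return human-readable reasons to flag this request, or an empty list."""
    host = host.lower()
    label = registrable_label(host)
    sanctioned = host in ALLOWLIST or any(host.endswith("." + a) for a in ALLOWLIST)
    reasons = []
    for brand in sorted(BRAND_LABELS):
        if label == brand:
            if not sanctioned:
                reasons.append(f"brand label '{brand}' on unsanctioned host")
        elif osa_distance(label, brand) <= MAX_DISTANCE:
            reasons.append(f"lookalike of '{brand}'")
    if not sanctioned and path.lower().endswith(ISO_SUFFIXES):
        reasons.append("disk-image download from unsanctioned host")
    return reasons


def scan_log(text: str) -> list[Finding]:
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        url = urlsplit(refang(m["url"]))
        host = url.hostname or ""
        for reason in classify_host(host, url.path):
            findings.append(Finding(m["ts"], m["client"], host, reason))
    return findings


def flagged_hosts(text: str) -> list[str]:
    return sorted({f.host for f in scan_log(text)})


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.client} {f.host}: {f.reason}")
```

On the constructed sample the legitimate winscp.net and anydesk.com requests pass, while winsccp.com is flagged twice (lookalike label plus an ISO download) and anydeskk.com once. In practice the allowlist is what keeps the false-positive rate usable, and the distance threshold should stay at one edit for short labels, since two edits on a six-letter name match far too many unrelated domains.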

Despite the risks of targeting technically adept IT professionals, the hackers see the potential rewards as worthwhile. Since IT personnel have close proximity to sensitive systems within a corporate network, the attackers believe their efforts will pay off, even if the hit rate is relatively low.

While the specific intentions of the attackers remain unclear, similar campaigns in the past have led to ransomware attacks, such as the deployment of BlackCat ransomware through malvertising-enabled access. The overall goal appears to be gaining control of critical systems and holding them hostage for financial gain or other malicious purposes.

July 27, 2023
