
Nitrogen Malware

Researchers have uncovered an initial access malware campaign that they are tracking as 'Nitrogen.' Cybercriminals have been utilizing Google and Bing search ads to promote counterfeit software websites as a way to infect unsuspecting victims. Users who download software from these sites are infected and subsequently have Cobalt Strike and ransomware payloads deployed on their systems.

The core objective behind the Nitrogen malware is to grant threat actors an initial entry point into corporate networks. Once inside, the malicious actors are able to carry out data theft, engage in cyberespionage and ultimately unleash the destructive BlackCat/ALPHV Ransomware.

An in-depth analysis of the Nitrogen campaign has revealed its primary targets, which predominantly encompass technology and non-profit organizations situated in North America. The attackers execute their scheme by impersonating reputable software providers like AnyDesk, Cisco AnyConnect VPN, TreeSize Free and WinSCP. This deceptive tactic dupes users into believing they are accessing genuine software, only to instead be exposed to the perils of the Nitrogen malware.

The use of Google and Bing search ads in this campaign adds an additional layer of sophistication, enabling the threat actors to reach a broader pool of potential victims. By leveraging these popular search engines, the attackers increase the likelihood of enticing users into clicking on the fraudulent software links, thus initiating the malicious infection process.

The Nitrogen Malware Targets Victims from Specific Geographic Locations

The Nitrogen Malware campaign starts when users conduct a Google or Bing search for various well-known software applications. Among the software used as bait in this campaign are AnyDesk (a remote desktop application), WinSCP (an SFTP/FTP client for Windows), Cisco AnyConnect (a VPN suite) and TreeSize Free (a disk-space calculator and manager). The selection of software lures is based on the attackers' targeting criteria.

When a user searches for any of these software applications, the respective search engine displays an advertisement that appears to promote the exact software product. Unwittingly, users may click on these seemingly legitimate ads, hoping to download the desired software.

However, instead of reaching the genuine website, the link redirects visitors to compromised WordPress hosting pages. These pages are skillfully designed to mimic the appearance of the official download sites for the specific application in question.

However, not everyone is taken to unsafe websites. Only visitors from specific geographic regions are selectively redirected to the phishing sites, ensuring a higher chance of luring potential victims from the chosen areas. If anyone tries to reach the pages by directly opening their link instead of being taken there through an ad, they would be redirected to a YouTube video of Rick Astley's classic 'Never Gonna Give You Up' – a move known as rick-rolling.

The Nitrogen Malware Was Likely Used to Deliver Ransomware to Compromised Devices

The threatening software delivered from the fake sites comes in the form of trojanized ISO installers whose 'install.exe' carries and then sideloads a malicious DLL file, 'msi.dll' (NitrogenInstaller), which acts as the installer for the Nitrogen Malware. It also sets up the promised application so as not to raise the victim's suspicions. The malware establishes persistence by creating a 'Python' registry run key that runs at an interval of five minutes and points to a malicious binary named 'pythonw.exe.'

The Python component of the malware, called 'python.311.dll' (NitrogenStager), takes charge of establishing communication with the hackers' Command-and-Control server (C2). It also initiates a Meterpreter shell and Cobalt Strike Beacons on the victim's computer.

In certain instances, the attackers engage in hands-on actions once the Meterpreter script is executed on the targeted systems. They use manual commands to retrieve additional ZIP files and Python 3 environments, which are necessary to run Cobalt Strike in memory, as the NitrogenStager itself cannot execute Python scripts. The Nitrogen infection chain indicates that compromised devices are being staged for the deployment of final ransomware payloads.
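The two host-level indicators described above, the 'Python' run key launching 'pythonw.exe' and 'msi.dll' being sideloaded by 'install.exe', lend themselves to a simple detection pass over endpoint telemetry. The following is an added example and not code from the original article; it assumes a simplified, constructed key=value rendering of Sysmon registry-set (Event ID 13) and image-load (Event ID 7) events, and treats the Windows system directories as the only legitimate location for msi.dll.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events in a simplified key=value form (not real telemetry).
SAMPLE_EVENTS = [
    "EID=13 TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Python "
    "Details=C:\\Users\\bob\\AppData\\Roaming\\Python\\pythonw.exe",
    "EID=13 TargetObject=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive "
    "Details=C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe",
    "EID=7 Image=D:\\install.exe ImageLoaded=D:\\msi.dll Signed=false",
    "EID=7 Image=C:\\Windows\\System32\\msiexec.exe ImageLoaded=C:\\Windows\\System32\\msi.dll Signed=true",
]

# key=value pairs; values may contain spaces, so stop before the next "key=".
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")
# Assumption: the legitimate msi.dll lives only in these directories.
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}

def parse_event(line):
    return dict(FIELD_RE.findall(line))

def check_run_key(ev):
    """EID 13: a Run value named 'Python' or one that launches pythonw.exe."""
    target = ev.get("TargetObject", "")
    if "\\currentversion\\run\\" not in target.lower():
        return None
    value_name = target.rsplit("\\", 1)[-1]
    exe = PureWindowsPath(ev.get("Details", "")).name.lower()
    if value_name.lower() == "python" or exe == "pythonw.exe":
        return ("run_key_pythonw", f"{value_name} -> {ev.get('Details')}")
    return None

def check_msi_sideload(ev):
    """EID 7: msi.dll loaded from anywhere other than the system directories."""
    loaded = PureWindowsPath(ev.get("ImageLoaded", ""))
    if loaded.name.lower() != "msi.dll":
        return None
    if str(loaded.parent).lower() in SYSTEM_DIRS:
        return None
    return ("msi_dll_sideload", f"{ev.get('Image')} loaded {loaded}")

def find_nitrogen_indicators(lines):
    """Return (rule, evidence) tuples for every event matching a rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        checker = {"13": check_run_key, "7": check_msi_sideload}.get(ev.get("EID"))
        hit = checker(ev) if checker else None
        if hit:
            hits.append(hit)
    return hits

if __name__ == "__main__":
    for rule, evidence in find_nitrogen_indicators(SAMPLE_EVENTS):
        print(rule, evidence)
```

Run against the sample events, only the AppData 'Python' run value and the msi.dll loaded from the ISO drive are reported; the legitimate OneDrive run value and the System32 msi.dll load are not.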
