Nitrogen malvertising campaign spreads via search ads

August 18, 2023
The newly discovered Nitrogen malvertising campaign has exploited Google Search and Bing ads to target users seeking IT tools. This new cybercriminal operation fools users into downloading installers that contain malicious payloads. Moreover, the researchers believe that the primary goal of this new campaign is to infiltrate enterprise networks, which could be a stepping stone for ransomware attacks.

The Nitrogen malvertising campaign prioritises targeting the North American region.

According to investigations, the Nitrogen malvertising campaign targets the technology sector and non-profit organisations in the North American region. Its operations start with attacker-controlled ads that appear when users search the earlier-mentioned search engines for popular software such as WinSCP, TreeSize Free, Cisco AnyConnect VPN, and AnyDesk; the ads promote the attackers' malicious builds posing as installers for those products.

The ad's link redirects users to compromised WordPress-hosted pages that impersonate the legitimate download website for the specific app they were seeking. Next, the threat actors use uncommon techniques such as export forwarding and DLL sideloading to hide their malicious actions and make analysis more challenging throughout the infection process.

Furthermore, the campaign operators start a Meterpreter reverse TCP shell that allows them to execute code remotely on an infected system using Python scripts.

A separate researcher has observed incidents in which the threat actors engage in hands-on-keyboard activity after the Meterpreter script is started on targeted systems. The attackers manually executed commands to retrieve additional ZIP archives and a Python 3 environment. That Python environment is then used to execute Cobalt Strike in memory, since the NitrogenStager has no capability of its own to launch the Python scripts.

Numerous threat actors have joined the trend of abusing pay-per-click ads in search engine results. They target users by impersonating legitimate products, deploying trojanised installers that give them a foothold for follow-on attacks.

Organisations should prioritise employing comprehensive and robust detection solutions to effectively uncover and mitigate deceptive activities to defend against such threats lurking in the wild.
