Hackers are taking advantage of popular IT tools by planting fake advertisements, known as “malvertisements,” on search engines. Their goal is to target IT professionals and carry out future ransomware attacks. This scheme revolves around pay-per-click ads on platforms like Google and Bing, which redirect users to compromised WordPress sites and phishing pages that imitate download pages for software such as AnyDesk, Cisco AnyConnect, TreeSize Free, and WinSCP. Unsuspecting visitors end up downloading the desired software along with a trojanized Python package containing initial access malware. This allows the attackers to drop further payloads onto the compromised systems.
Sophos researchers have named this campaign “Nitrogen” and have observed it hitting various technology companies and nonprofits in North America. Although no successful attacks have been reported yet, the researchers have identified hundreds of brands involved in malvertising campaigns in recent months.
Christopher Budd, the director of Sophos X-Ops, highlights that targeting IT professionals directly is an efficient and effective strategy for these hackers. By focusing on individuals who have access to an organization’s most sensitive systems, the attackers can increase their chances of success.
When users click on a Nitrogen malvertisement, they often land on phishing pages that mimic legitimate download pages. For example, they might unknowingly visit a website like “winsccp[.]com” with an extra “c” added. In some instances, the researchers discovered compromised WordPress sites that directed users to malicious phishing pages.
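The lookalike domain described above (a legitimate name with one extra character) is the kind of indicator a proxy or DNS log review can surface. The following script is an added example, not code from Sophos or from the article: it refangs `[.]` notation, pulls the hostname out of constructed proxy log lines, and flags hosts whose second-level label is within a small edit distance of an assumed allowlist of vendor domains, or embeds an allowlisted brand name. The allowlist entries and the log lines are constructed for the example, not verified vendor domains.

```python
"""Flag typosquat-style lookalike hostnames in proxy log lines.

Added example (not from the article or Sophos). The allowlist below is an
assumption used for illustration; build a real one from your own vetted
software sources.
"""
from urllib.parse import urlsplit

# Assumed allowlist of legitimate download hosts (illustrative only).
LEGIT_DOMAINS = {"winscp.net", "anydesk.com", "cisco.com", "jam-software.com"}

# Constructed sample proxy log lines (not real traffic).
LOG_LINES = [
    "2024-01-01T10:00:01Z user=alice url=https://winscp.net/eng/download.php",
    "2024-01-01T10:02:14Z user=bob url=https://winsccp[.]com/download/WinSCP-Setup.exe",
    "2024-01-01T10:05:40Z user=carol url=https://www.anydesk.com/en/downloads",
    "2024-01-01T10:07:03Z user=dave url=https://anydesk-download.xyz/AnyDesk.exe",
    "2024-01-01T10:09:55Z user=erin url=https://example.org/",
]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def refang(text: str) -> str:
    """Turn defanged '[.]' notation (as used in reports) back into dots."""
    return text.replace("[.]", ".")


def registrable_domain(host: str) -> str:
    """Naive registrable domain: last two labels. A public-suffix list is
    needed for multi-part TLDs such as co.uk (simplification for the example)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def sld(domain: str) -> str:
    """Second-level label, e.g. 'winscp' from 'winscp.net'."""
    return domain.split(".")[0]


def classify(hostname: str, allowlist=LEGIT_DOMAINS, max_distance: int = 2):
    """Return (verdict, matched_domain, distance) for one hostname.

    verdict: 'allowed' (on the allowlist, including subdomains),
             'lookalike' (near an allowlisted brand name), or 'unknown'.
    """
    domain = registrable_domain(refang(hostname))
    if domain in allowlist:
        return ("allowed", domain, 0)
    label = sld(domain)
    # Brand embedding, e.g. 'anydesk-download.xyz'. Short brand names can
    # produce false positives ('cisco' in 'francisco'); tune per brand.
    for legit in sorted(allowlist):
        if sld(legit) in label:
            return ("lookalike", legit, levenshtein(label, sld(legit)))
    # Near-miss spelling, e.g. 'winsccp.com' vs 'winscp.net'. Comparing the
    # second-level label only means a TLD swap ('winscp.com') is also caught.
    distance, match = min((levenshtein(label, sld(d)), d) for d in sorted(allowlist))
    if distance <= max_distance:
        return ("lookalike", match, distance)
    return ("unknown", None, distance)


def hostname_from_line(line: str):
    """Extract the hostname from a 'url=...' token; None if absent."""
    for token in line.split():
        if token.startswith("url="):
            return urlsplit(refang(token[4:])).hostname
    return None


def scan(lines):
    """Classify every log line that carries a URL."""
    results = []
    for line in lines:
        host = hostname_from_line(line)
        if host is None:
            continue
        verdict, match, distance = classify(host)
        results.append({"host": host, "verdict": verdict, "match": match, "distance": distance})
    return results


if __name__ == "__main__":
    for r in scan(LOG_LINES):
        print(f"{r['verdict']:9} {r['host']:28} nearest={r['match']} d={r['distance']}")
```

Feed it the hostnames from your own proxy, DNS or EDR telemetry and review the `lookalike` rows; the edit-distance threshold and the allowlist both need tuning to your environment, and a public-suffix-aware domain parser should replace the two-label shortcut in production.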
The downloaded files generally contain trojanized ISO installers that load a malicious DLL file onto the user’s system. This DLL file bundles the requested software together with initial access malware. Once executed, the malware establishes a connection to the attacker’s command and control infrastructure, allowing them to execute remote commands and maintain persistence on the compromised host.
Targeting IT professionals may seem risky due to their technical expertise. However, Budd suggests that the risks are outweighed by the potential rewards. IT professionals often have close proximity to a corporate network’s most sensitive systems, making them valuable targets for hackers.
The hackers’ ultimate intentions remain unclear. However, a report published by Trend Micro last month describes a campaign with similarities to Nitrogen. In that case, attackers used malvertising to drop BlackCat ransomware onto their target’s network. If ransomware attacks are being expedited through IT-oriented malvertisements, IT professionals need to remain vigilant.
Budd provides some guidance to avoid falling victim to these attacks. Instead of searching for software tools on search engines, he recommends navigating directly to the software maker’s website and verifying the site’s authenticity through its HTTPS certificate. By obtaining tools directly from trusted sources, users can minimize the risk of downloading malware-infected software.
In summary, malicious actors are leveraging malvertisements to target IT professionals and orchestrate ransomware attacks. The Nitrogen campaign aims to compromise users by redirecting them to phishing pages and distributing trojanized software packages. IT professionals should exercise caution and obtain software from reputable sources to mitigate the risk of falling victim to these attacks.