A recent cyberattack involving Nitrogen malware has been uncovered, revealing a highly sophisticated campaign that deploys Sliver and Cobalt Strike on hijacked servers. The attack was triggered when a user unknowingly downloaded a fake version of “Advanced IP Scanner” from a fraudulent website promoted via Google ads. This download initiated the Nitrogen malware campaign, where the attackers used a ZIP file containing a legitimate Python executable to side-load malicious code. The Nitrogen code then executed, allowing the deployment of advanced remote access tools, including Sliver and Cobalt Strike beacons, which are commonly used in penetration testing and red team operations.
Once inside the network, the attackers employed various tools to perform extensive reconnaissance over eight days. PowerView and BloodHound were used to map the network’s architecture and explore the Active Directory structure. The threat actors moved laterally within the network through methods such as Windows Management Instrumentation (WMI), Remote Desktop Protocol (RDP), and Pass-the-Hash techniques, which allowed them to compromise additional systems. By dumping LSASS memory, they harvested sensitive credentials, enabling further unauthorized access.
The attackers took multiple steps to maintain persistence within the compromised network, including modifying registry keys, scheduling tasks, and mimicking legitimate processes like Microsoft Edge and OneDrive. To evade detection, they utilized techniques such as API unhooking, sleep obfuscation, and bypassing security measures like AMSI, WLDP, and ETW. Privilege escalation was achieved through process injection into the winlogon.exe process, granting the attackers even greater control over the systems.
In the final phase of the attack, the attackers deployed BlackCat ransomware using the Server Message Block (SMB) protocol and PsExec. They forced systems to reboot into Safe Mode with Networking to bypass security protections, encrypting files across the network and leaving ransom notes on affected systems. Data was exfiltrated using the open-source tool Restic to a server in Bulgaria, further compounding the damage. The entire operation, from initial compromise to full ransomware deployment, spanned approximately 156 hours, underscoring the complexity and persistence of modern cyber threats.
