A new malvertising campaign named Nitrogen has been identified, using ads on Google Search and Bing to target users searching for IT tools like AnyDesk, Cisco AnyConnect VPN, and WinSCP. The attackers aim to deceive users into downloading trojanized installers with the intent to breach enterprise networks and potentially launch future ransomware attacks.
Sophos researchers discovered that Nitrogen is an opportunistic campaign deploying second-stage attack tools, including Cobalt Strike, to gain access to compromised systems. The infection chain involves redirecting users to compromised WordPress sites hosting malicious ISO image files, leading to the delivery of Python scripts and Cobalt Strike Beacons onto the targeted system.
Throughout the infection process, the threat actors employ uncommon export forwarding and DLL preloading techniques to obfuscate their malicious activities and hinder analysis.
This discovery comes amid a surge in cybercriminals using paid advertisements to lure users to malicious sites and trick them into downloading various forms of malware, such as BATLOADER, EugenLoader (aka FakeBat), and IcedID.
These malware payloads are used to spread information stealers and execute further attacks. The researchers also noted a significant presence of advertisements for SEO poisoning, malvertising, and related services on prominent criminal marketplaces. This finding indicates that cybercriminals have a keen interest in malvertising, which has become a popular tactic among threat actors to cast a wide net and attract unsuspecting users seeking specific IT utilities.
Sophos emphasizes the importance of organizations staying vigilant and taking proactive measures, such as timely software updates and cybersecurity training for teams, to defend against these evolving and sophisticated threats. Implementing Endpoint Detection and Response (EDR) solutions can also help combat high-profile attacks and mitigate the impact of incidents.
