Hackers are planting fake advertisements — “malvertisements” — for popular IT tools on search engines, hoping to ensnare IT professionals and perform future ransomware attacks.
The scheme centers on pay-per-click ads on sites like Google and Bing, which link to compromised WordPress sites and phishing pages mimicking download pages for software such as AnyDesk, Cisco AnyConnect, TreeSize Free, and WinSCP. Unsuspecting visitors end up downloading the actual software they intended, alongside a trojanized Python package containing initial access malware, which the attackers then use to drop further payloads.
Researchers from Sophos are calling the campaign “Nitrogen.” It has already touched several technology companies and nonprofits in North America. Though none of the known cases have yet been successful, the researchers noted that “hundreds of brands co-opted for malvertising of this sort across multiple campaigns in recent months.”
“The key thing here is that they’re targeting IT people,” says Christopher Budd, director of Sophos X-Ops. Skipping right to the people closest to an organization’s most sensitive systems, he says, “is actually a fairly efficient and effective way of targeting.”
Honeypots for IT Pros
Search engine surfers who click on a Nitrogen malvertisement will typically end up on a phishing page mimicking the actual download page for the software they’re attempting to download — for example, “winsccp[.]com,” with that extra “c” subtly added in.
In one case, instead of a mere phishing page, the researchers discovered a compromised WordPress site at mypondsoftware[.]com/cisco. The researchers noted that “all other links on the mypondsoftware[.]com point to legitimate cisco.com Web pages, except for the download link for this particular installer,” which directs to a malicious phishing page.
Hitting “download” on any of these pages will download a trojanized ISO installer, which sideloads a malicious dynamic link library (DLL) file. The DLL file does, in fact, contain the user’s desired software, but also initial access malware.
From here, the malicious attack chain establishes a connection to attacker-controlled command and control (C2) infrastructure, and drops a shell and a Cobalt Strike Beacon on the host computer in order to facilitate persistence and remote commands.
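For defenders, the lookalike download domains described above (such as “winsccp[.]com”) can be hunted in proxy or DNS logs. The following is an added example, not code from Sophos or the original article: it flags hosts whose name is within one edit of, or embeds, a tool name while not belonging to the vendor's domain. The allowlist, the log format, the `.example` hosts and the workstation names are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit
# Added example. Vendor domains are an assumption: verify against your inventory.
OFFICIAL = {"winscp": "winscp.net", "anydesk": "anydesk.com",
            "cisco": "cisco.com", "treesize": "jam-software.com"}

# Constructed proxy-log lines (not real telemetry); URLs kept defanged.
SAMPLE_LOG = [
    "2024-01-15T09:14:02Z wks-114 hxxps://winsccp[.]com/download",
    "2024-01-15T09:15:40Z wks-114 hxxps://winscp[.]net/download",
    "2024-01-15T09:20:11Z wks-207 hxxps://software.cisco[.]com/download/home",
    "2024-01-15T09:31:55Z wks-033 hxxps://anydesk-setup[.]example/get",
]

def refang(url):
    """Undo report-style defanging: hxxps://winsccp[.]com -> https://winsccp.com"""
    return url.replace("[.]", ".").replace("hxxp", "http", 1)

def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute) using a two-row table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host):
    """Return (verdict, brand); verdict is 'official', 'lookalike' or 'unrelated'."""
    host = host.lower().rstrip(".")
    for brand, domain in OFFICIAL.items():
        if host == domain or host.endswith("." + domain):
            return "official", brand
    for label in host.split(".")[:-1]:  # every label except the TLD
        for brand in OFFICIAL:
            if brand in label or edit_distance(label, brand) <= 1:
                return "lookalike", brand
    return "unrelated", None

def scan(lines):
    """Return (workstation, host, brand) for each request to a lookalike host."""
    hits = []
    for line in lines:
        _ts, src, url = line.split()
        host = urlsplit(refang(url)).hostname
        verdict, brand = classify(host)
        if verdict == "lookalike":
            hits.append((src, host, brand))
    return hits
```

A host-only check like this does not catch the compromised-site case, where the brand appears only in the path of an otherwise unrelated domain; that needs URL-path or download-content inspection.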
What Nitrogen Is After
It might seem risky to target IT professionals — folks with, presumably, the technical savvy to snuff out phishing attacks. Budd acknowledges that “the hit rate may be on the low side, because it is a more sophisticated audience. But the return, because of the sensitivity of that audience” — namely, their proximity to the most sensitive systems in a corporate network — “may be higher on those fewer hits, thus making it worthwhile.”
What might the hackers do with such sensitive access? Budd stopped short of ascribing specific intentions, but he noted a report published last month by Trend Micro, which appears to map to the Nitrogen campaign. In that case, the attackers used their malvertising-enabled access to drop BlackCat ransomware onto their target’s network.
If attackers are using IT-oriented malvertisements to expedite their ransomware campaigns, he says, IT professionals need to be extra alert. Avoiding the danger, luckily, is relatively straightforward.
“People are using searches to find these software tools, and that’s where they’re running into trouble out of the gate,” he explains. “Instead of searching for the tool, know who the maker of the tool is, navigate to their site yourself, verify using the certificate through HTTPS that you’re talking to the server that you think you are, and get your tools from them.”