A new malvertising campaign has been observed leveraging ads on Google Search and Bing to target users seeking IT tools like AnyDesk, Cisco AnyConnect VPN, and WinSCP, and trick them into downloading trojanized installers with an aim to breach enterprise networks and likely carry out future ransomware attacks.
Dubbed Nitrogen, the “opportunistic” activity is designed to deploy second-stage attack tools such as Cobalt Strike, Sophos said in a Wednesday analysis.
Nitrogen was first documented by eSentire in June 2023, detailing an infection chain that redirects users to compromised WordPress sites hosting malicious ISO image files that ultimately culminate in the delivery of Python scripts and Cobalt Strike Beacons onto the targeted system.
Then earlier this month, Trend Micro uncovered a similar attack sequence in which a fraudulent WinSCP application functioned as a stepping stone for a BlackCat ransomware attack.
“Throughout the infection chain, the threat actors use uncommon export forwarding and DLL preloading techniques to mask their malicious activity and hinder analysis,” Sophos researchers Gabor Szappanos, Morgan Demboski, and Benjamin Sollman said.
Shield Against Insider Threats: Master SaaS Security Posture Management
Worried about insider threats? We’ve got you covered! Join this webinar to explore practical strategies and the secrets of proactive security with SaaS Security Posture Management.
The Python scripts, once launched, establish a Meterpreter reverse TCP shell, thereby allowing threat actors to remotely execute code on the infected host, as well as download a Cobalt Strike Beacon to facilitate post-exploitation.
“Abuse of pay-per-click advertisements displayed in search engine results has become a popular tactic among threat actors,” the researchers said. “The threat actors are trying to cast a wide net to lure unsuspecting users seeking certain IT utilities.”
The findings also come against the backdrop of a spike in cybercriminals using paid advertisements to lure users to malicious sites and trick them into downloading a variety of malware such as BATLOADER, EugenLoader (aka FakeBat), and IcedID, which are then used to spread information stealers and other payloads.
To make matters worse, Sophos said it found on prominent criminal marketplaces a “significant number of advertisements for, and discussion about, SEO poisoning, malvertising, and related services” as well as sellers offering compromised Google Ads accounts.
This illustrates that “marketplaces users have a keen interest in SEO poisoning and malvertising” and that “it also negates the difficulty of trying to bypass email filters and convincing users to click a link or download and open an attachment.”