A recently discovered initial access malware family dubbed Nitrogen exploits Google and Bing search advertisements to promote fake software webpages that can infect victims with Cobalt Strike and ransomware payloads, according to security researchers at Sophos.
Malvertising, a form of SEO poisoning, is the abuse of search engine advertisements by threat actors to impersonate brands and direct users to malicious sites that compromise devices by delivering ransomware and other forms of malware. Many of the malicious ads observed in this campaign targeted users looking to download popular technology software such as AnyDesk, WinSCP, Cisco AnyConnect, and TreeSize Free. The observed campaign primarily targeted entities in North America.

According to the researchers, the likely goal of the campaign is to gain initial access to enterprise networks, deliver second-stage malware payloads such as Cobalt Strike, and ultimately deploy ransomware. Researchers at Trend Micro confirmed that this attack chain led to the deployment of the BlackCat ransomware in at least one case.

To defend against this activity, members may wish to consider employing reputable ad-blockers and reminding users to refrain from clicking on “promoted” advertisements in search engine results. Read more at BleepingComputer or read the original report at Sophos.
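As an added example (not code from the Sophos or Trend Micro reports), the following Python flags installer downloads in a proxy log that are named after the impersonated products above but were served from a host outside a vendor allowlist, and records whether the request was referred by a Google or Bing search page. The vendor domains, the log format and the sample lines are assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse
# Legitimate download domains for the products the campaign impersonated. These are an
# assumption for this example, not from the Sophos report; use your own allowlist.
OFFICIAL_DOMAINS = {
    "anydesk": ("anydesk.com",),
    "winscp": ("winscp.net",),
    "anyconnect": ("cisco.com",),
    "treesize": ("jam-software.com",),
}
INSTALLER_EXT = re.compile(r"\.(exe|msi|iso|zip)$", re.I)
SEARCH_ENGINES = ("google.com", "bing.com")  # referrer hosts marking a search-result click

def _under(host, domain):
    return host == domain or host.endswith("." + domain)

def classify_download(url, referrer=""):
    """Finding for an installer named after a known product but served off-vendor; else None."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    filename = p.path.rsplit("/", 1)[-1]
    if not INSTALLER_EXT.search(filename):
        return None
    for product, domains in OFFICIAL_DOMAINS.items():
        if product in filename.lower() and not any(_under(host, d) for d in domains):
            ref_host = (urlparse(referrer).hostname or "").lower()
            return {"product": product, "host": host, "file": filename,
                    "from_search": any(_under(ref_host, s) for s in SEARCH_ENGINES)}
    return None

def scan_proxy_log(lines):
    """Lines are '<timestamp> <client_ip> <url> <referrer>' (constructed format)."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        finding = classify_download(parts[2], parts[3])
        if finding:
            findings.append({"client": parts[1], **finding})
    return findings

# Constructed sample lines; the non-vendor hostnames are placeholders, not real indicators.
SAMPLE_LOG = [
    "2023-07-26T10:01:02Z 10.0.0.5 https://download.anydesk.com/AnyDesk.exe https://www.google.com/",
    "2023-07-26T10:03:15Z 10.0.0.7 https://winscp-setup.example/WinSCP-Setup.exe https://www.bing.com/",
    "2023-07-26T10:04:40Z 10.0.0.9 https://tree-size.example/TreeSizeFree.zip -",
    "2023-07-26T10:05:01Z 10.0.0.5 https://cdn.example/readme.txt -",
]
```

Downloads of the same installers from the vendor domain are not flagged, so the check surfaces only the brand-impersonation pattern the campaign relied on.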