Sophos home free mac
12/14/2023

Updated 19:35 UTC, 26 July 2023 to add information about additional research available on Nitrogen.

In mid-June, Sophos X-Ops identified a previously unreported initial-access malware campaign leveraging malicious advertising (malvertising) and impersonating legitimate software to compromise business networks. This campaign – which we have dubbed Nitrogen based on strings found in the code – is a primarily opportunistic attack campaign abusing Google and Bing ads to target users seeking certain IT tools, with the goal of gaining access to enterprise environments to deploy second-stage attack tools such as Cobalt Strike.

Sophos X-Ops has observed the Nitrogen campaign targeting several organizations in the technology and non-profit sectors in North America. Though Sophos mitigated the infections before further hands-on-keyboard activity occurred, we assess it is likely that the threat actors mean to leverage this infection chain to stage compromised environments for ransomware deployment. This assessment is corroborated by recent research from Trend Micro stating it has observed a similar infection chain that led to a BlackCat (aka ALPHV) ransomware infection.

After releasing this post, Sophos X-Ops became aware of additional research on Nitrogen that we were not aware of during our research. That research is by Esentire and can be found here.

Figure 1: An overview of the observed Nitrogen infection chain

In this article, we'll briefly walk through the infection process, which begins when a user searches for certain popular software packages on Google or Bing. Since there are subtle differences in how this stage goes, we have included three examples of different search-to-infection chains, which includes a twist designed to troll investigators. We then turn to a detailed description of how the malware operates and what happens once the infected file has been downloaded. (A list of MITRE ATT&CK techniques seen in this attack chain is provided at the end of the article.)

Nitrogen Malware Family

While investigating this campaign, X-Ops analysts uncovered a new initial access malware family called Nitrogen. The name derives from the components and debug information we found in the samples, which indicate that the developers refer to this project as Nitrogen or Nitronet. The names of these components also indicate a relation to the Metasploit Framework (MSF), which is leveraged in the Nitrogen campaign to generate the reverse shell scripts used in NitrogenStager. The main components use the following class names:

The observed infection chain starts with malvertising via Google and Bing Ads to lure users to compromised WordPress sites and phishing pages impersonating popular software distribution sites, where they are tricked into downloading trojanized ISO installers. When downloaded, the installers sideload the malicious NitrogenInstaller DLL containing a legitimate software application bundled with a malicious Python execution environment. The Python package uses Dynamic Link Library (DLL) preloading to execute the malicious NitrogenStager file, which connects to the threat actor's command-and-control (C2) servers to drop both a Meterpreter shell and Cobalt Strike Beacons onto the targeted system. Throughout the infection chain, the threat actors use uncommon export forwarding and DLL preloading techniques to mask their malicious activity and hinder analysis. The infection chain involves multiple stages and components, which are still under analysis at this writing.
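The infection chain above hinges on two host-side behaviours a defender can look for in endpoint telemetry: a legitimate executable running from a mounted ISO (which appears as a new drive letter) loading an unsigned DLL from its own directory (the sideloading/preloading step), and a Python interpreter being launched from that same untrusted location. The following is an added example, not code from Sophos or from the report; it runs a simple triage heuristic over constructed Sysmon-style log lines. The CSV field names, the list of trusted install roots, and the drive-letter assumption are mine, not taken from the article.

```python
"""Heuristic triage of process-create / image-load telemetry for the
DLL sideloading pattern described in the Nitrogen write-up.

Added example. The log lines, field names and trusted-root list below are
constructed assumptions, not data from the original report.
"""
import csv
import io
import ntpath  # handles Windows paths correctly on any host OS

# Constructed sample telemetry: one event per line, CSV with a header.
# "signed" is assumed to be the Authenticode verdict the sensor attached.
SAMPLE_LOG = """\
event,pid,image,loaded,signed
ImageLoad,4120,D:\\Setup\\install.exe,D:\\Setup\\msi.dll,false
ImageLoad,4120,D:\\Setup\\install.exe,C:\\Windows\\System32\\kernel32.dll,true
ProcessCreate,4188,D:\\Setup\\python\\python.exe,,true
ImageLoad,4188,D:\\Setup\\python\\python.exe,D:\\Setup\\python\\python3.dll,false
ImageLoad,3010,C:\\Program Files\\Vendor\\app.exe,C:\\Program Files\\Vendor\\helper.dll,true
ProcessCreate,2222,C:\\Windows\\System32\\svchost.exe,,true
"""

# Locations where a same-directory DLL load is expected and benign.
# Anything else (a mounted ISO drive letter, %TEMP%, Downloads) is "untrusted".
TRUSTED_ROOTS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Interpreters that should not normally be launched from an installer folder.
INTERPRETERS = {"python.exe", "pythonw.exe"}


def in_trusted_root(path):
    """True if the path sits under one of the assumed trusted install roots."""
    p = path.lower()
    return any(p.startswith(root) for root in TRUSTED_ROOTS)


def triage(log_text):
    """Return a list of (finding, pid, detail) tuples for suspicious events.

    possible_sideload: a process outside a trusted root loads an unsigned DLL
        from its own directory (the classic sideload / preload shape).
    interpreter_untrusted_path: a Python interpreter starts outside a trusted
        root, matching the bundled execution environment the article describes.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        image = row["image"]
        pid = int(row["pid"])

        if row["event"] == "ImageLoad":
            dll = row["loaded"]
            same_dir = ntpath.dirname(dll).lower() == ntpath.dirname(image).lower()
            unsigned = row["signed"].lower() == "false"
            if same_dir and unsigned and not in_trusted_root(image):
                findings.append(("possible_sideload", pid, ntpath.basename(dll)))

        elif row["event"] == "ProcessCreate":
            exe = ntpath.basename(image).lower()
            if exe in INTERPRETERS and not in_trusted_root(image):
                findings.append(("interpreter_untrusted_path", pid, image))

    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample, the heuristic flags the unsigned `msi.dll` loaded beside `install.exe` on the ISO drive, the Python interpreter started from the same ISO, and the unsigned `python3.dll` that interpreter loads from its own folder; the vendor application under Program Files and the normal `kernel32.dll` load are left alone. In production the trusted-root list needs tuning for portable applications and per-user installs, and correlating the ISO mount event (a new drive letter appearing shortly before the process start) with the same PID tree cuts false positives further.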