惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Microsoft Azure Blog
Microsoft Azure Blog
V
V2EX
博客园 - 【当耐特】
WordPress大学
WordPress大学
爱范儿
爱范儿
美团技术团队
宝玉的分享
宝玉的分享
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
小众软件
小众软件
量子位
Hugging Face - Blog
Hugging Face - Blog
B
Blog RSS Feed
Recorded Future
Recorded Future
Engineering at Meta
Engineering at Meta
雷峰网
雷峰网
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
M
MIT News - Artificial intelligence
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
博客园 - 聂微东
H
Hackread – Cybersecurity News, Data Breaches, AI and More
腾讯CDC
大猫的无限游戏
大猫的无限游戏
Jina AI
Jina AI
博客园 - 叶小钗
GbyAI
GbyAI
Y
Y Combinator Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
F
Full Disclosure
G
Google Developers Blog
D
Docker
T
Tailwind CSS Blog
C
Check Point Blog
Last Week in AI
Last Week in AI
人人都是产品经理
人人都是产品经理
T
The Blog of Author Tim Ferriss
B
Blog
博客园 - 三生石上(FineUI控件)
博客园 - Franky
H
Help Net Security
MyScale Blog
MyScale Blog
U
Unit 42
D
DataBreaches.Net
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
I
InfoQ
阮一峰的网络日志
阮一峰的网络日志
The GitHub Blog
The GitHub Blog
L
LangChain Blog
有赞技术团队
有赞技术团队
Martin Fowler
Martin Fowler
Microsoft Security Blog
Microsoft Security Blog

Jerome Segura – ThreatDown by Malwarebytes

WorkersDevBackdoor and MadMxShell converge in malvertising campaigns SmartApeSG walkthrough ClearFake walkthrough - ThreatDown by Malwarebytes Gootloader walkthrough - ThreatDown by Malwarebytes Threat actors ride the hype for newly released Arc browser - ThreatDown by Malwarebytes A peek inside a malvertising campaign - ThreatDown by Malwarebytes FakeBat - ThreatDown by Malwarebytes LockBit Black - ThreatDown by Malwarebytes Corporate users targeted via malicious ads and modals - ThreatDown by Malwarebytes
Nitrogen - ThreatDown by Malwarebytes
Jerome Segura · 2024-05-04 · via Jerome Segura – ThreatDown by Malwarebytes

Nitrogen via Google ad for Advanced IP Scanner

Nitrogen, tested on May 3, 2024

Malvertising, the use of ads to deliver malware, has become very popular in the past couple of years. This is especially true for ads that appear on search results pages for Google, and to a lesser extent Bing.

The threat we are looking at today lures potential victims (likely system administrators) with an ad for Advanced IP Scanner, a popular networking tool. The malicious download leads to Nitrogen, a piece of malware that is used as initial access for ransomware deployment.

Distribution (Google ad->Phishing site->Download ZIP)

We searched on Google for the keywords ‘advanced ip scanner’ and saw the ad shown below. In this case, the threat actors used minimal effort as the domain name is clearly different than the official site, and the ad contains typos.

When you click on the ad, you are redirected through the decoy domain seen in the ad URL. This technique is known as cloaking and enables the threat actors to trick Google into thinking the ad is clean. Let’s pretend we are not a real user, by changing some of our browser settings to appear as a crawler. We see a website that looks real, although no one has ever heard about it before!

Threat actors go to great lengths to create these decoy pages, but often times they use AI to have them build those sites for them. Now, let’s return to the ad and click on it from a genuine user profile: we get a totally different final URL!

To understand what happened here, let’s look at the network traffic from the Google ad, to this page. We see that the saltysour[.]com domain immediately redirected us (via a 302 HTTP code) to a different site that impersonates the real Advanced IP Scanner website.

Real site: advanced-ip-scanner[.]com

Fake site: advanced-ip-scan[.]org

We press the download button and a file called IP_Scanner_v.3.5.2.1.zip is retrieved from what looks like a WordPress site, which is rather suspicious. We extract the content of that Zip archive and see the following.

While the setup.exe file is legitimate, it sideloads a malicious DLL (python311.dll) which calls back to a command control and server. This is a signature move from a threat known as Nitrogen. This piece of malware is used as part of a longer attack chain which leads to ransomware. In fact, Nitrogen is associated with the deployment of the BlackCat (ALPHV) ransomware.

Process flow

Protection

ThreatDown customers were already protected against this attack:

  • The phishing website was detected via web protection
  • The malicious DLL (Nitrogen) was detected via our AI-driven automated signature system
  • The command and control server (C2) for Nitrogen was already detected by web protection

Mitigations

If you want to protect your users from a number of web based threats, it is crucial to scrutinize online ads. Downloading software by clicking on a search ad is a risky behavior because brands can be impersonated quite easily. You have several options here:

  • you can block ads across the board which will make a malvertising attack very unlikely
  • you can provide an internal repository from where you employees will download the software programs they need

We highly recommend web protection which goes beyond a simple ad blocker. ThreatDown gives you that extra piece of mind by blocking malicious infrastructure used by malvertisers as well as command and control servers that threat actors rely on.

Remember to treat such intrusions timely as Nitrogen is not the final payload in this attack chain. Threat actors will use it to profile victims before deploying ransomware.

Did you like this walkthough? For more, check out our index page here.

Indicators of Compromise (IOCs)

Cloaking site

saltysour[.]com

Phishing site

advanced-ip-scan[.]org

Payload URL

giaoanso[.]com/wp-includes/IP_Scanner_v.3.5.2.1.zip

Payload SHA256

e2ee4d4798f74639686206770b4782ded7a63e7516602efbf9ef53ce00a8e3f8

Nitrogen SHA256

26c9be484d40491f190b771b3c412a7474f0da719df3ce17e7f057ac9e48e429

Nitrogen C2

91.92.249[.]89