According to eSentire, the ALPHV ransomware gang is employing the Nitrogen malware in the ongoing attacks.
Cybersecurity experts at eSentire, a leading global cybersecurity solutions provider, have published details of an ongoing attack campaign from Russian-speaking affiliates of the notorious ALPHV (aka BlackCat) ransomware gang.
According to eSentire’s Threat Response Unit (TRU) researchers, key targets in this campaign are public entities and corporations in the Americas and Europe. Over the last three weeks, these affiliates have breached a manufacturer, a law firm, and a warehouse provider within eSentire’s customer network, apart from other firms. However, eSentire’s security research team thwarted and neutralized these attacks.
Researchers noted that ALPHV/BlackCat threat actors gain initial access to their targets’ IT networks through three methods: using stolen or otherwise compromised login credentials; exploiting vulnerabilities in remote monitoring and management (RMM) tools to reach internal systems; and browser-based attacks in which users are lured to malicious websites that deliver malware, typically via links in emails or social media posts.
Furthermore, they observed that BlackCat affiliates have expanded their attack tactics substantially to include malvertising. In this campaign, the attackers place deceptive Google ads promoting popular software like Advanced IP Scanner, WinSCP, Slack, or Cisco AnyConnect to trick business professionals into visiting certain websites.
In reality, these attacker-controlled websites deliver the Nitrogen malware under the guise of authentic software. The attackers lure users by placing malicious ads at the top of search results for keywords relevant to businesses, for instance ‘cloud backup solutions’.
They can also use the name of a fictional company to lure their targets into clicking on the ads. These cyberattacks seem to be part of a larger campaign involving malicious ads for WinSCP placed on both Google and Bing search results by ALPHV/BlackCat affiliates.
“The malvertising attacks they shut down in the past three weeks on behalf of the law firm and manufacturer are a continuation of a June 2023 campaign, where an affiliate of the ALPHV/BlackCat Ransomware gang was observed using malicious ads to distribute the Nitrogen malware, which led to the ALPHV/BlackCat ransomware,” eSentire’s blog post revealed.
Nitrogen is an initial-access malware discovered in June 2023. It uses obfuscated Python libraries and DLL sideloading to evade detection and hide its attack path after infection.
Once installed, it gives attackers a foothold in the targeted entity’s IT environment, from which they can move deeper into the network and deploy malware of their choice. In the ongoing campaign, victims are typically infected with ALPHV/BlackCat ransomware, eSentire TRU’s senior threat intelligence researcher Keegan Keplinger noted.
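Because Nitrogen relies on DLL sideloading, the most useful telemetry for catching it before the ransomware stage is module-load events. The following is an added example written for this article, not eSentire’s detection logic or anything from the Nitrogen samples themselves: a small triage heuristic over constructed module-load records modelled on the fields of a Sysmon Event ID 7 (Image loaded) event. The list of System32 DLL names, the trusted install roots and the sample events are all assumptions chosen for illustration; a real deployment would build the allow-list from a clean reference host.

```python
import ntpath
from dataclasses import dataclass
from typing import List, Optional

# Assumed subset of DLL names that normally live in System32. A real detector
# would generate this allow-list from a clean reference host, not hard-code it.
SYSTEM_DLL_NAMES = {"msi.dll", "version.dll", "dbghelp.dll", "cryptbase.dll", "userenv.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
TRUSTED_DIRS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")


@dataclass
class ImageLoad:
    """One module-load event, modelled on the fields of a Sysmon Event ID 7 record."""
    image: str          # process that loaded the module
    image_loaded: str   # full path of the loaded DLL
    signed: bool        # whether the DLL carried a valid Authenticode signature


def _under(path: str, roots) -> bool:
    """True if the (case-insensitive) path sits below any of the given roots."""
    p = path.lower()
    return any(p.startswith(r + "\\") for r in roots)


def classify(ev: ImageLoad) -> Optional[str]:
    """Return 'high', 'medium' or None for one event.

    Heuristic: a DLL with a well-known System32 name loaded from anywhere
    other than the system directories is a sideloading candidate. It is
    'high' when it is unsigned, sits beside the loading executable, and
    that executable itself lives outside the trusted install roots, which
    is what a dropper unpacked from a fake installer download looks like.
    """
    dll = ntpath.basename(ev.image_loaded).lower()
    if dll not in SYSTEM_DLL_NAMES or _under(ev.image_loaded, SYSTEM_DIRS):
        return None
    same_dir = ntpath.dirname(ev.image_loaded).lower() == ntpath.dirname(ev.image).lower()
    untrusted_image = not _under(ev.image, TRUSTED_DIRS)
    if not ev.signed and same_dir and untrusted_image:
        return "high"
    return "medium"


def triage(events: List[ImageLoad]):
    """Return [(severity, image, image_loaded)] for every flagged event."""
    out = []
    for ev in events:
        sev = classify(ev)
        if sev:
            out.append((sev, ev.image, ev.image_loaded))
    return out


# Constructed sample events for the demonstration (not real telemetry).
SAMPLE = [
    # normal: the installer service loading the real msi.dll from System32
    ImageLoad(r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\msi.dll", True),
    # sideload candidate: a "setup.exe" from a download folder loading an
    # unsigned msi.dll that sits right next to it
    ImageLoad(r"C:\Users\bob\Downloads\WinSCP-Setup\setup.exe",
              r"C:\Users\bob\Downloads\WinSCP-Setup\msi.dll", False),
    # normal: an application loading its own, non-system-named DLL
    ImageLoad(r"C:\Program Files\Acme\acme.exe", r"C:\Program Files\Acme\acme.dll", True),
    # worth a look: a system DLL name shipped inside a Program Files install
    ImageLoad(r"C:\Program Files\Acme\acme.exe", r"C:\Program Files\Acme\version.dll", True),
]

if __name__ == "__main__":
    for sev, image, dll in triage(SAMPLE):
        print(f"[{sev}] {image} loaded {dll}")
```

The medium tier exists because legitimate software does occasionally ship a DLL with a System32 name; the point of the heuristic is to surface those for review while reserving the high tier for the unsigned, co-located, user-writable-path combination that a malvertised installer produces.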
For your information, the ALPHV/BlackCat ransomware gang is known for its $100 million MGM Resorts breach. Its tactics evolved from those of experienced ransomware operations such as DarkSide (of Colonial Pipeline attack fame), REvil, and BlackMatter. Some of its prominent affiliates include Scattered Spider, FIN7, and UNC2565.
The BlackCat/ALPHV ransomware presents a significant threat to businesses and unsuspecting users. The severity is underscored by the FBI’s release of Indicators of Compromise (IoCs) for it last year (PDF).
Considering that ransomware operators are now exploiting social media and Google Ads to reach a wider audience, business owners should remain cautious of unexpected ads or too-good-to-be-true offers.
Always verify the legitimacy of the advertiser before clicking, and prefer typing the vendor’s known domain directly rather than following a sponsored result. Never download software from unknown or unverified sources, check the publisher’s signature or published hash on installers where available, and use a reputable anti-malware program.