A sophisticated cyber campaign has emerged, targeting system administrators with deceptive advertisements for popular system utilities, including PuTTY and FileZilla, to lure victims into downloading the Nitrogen malware under the guise of legitimate software.
These malicious ads, disguised as sponsored results on Google’s search engine, are localised to North America.
Researchers from Malwarebytes discovered the campaign, which has been running for the past couple of weeks. It involves a multi-step process orchestrated by threat actors to infiltrate private networks, steal sensitive data, and deploy ransomware such as BlackCat/ALPHV.
Despite efforts to alert Google to these malicious activities, the company has not taken any action thus far.
Tactics, Techniques and Procedures (TTPs)
The TTPs employed by the hackers include the following:
Luring victims with malicious ads
Malicious ads, presented as sponsored results on Google, entice system administrators with fake versions of essential utilities.
Threat actors exploit Google’s ad infrastructure to reach corporate users, leveraging the credibility of tools like PuTTY and FileZilla to deceive victims.
Cloaking and redirect mechanisms
The malvertising infrastructure uses cloaking: depending on who is visiting, the redirect chain serves either decoy pages or unrelated popular content such as the Rick Astley video instead of the malicious download page.
Cloaked pages resemble legitimate sites, making it easier to deceive users into downloading the malware.
Malware payload delivery
After clicking the malicious ad, victims unwittingly download and execute the Nitrogen malware.
Nitrogen utilises DLL sideloading, a technique in which a legitimate, signed executable is tricked into loading a malicious DLL placed alongside it, so that the malicious code runs under the cover of a trusted process and evades detection mechanisms that trust the host binary.
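A detection heuristic for the sideloading pattern described above, as an added example that is not part of the original report and is not derived from Nitrogen samples: it reads Sysmon "Image loaded" (Event ID 7) style records and flags a DLL that carries a well-known Windows system DLL name but is loaded from the loading process's own user-writable directory without a valid signature. The DLL-name list, directory hints and sample events are constructed assumptions for illustration.

```python
"""Flag DLL sideloading candidates in Sysmon Event ID 7 (Image loaded) style records."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Names normally expected to resolve from System32; illustrative, not exhaustive.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
# Path fragments that indicate a user-writable location (assumed heuristic).
USER_WRITABLE_HINTS = ("\\downloads\\", "\\temp\\", "\\appdata\\")


@dataclass
class ImageLoad:
    image: str             # Sysmon 'Image': the process that loaded the DLL
    image_loaded: str      # Sysmon 'ImageLoaded': full path of the DLL
    signed: bool           # Sysmon 'Signed'
    signature_status: str  # Sysmon 'SignatureStatus'


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def user_writable(path: str) -> bool:
    return any(hint in path.lower() for hint in USER_WRITABLE_HINTS)


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """True when a system-named DLL is loaded from the host EXE's own user-writable dir, unsigned."""
    dll = PureWindowsPath(ev.image_loaded)
    if dll.name.lower() not in SYSTEM_DLL_NAMES or in_system_dir(ev.image_loaded):
        return False
    same_dir = dll.parent == PureWindowsPath(ev.image).parent  # case-insensitive on Windows paths
    untrusted = (not ev.signed) or ev.signature_status.lower() != "valid"
    return same_dir and user_writable(ev.image_loaded) and untrusted


# Constructed sample events: one sideload-style load, one benign load from System32.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\admin\Downloads\putty-setup\setup.exe",
              r"C:\Users\admin\Downloads\putty-setup\version.dll", False, "Unavailable"),
    ImageLoad(r"C:\Program Files\PuTTY\putty.exe",
              r"C:\Windows\System32\version.dll", True, "Valid"),
]


def flagged(events) -> list[str]:
    """Return the DLL paths of all events that match the sideloading heuristic."""
    return [e.image_loaded for e in events if is_sideload_candidate(e)]


if __name__ == "__main__":
    for path in flagged(SAMPLE_EVENTS):
        print("sideload candidate:", path)
```

In production the same logic runs over an EDR or SIEM feed rather than an inline list, and the name list should be tuned to the DLLs your fleet's binaries actually import.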
Defensive measures
Researchers have urged the use of DNS filtering to block malicious ad domains and prevent malvertising attacks. Companies and individuals can also apply group policies to restrict traffic from suspicious ad networks, and deploy Endpoint Detection and Response (EDR) solutions to detect and quarantine malicious DLLs.
Alongside these controls, the researchers recommend strengthening user education on malvertising through targeted training simulations.
Google Ads have been used to lure victims into downloading malware for quite a while now. On April 1 this year, it was reported that threat actors were using fake ads for legitimate software such as Notion and Slack to distribute malware.
On November 13, 2023, Google sued cybercriminals running malware-laden ads on Bard. In April of the same year, researchers found the BumbleBee malware strain exploiting Google Ads.