A new malvertising campaign, dubbed Nitrogen, uses search engine ads to promote and draw victims to fake software sites where it delivers malware instead of the desired software. The goal of Nitrogen malware is to gain initial access to corporate networks, enabling data theft, cyberespionage, and other post-exploitation activities.
This malvertising campaign was apparently discovered by Sophos X-Ops and eSentire’s Threat Response Unit, eTRU, independently around mid-June. They both gave it the name Nitrogen based on strings found in multiple parts of the infection.
According to the article from Sophos, the Nitrogen campaign primarily targets technology and nonprofit organizations in North America, impersonating popular software such as AnyDesk, Cisco AnyConnect VPN, TreeSize Free, and WinSCP. The campaign begins with users performing searches for these applications on search engines. Then, the search results display advertisements promoting the searched-for software.
Upon clicking the links in these ads, users are redirected to compromised WordPress hosting pages that imitate legitimate software download sites. Which phishing page is displayed depends on the visitor’s geographic location and on whether they arrived at the site through one of the ads.
If the site is accessed directly or from a non-targeted location, it triggers a rick-roll, a popular trolling redirection that sends the user to YouTube to watch “Never Gonna Give You Up” by Rick Astley.
From these fake sites, users download trojanized ISO installers, which typically contain a malicious DLL file (msi.dll) and a Windows MSI installer (msiexec.exe) renamed to “Install”. The installer, known as NitrogenInstaller, installs the promised app to avoid suspicion, but sideloads a malicious Python package. For persistence, the installer creates a registry run key named “Python” that points to a malicious binary (pythonw.exe) in the “Public/Music” folder, which is also run via a scheduled task.
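The persistence indicators above (a Run value named “Python” that launches pythonw.exe out of the Public\Music folder) are simple enough to hunt for. The script below is an added example, not code from the Sophos or eSentire write-ups: it scores registry Run-key entries against those indicators and generalizes one step, treating any autostart executable that lives under C:\Users\Public as suspicious because that folder is writable by every local user. The record layout, the sample entries, the scoring weights and the alert threshold are assumptions made for this demo.

```python
"""
Hunting the Nitrogen persistence pattern in registry Run-key entries.

Added example (not from the original write-ups). Entries are modelled on what
`reg query <key>` would list; the sample records below are constructed, not
taken from an infected host. Weights and threshold are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
ALERT_THRESHOLD = 3  # assumption: total weight at which an entry is reported


@dataclass
class RunEntry:
    key: str      # registry key the value lives under
    name: str     # value name, e.g. "Python"
    command: str  # value data, i.e. the command line executed at logon


def executable_path(command: str) -> str:
    """Return the program path from a Run-key command line, quoted or bare."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def score_entry(entry: RunEntry) -> list[tuple[int, str]]:
    """Return (weight, reason) pairs matching the Nitrogen indicators; empty means clean."""
    hits: list[tuple[int, str]] = []
    exe = executable_path(entry.command).lower().replace("/", "\\")
    in_public = "\\users\\public\\" in exe

    if entry.name.lower() == "python":
        # Weak on its own: a genuine interpreter can legitimately be registered this way.
        hits.append((1, "Run value named 'Python'"))
    if exe.endswith("\\pythonw.exe"):
        # pythonw.exe runs without a console window, so nothing appears on screen.
        hits.append((1, "launches pythonw.exe (console-less interpreter)"))
    if in_public:
        # Any autostart binary in the world-writable Public profile is a strong signal.
        hits.append((3, "executable resides under C:\\Users\\Public"))
    if in_public and "\\public\\music\\" in exe:
        hits.append((2, "matches the Nitrogen Public\\Music drop location"))
    return hits


def hunt(entries: list[RunEntry]) -> list[tuple[RunEntry, int, list[str]]]:
    """Return (entry, total score, reasons) for every entry at or above the threshold."""
    report = []
    for entry in entries:
        hits = score_entry(entry)
        total = sum(weight for weight, _ in hits)
        if total >= ALERT_THRESHOLD:
            report.append((entry, total, [reason for _, reason in hits]))
    return report


SAMPLE_ENTRIES = [  # constructed records for the demo
    RunEntry(RUN_KEY, "OneDrive",
             r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    RunEntry(RUN_KEY, "Python",
             r"C:\Users\Public\Music\pythonw.exe C:\Users\Public\Music\script.py"),
    RunEntry(RUN_KEY, "Updater",
             r'"C:\Users\Public\Documents\update.exe" /silent'),
    RunEntry(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Python",
             r'"C:\Program Files\Python311\pythonw.exe" -m buildagent'),
]

if __name__ == "__main__":
    for entry, total, reasons in hunt(SAMPLE_ENTRIES):
        print(f"[score {total}] {entry.key}\\{entry.name} -> {entry.command}")
        for reason in reasons:
            print(f"    - {reason}")
```

On a live host the entries would come from enumerating the HKCU and HKLM Run keys (and the scheduled-task store, which the article names as a second launch path) rather than from the constructed list; the scoring logic is the part to keep. The legitimate “Python” entry under Program Files scores 2 and stays below the threshold, while a plain update.exe in Public\Documents still gets reported, which is the generalization the weights are tuned for.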
The Python component (NitrogenStager) is responsible for:
- establishing communication with the threat actor’s command and control (C2) servers
- launching a Meterpreter shell and Cobalt Strike Beacons onto the victim’s system
This gives the attackers hands-on-keyboard access to the compromised host and a channel for dropping additional payloads.