Search Engine Ads Abused to Gain Initial Access to Business Networks

Employees are being targeted in a new malvertising campaign that uses Google and Bing Ads offering a variety of trojanized installers for software solutions such as AnyDesk, Cisco AnyConnect VPN, and WinSCP. These campaigns deliver malware that establishes initial access in enterprise networks, allowing other malicious payloads to be delivered, including ransomware.

The ‘Nitrogen’ campaign was first analyzed by researchers at eSentire and later by Trend Micro, revealing that initial access was gained after a user was tricked into downloading an ISO image file from a compromised WordPress website. Malicious pay-per-click adverts are served in response to specific search terms, which drive traffic to fake branded websites. Since the user is expecting to install legitimate software, they execute the installation file within the ISO image; however, unknown to them, the installer also drops a malicious DLL file which installs the Nitrogen initial access malware and a malicious Python package. Since the software the user is expecting is also installed, they would likely be totally unaware that their device has been compromised. After the malware is installed, additional payloads such as Cobalt Strike Beacons are loaded onto the victim’s systems, with at least one of the attacks also resulting in the deployment of BlackCat/ALPHV ransomware.
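The infection chain above (ISO mounted, installer run from the mounted volume, unsigned DLL loaded from the same directory) is a sequence that endpoint telemetry can be searched for. The following Python script is an added example, not code from the article or from the researchers it cites: it runs a simple correlation over constructed event records (the hosts, paths and file names are invented for this example and are not indicators from the campaign) and reports any host where an unsigned DLL is loaded from an ISO-mounted path by a process started from that same mount within a short window.

```python
import ntpath
from datetime import datetime, timedelta

# Constructed sample telemetry for illustration only. The hosts, paths and file
# names are invented for this example and are not indicators from the article.
SAMPLE_EVENTS = [
    # Host WS01: ISO mounted, installer run from it, unsigned DLL side-loaded.
    {"ts": "2023-07-10T09:00:00", "host": "WS01", "type": "iso_mount",
     "path": "C:\\Users\\alice\\Downloads\\AnyDesk-Setup.iso", "mount": "E:\\"},
    {"ts": "2023-07-10T09:00:42", "host": "WS01", "type": "process_start",
     "image": "E:\\install.exe", "parent": "C:\\Windows\\explorer.exe"},
    {"ts": "2023-07-10T09:00:43", "host": "WS01", "type": "image_load",
     "process": "E:\\install.exe", "image": "E:\\setup_helper.dll", "signed": False},
    # Host WS02: benign activity, signed system DLL loaded from System32.
    {"ts": "2023-07-10T09:05:00", "host": "WS02", "type": "process_start",
     "image": "C:\\Program Files\\7-Zip\\7z.exe", "parent": "C:\\Windows\\explorer.exe"},
    {"ts": "2023-07-10T09:05:01", "host": "WS02", "type": "image_load",
     "process": "C:\\Program Files\\7-Zip\\7z.exe",
     "image": "C:\\Windows\\System32\\kernel32.dll", "signed": True},
    # Host WS03: ISO mounted and installer run, but only signed DLLs loaded; no alert.
    {"ts": "2023-07-10T10:00:00", "host": "WS03", "type": "iso_mount",
     "path": "C:\\Users\\bob\\Downloads\\tools.iso", "mount": "F:\\"},
    {"ts": "2023-07-10T10:00:05", "host": "WS03", "type": "process_start",
     "image": "F:\\setup.exe", "parent": "C:\\Windows\\explorer.exe"},
    {"ts": "2023-07-10T10:00:06", "host": "WS03", "type": "image_load",
     "process": "F:\\setup.exe", "image": "C:\\Windows\\System32\\kernel32.dll",
     "signed": True},
]


def _ts(event):
    """Parse the event timestamp (ISO 8601, as in the constructed records)."""
    return datetime.fromisoformat(event["ts"])


def _same_dir(path_a, path_b):
    """Case-insensitive comparison of the directories of two Windows paths."""
    return ntpath.normcase(ntpath.dirname(path_a)) == ntpath.normcase(ntpath.dirname(path_b))


def find_iso_sideload_chains(events, window=timedelta(minutes=10)):
    """Correlate ISO mount -> process start from the mount -> unsigned DLL load
    from the process's own directory, all on one host inside `window`.
    Returns one finding dict per matching (mount, process, dll) chain."""
    findings = []
    for mount in (e for e in events if e["type"] == "iso_mount"):
        start, end = _ts(mount), _ts(mount) + window
        mount_prefix = ntpath.normcase(mount["mount"])
        for proc in events:
            if proc["type"] != "process_start" or proc["host"] != mount["host"]:
                continue
            if not (start <= _ts(proc) <= end):
                continue
            # The process image must live on the mounted ISO volume.
            if not ntpath.normcase(proc["image"]).startswith(mount_prefix):
                continue
            for load in events:
                if (load["type"] == "image_load"
                        and load["host"] == proc["host"]
                        and load["process"] == proc["image"]
                        and not load["signed"]
                        and _same_dir(load["image"], proc["image"])
                        and start <= _ts(load) <= end):
                    findings.append({
                        "host": proc["host"],
                        "iso": mount["path"],
                        "process": proc["image"],
                        "dll": load["image"],
                    })
    return findings


if __name__ == "__main__":
    for f in find_iso_sideload_chains(SAMPLE_EVENTS):
        print(f"[ALERT] {f['host']}: {f['process']} loaded unsigned {f['dll']} "
              f"from ISO {f['iso']}")
```

Run on the constructed records, the script raises exactly one alert (WS01); the signed system DLL loads on WS02 and WS03 do not match. In a real deployment the event records would come from an EDR or Sysmon-style feed with equivalent fields, and the signature check would be replaced by the telemetry's own code-signing attributes.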

Malvertising attacks are an opportunistic way of gaining access to devices. By side-loading malware through trojanized software solutions likely to be downloaded by business and enterprise users, the attackers can gain access to valuable targets. Malvertising is commonly used for distributing malware. Several campaigns have recently been detected that deliver a range of remote access Trojans, information stealers, and other malicious payloads. In addition to malvertising, malware is commonly delivered via malicious websites that appear high in search engine listings for specific search terms used by employees, such as business software and document templates. Black hat search engine optimization (SEO) techniques are used to get the websites to appear high in the search engine listings – a technique referred to as SEO poisoning.

Malvertising and SEO poisoning offer cybercriminals a way of bypassing email filters, and these techniques have grown in popularity since Microsoft started blocking macros in Office documents delivered via the Internet by default. Combatting malware delivery via malvertising and SEO poisoning requires a combination of security awareness training and web filtering. Employees should be taught about the risks of downloading software from the Internet and be made aware of the threat of SEO poisoning and malvertising through security awareness training.


Posted by

Elizabeth Hernandez

Elizabeth Hernandez is a news writer on Defensorum. Elizabeth is an experienced journalist who has worked on many publications for several years. Elizabeth writes about compliance and the related areas of IT security breaches. Elizabeth has a focus on data privacy and the secure handling of personal information. Elizabeth has a postgraduate degree in journalism. Elizabeth Hernandez is the editor of HIPAAZone. https://twitter.com/ElizabethHzone