Nitrogen is a campaign and associated malware distributed via malicious search ads and malvertising, using Python and DLL side-loading to connect to the attacker’s command and control server. The operators rely on compromised WordPress sites and fake WinDirStat decoy sites to deliver and mask the payload, and the campaign is linked to ransomware activity.
#Nitrogen #WinDirStat #ALPHV #BlackCat #Sliver
Keypoints
- Nitrogen is distributed via malvertising and compromised sites, with initial payloads hosted on hacked WordPress sites
- The campaign uses DLL side-loading and Python to run a malicious payload and reach its C2
- Victims are funneled through a 302 redirect to a decoy WinDirStat site, masking the real download/link
- Compromised sites are rotated and often show fake installers coexisting with web shells
- The Python payload is obfuscated, and ThreatDown can detect/quarantine it to block C2 contact
- Nitrogen has connections to ransomware activity, with threat actors using tools like Sliver before dropping ALPHV/BlackCat
MITRE Techniques
- [T1189] Drive-by Compromise – Malvertising leads to payload delivery via compromised WordPress sites. Quote: ‘The threat actors seem to have a preference for hosting their payloads on compromised WordPress sites, many of which are already hacked with malicious PHP shell scripts.’
- [T1071.001] Web Protocols – The malware connects to its command and control server after execution. Quote: ‘connect to the attacker’s command and control server.’
- [T1574.002] DLL Side-Loading – Nitrogen uses DLL side-loading via a signed executable to launch its payload. Quote: ‘Nitrogen uses DLL side-loading via a signed executable to launch its payload.’
- [T1059.006] Python – The malware runs Python from a newly created folder under %appdata% and the Python file it executes is heavily obfuscated. Quote: ‘The Python file it executes is heavily obfuscated.’
- [T1027] Obfuscated/Compressed Files and Information – The Python payload is heavily obfuscated. Quote: ‘The Python file it executes is heavily obfuscated.’
Indicators of Compromise
- [Domain] windirsstat.net – decoy domain used for fake WinDirStat site and redirect during the malvertising campaign
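As an added example (not code from the report or from ThreatDown), two of the behaviours above, a Python interpreter launched from a folder under %appdata% and the 302 redirect through the decoy WinDirStat domain, expressed as simple detection rules run over constructed process-creation and proxy log lines. The log formats, the user name, the folder name under Roaming and the redirector host are assumptions; only windirsstat.net comes from the report.

```python
import re
from urllib.parse import urlparse

# Constructed sample events (not taken from the report). The process lines mimic a
# Sysmon-style "Image=... ParentImage=..." layout; the proxy lines are "src method url status location".
PROCESS_EVENTS = [
    r"Image=C:\Windows\System32\svchost.exe ParentImage=C:\Windows\System32\services.exe",
    r"Image=C:\Users\alice\AppData\Roaming\WinDirStat\python.exe ParentImage=C:\Users\alice\Downloads\setup.exe",
    r"Image=C:\Program Files\Python311\python.exe ParentImage=C:\Windows\explorer.exe",
]
PROXY_EVENTS = [
    "10.0.0.5 GET http://redirector.example/go 302 https://windirsstat.net/",
    "10.0.0.5 GET https://windirsstat.net/ 200 -",
    "10.0.0.6 GET https://example.org/ 200 -",
]

DECOY_DOMAINS = {"windirsstat.net"}  # decoy domain listed in the report's IoCs

# python.exe / pythonw.exe started from anywhere below <user>\AppData\Roaming (i.e. %APPDATA%)
PY_FROM_APPDATA = re.compile(
    r"Image=(?P<img>[A-Z]:\\Users\\[^\\]+\\AppData\\Roaming\\[^ ]*python\w*\.exe)", re.I
)
PROXY_LINE = re.compile(r"^(?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) (?P<loc>\S+)$")


def flag_python_from_appdata(events):
    """Return the image paths of Python interpreters launched from a folder under %APPDATA%."""
    hits = []
    for line in events:
        m = PY_FROM_APPDATA.search(line)
        if m:
            hits.append(m.group("img"))
    return hits


def flag_decoy_traffic(events, decoy_domains=DECOY_DOMAINS):
    """Return (src, host, status) for requests to, or redirects into, a known decoy domain."""
    hits = []
    for line in events:
        m = PROXY_LINE.match(line)
        if not m:
            continue
        req_host = (urlparse(m.group("url")).hostname or "").lower()
        loc_host = (urlparse(m.group("loc")).hostname or "").lower()  # "-" parses to no host
        for host in (req_host, loc_host):
            if host in decoy_domains:
                hits.append((m.group("src"), host, m.group("status")))
                break
    return hits
```

The process rule is deliberately narrow (interpreter name under Roaming) so it stays cheap to run over endpoint telemetry; pairing a hit with the side-loading executable's parent path is the natural next pivot when investigating.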