Nitrogen is delivered via a malvertising campaign that uses a Google ad impersonating Advanced IP Scanner to lure administrators, leading to a malicious download. The Nitrogen malware provides initial access for a ransomware deployment linked to the BlackCat/ALPHV operation.
#Nitrogen #ALPHV #BlackCat #AdvancedIPScanner
Keypoints
- Malvertising is used to lure potential victims with an ad for a legitimate tool (Advanced IP Scanner).
- Decoy/cloaking pages and AI-assisted decoys are used to impersonate the real site and trick Google users.
- Clicking the ad leads to a download of IP_Scanner_v.3.5.2.1.zip from what appears to be a compromised WordPress site (the payload is served from a wp-includes path). The archive contains a legitimate setup.exe that side-loads a malicious DLL named python311.dll.
- Nitrogen is used as an initial access vector for a larger attack chain that culminates in ransomware deployment (associated with BlackCat/ALPHV).
- ThreatDown reports protections and mitigations: phishing site detection, AI-based DLL signature, and C2 detection, plus ad scrutiny and internal software repositories.
MITRE Techniques
- [T1189] Drive-by Compromise – A paid Google ad for a legitimate tool (Advanced IP Scanner) sends searching administrators to a cloaked decoy that hands out the malicious download. ‘Malvertising, the use of ads to deliver malware, has become very popular in the past couple of years.’
- [T1574.002] Hijack Execution Flow: DLL Side-Loading – The setup.exe in the archive is legitimate; it loads a malicious python311.dll placed beside it, and that DLL calls back to the command and control (C2) server. (DLL side-loading is T1574.002; T1218.011 is System Binary Proxy Execution: Rundll32 and does not apply here.) ‘While the setup.exe file is legitimate, it sideloads a malicious DLL (python311.dll) which calls back to a command and control server.’
- [T1105] Ingress Tool Transfer – The download button on the decoy page retrieves IP_Scanner_v.3.5.2.1.zip from what looks like a WordPress site. ‘We press the download button and a file called IP_Scanner_v.3.5.2.1.zip is retrieved from what looks like a WordPress site.’
- [T1071.001] Application Layer Protocol: Web Protocols – The malicious DLL beacons to its command and control server (C2) at 91.92.249[.]89. ‘calls back to a command and control server’
- [T1036] Masquerading – Impersonation of legitimate sites with cloaking and decoy domains; real site vs fake site. ‘Real site: advanced-ip-scanner[.]com’ and ‘Fake site: advanced-ip-scan[.]org’
Indicators of Compromise
- [Domain] Cloaking/decoy site – saltysour[.]com
- [Domain] Phishing site impersonating advanced-ip-scanner[.]com – advanced-ip-scan[.]org
- [URL] Payload URL – giaoanso[.]com/wp-includes/IP_Scanner_v.3.5.2.1.zip
- [SHA256] Payload – e2ee4d4798f74639686206770b4782ded7a63e7516602efbf9ef53ce00a8e3f8
- [SHA256] Nitrogen – 26c9be484d40491f190b771b3c412a7474f0da719df3ce17e7f057ac9e48e429
- [IP] Nitrogen C2 – 91.92.249[.]89
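The indicators above are published defanged (with `[.]`), and a practitioner's first job is usually to sweep proxy or DNS logs and an endpoint file inventory for them. The following script is an added example, not ThreatDown's code: it refangs the page's indicators, derives the payload host from the payload URL, matches log lines by host rather than by substring (so the real advanced-ip-scanner.com is not flagged by the advanced-ip-scan.org indicator), and checks SHA256 values from an inventory export against the two published hashes. The log lines and the inventory entries are constructed samples; the benign entry's hash is computed from placeholder bytes.

```python
"""IOC sweep for the Nitrogen malvertising chain (added example, not ThreatDown's code).

Indicators are the ones listed on this page. Log lines and the file inventory
below are constructed samples for demonstration.
"""
import hashlib
import re
from urllib.parse import urlparse

# Indicators exactly as the page lists them (defanged with "[.]").
DEFANGED_DOMAINS = ["saltysour[.]com", "advanced-ip-scan[.]org"]
DEFANGED_URLS = ["giaoanso[.]com/wp-includes/IP_Scanner_v.3.5.2.1.zip"]
DEFANGED_IPS = ["91.92.249[.]89"]
HASHES = {
    "e2ee4d4798f74639686206770b4782ded7a63e7516602efbf9ef53ce00a8e3f8": "payload zip",
    "26c9be484d40491f190b771b3c412a7474f0da719df3ce17e7f057ac9e48e429": "Nitrogen DLL",
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def split_url(url: str) -> tuple[str, str]:
    """Return (host, path) for a URL that may lack a scheme."""
    if "://" not in url:
        url = "http://" + url
    parsed = urlparse(url)
    return (parsed.hostname or "").lower(), parsed.path or "/"


# Normalised watch lists, built once at import time.
DOMAINS = {refang(d).lower() for d in DEFANGED_DOMAINS}
URLS = {split_url(refang(u)) for u in DEFANGED_URLS}
DOMAINS |= {host for host, _ in URLS}  # the payload host is an indicator too
IPS = {refang(ip) for ip in DEFANGED_IPS}

URL_RE = re.compile(r"https?://[^\s\"']+")


def host_matches(host: str, domain: str) -> bool:
    """Exact or subdomain match only; a substring match would also trip on
    the legitimate advanced-ip-scanner.com."""
    return host == domain or host.endswith("." + domain)


def match_log_line(line: str) -> list[str]:
    """Return IOC hits ("kind:value") for one proxy/DNS log line."""
    hits: list[str] = []
    for url in URL_RE.findall(line):
        host, path = split_url(url)
        for domain in sorted(DOMAINS):
            if host_matches(host, domain):
                hits.append(f"domain:{domain}")
        if host in IPS:
            hits.append(f"ip:{host}")
        for ioc_host, ioc_path in URLS:
            if host == ioc_host and path == ioc_path:
                hits.append(f"url:{ioc_host}{ioc_path}")
    return hits


def sha256_hex(data: bytes) -> str:
    """SHA256 of file contents, as an inventory tool would record it."""
    return hashlib.sha256(data).hexdigest()


def check_inventory(inventory: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """inventory: (path, sha256) pairs from an EDR or asset export.
    Returns (path, label) for every entry whose hash is a known indicator."""
    return [(path, HASHES[h.lower()]) for path, h in inventory if h.lower() in HASHES]


# Constructed sample proxy log: one hit per stage of the chain plus the real site.
SAMPLE_PROXY_LOG = [
    "2024-05-03T10:12:01Z 10.0.0.21 GET http://advanced-ip-scan.org/ 200",
    "2024-05-03T10:12:05Z 10.0.0.21 GET http://giaoanso.com/wp-includes/IP_Scanner_v.3.5.2.1.zip 200",
    "2024-05-03T10:12:44Z 10.0.0.21 GET https://www.advanced-ip-scanner.com/ 200",
    "2024-05-03T10:15:10Z 10.0.0.21 POST http://91.92.249.89/ 200",
]

# Constructed sample inventory: paths are hypothetical, the first two hashes
# are the page's indicators, the third is a placeholder for a benign file.
SAMPLE_INVENTORY = [
    (r"C:\Users\admin\Downloads\IP_Scanner_v.3.5.2.1.zip",
     "e2ee4d4798f74639686206770b4782ded7a63e7516602efbf9ef53ce00a8e3f8"),
    (r"C:\Users\admin\Downloads\IP_Scanner\python311.dll",
     "26c9be484d40491f190b771b3c412a7474f0da719df3ce17e7f057ac9e48e429"),
    (r"C:\Windows\System32\kernel32.dll", sha256_hex(b"constructed benign placeholder")),
]


def sweep(log_lines: list[str], inventory: list[tuple[str, str]]) -> dict:
    """Run both checks and return only the lines and files that matched."""
    network = [(line, match_log_line(line)) for line in log_lines]
    return {
        "network": [(line, hits) for line, hits in network if hits],
        "files": check_inventory(inventory),
    }


if __name__ == "__main__":
    result = sweep(SAMPLE_PROXY_LOG, SAMPLE_INVENTORY)
    for line, hits in result["network"]:
        print(f"NETWORK {hits}: {line}")
    for path, label in result["files"]:
        print(f"FILE    {label}: {path}")
```

Run it as a script to see the three network hits and two file hits; point `sweep` at real log lines and an EDR hash export to use it for a triage pass. The two SHA256 values are the strongest signals; the decoy and payload domains are cheap for the operator to rotate, so treat a domain miss as weak evidence of absence.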
Read more: https://www.threatdown.com/blog/nitrogen-05-03-2024/