Into the tank with Nitrogen

MITRE Techniques

• [T1583.008] Acquire Infrastructure: Malvertising – The Nitrogen campaign uses Google and Bing PPC ads to impersonate legitimate software pages and deliver trojanized installers. “The Nitrogen malvertising campaign leverages Google and Bing Pay-per-Click (PPC) advertisements to impersonate legitimate-looking websites and trick users into downloading malicious Windows Installer files.”
• [T1583.001] Acquire Infrastructure: Domains – The infection chain relies on domains and page redirects to host/offload malicious content. “The infection chain starts with malvertising via Google and Bing Ads to lure users to compromised WordPress sites and phishing pages impersonating popular software distribution sites.”
• [T1584.001] Compromise Infrastructure: Domains – Compromised hosting (e.g., WordPress sites) delivering trojanized installers. “hosted on seemingly compromised WordPress sites, such as mypondsoftware[.]com/cisco (which mimics the legitimate Cisco download site).”
• [T1608.001] Stage Capabilities: Upload Malware – The Nitrogen staging process involves dropping a Meterpreter shell and Cobalt Strike beacons onto the target. “to drop both a Meterpreter shell and Cobalt Strike Beacons onto the targeted system.”
• [T1588.002] Obtain Capabilities: Tool – The Nitrogen components relate to the Metasploit Framework (MSF) used to generate reverse-shell payloads. “the components indicate a relation to the Metasploit Framework (MSF), which is leveraged … to generate the reverse shell scripts used in NitrogenStager.”
• [T1574.002] Hijack Execution Flow: DLL Side-Loading – The attack uses DLL sideloading with DLL proxying to mask execution. “DLL sideloading is a popular tactic… the threat actors use another tactic … DLL proxying by forwarding exported functions… to the legitimate msi.dll.”
• [T1053.005] Scheduled Task/Job: Scheduled Task – Persistence via a scheduled task named “OneDrive Security.” “a related scheduled task named “OneDrive Security” pointing to the binary C:UsersPublicMusicpythonpythonw.exe, which has an execution interval of five minutes.”
• [T1069.002] Permission Groups Discovery: Domain Groups – Manual sessions enumerate domain groups. “net group “Workstation Admins” /domain” and related entries.
• [T1552.002] Unsecured Credentials: Credentials in Registry – Persistence via a registry Run key storing a Python launcher. “registry run key … named ‘Python’.”
• [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Registry Run key used for persistence. “creates a registry run key to establish persistence.”
• [T1553.005] Subvert Trust Controls: Mark-of-the-Web Bypass – Mentioned in the MITRE mapping for techniques used to bypass trust boundaries.