Nitrogen Campaign 2.0: Reloads with Enhanced Capabilities Leading to…

eSentire’s TRU team documents Nitrogen campaign 2.0 with enhanced capabilities, including transacted hollowing and AMSI/ETW/WLDP evasion, culminating in ALPHV/BlackCat ransomware deployments. The operation features drive-by downloads, staged payloads, a switch to Sliver C2, and extensive post-exploitation activity with multiple payloads and persistence mechanisms. #Nitrogen #ALPHV #BlackCat #Sliver #PyramidC2 #CobaltStrike #WinSCP

Keypoints

  • Nitrogen campaign 2.0 introduces enhanced capabilities, including transacted hollowing and defense-evasion enhancements, leading to ALPHV ransomware deployment.
  • Initial access often occurs via drive-by downloads from compromised sites or deceptive ads, including fake WinSCP installers.
  • The infection chain starts from an ISO carrying several files (data, foo.dll, msi.dll, setup.exe). Next-stage payloads are AES-encrypted, a base64-encoded blob holds a nonce, an encrypted key and ChaCha-encrypted strings, and the loader's own strings are obfuscated with a Caesar cipher.
  • Persistence is established through scheduled tasks; payloads are dropped across folders and executed through renamed Windows installer binaries.
  • Post-exploitation employs transacted hollowing for process injection (zen.dll, fid.dll) and loads pythonw.exe to run embedded payloads (slv.py, wo9/wo10/wo4.py) and connect to C2.
  • C2 infrastructure shifts from Pyramid C2 to Sliver; the Sliver implant beacons to endpoints such as 194.180.48[.]149:8443, and Cobalt Strike is also observed.
  • Threat actors use PsExec and WMIC for lateral movement, Restic for exfiltration, and abuse multiple accounts (e.g., Administrator with password GoodLuck!).
  • The fake WinSCP site is hosted on an IDN/punycode look-alike domain (xn--wnscp-tsa[.]net), a homograph of the legitimate WinSCP domain; post-compromise activity also includes network discovery commands.
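
The look-alike domain is a punycode (ACE-encoded) hostname: the ACE prefix is `xn--`, which some renderings of this page fuse into a single dash. The following is an added example, written for this page and not eSentire's code: it decodes such a hostname with the Python standard library and compares a crude confusable "skeleton" against a constructed brand watchlist so the homograph is flagged. The watchlist, the hand-picked Cyrillic look-alike table and the skeleton routine are assumptions made here for illustration; they are not a UTS #39 confusables implementation.

```python
import unicodedata

# Constructed watchlist of brand domains to protect; the report names only WinSCP.
WATCHLIST = {"winscp.net"}

# Hand-picked Cyrillic letters that render like Latin ones. This tiny subset is an
# assumption for the example; a real implementation would use the UTS #39 table.
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
}


def decode_idn(hostname: str) -> str:
    """Convert ACE-encoded (xn--) labels back to Unicode, label by label.
    Malformed punycode is left as-is rather than raising."""
    labels = []
    for label in hostname.strip().lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                labels.append(label[4:].encode("ascii").decode("punycode"))
            except UnicodeError:
                labels.append(label)
        else:
            labels.append(label)
    return ".".join(labels)


def skeleton(text: str) -> str:
    """Crude confusable skeleton: NFKD-decompose, drop combining marks (so 'ì'
    collapses to 'i'), then fold the hand-picked Cyrillic look-alikes to Latin."""
    chars = []
    for ch in unicodedata.normalize("NFKD", text):
        if unicodedata.combining(ch):
            continue
        chars.append(LOOKALIKES.get(ch, ch))
    return "".join(chars)


def check_hostname(hostname: str) -> dict:
    """Decode the hostname and report which watchlisted brands it visually impersonates."""
    normalized = hostname.strip().lower().rstrip(".")
    unicode_form = decode_idn(hostname)
    impersonates = sorted(
        brand for brand in WATCHLIST
        if unicode_form != brand and skeleton(unicode_form) == skeleton(brand)
    )
    return {
        "input": hostname,
        "unicode": unicode_form,
        "idn": unicode_form != normalized,
        "impersonates": impersonates,
    }


if __name__ == "__main__":
    for host in ("xn--wnscp-tsa.net", "winscp.net"):
        print(check_hostname(host))
```

Decoding `xn--wnscp-tsa.net` yields a domain whose second character is a Latin "i" with a grave accent; once combining marks are stripped, its skeleton is identical to `winscp.net`, which is exactly the condition a proxy or mail gateway should alert on.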

MITRE Techniques

  • [T1189] Drive-by Compromise – Initial foothold via malicious payloads loaded from drive-by downloads. “gaining their initial foothold through malicious payloads from a drive-by download.”
  • [T1059.001] PowerShell – Manual execution attempts of the Sliver payload within the PowerShell command line. “…attempts to manually execute the slv.py (Sliver payload) within the PowerShell command line.”
  • [T1055] Process Injection – Transacted Hollowing used to create and inject into processes (spawning spoolsv.exe and dllhost.exe in suspended state). “transacted hollowing technique … to create and open the transacted file, CreateProcessInternalW to create the spoolsv.exe and dllhost.exe processes in a suspended state, and perform process injection by unmapping the process memory…”
  • [T1027] Obfuscated Files or Information – Loader strings obfuscated with a Caesar cipher; payload data AES-encrypted; a base64-encoded blob carries a nonce, an encrypted key and ChaCha-encrypted strings. “strings are obfuscated using a simple Caesar Cipher algorithm” and “base64-encoded string contains a nonce, an encrypted key, and a list of text strings encrypted using the ChaCha stream cipher.”
  • [T1053.005] Scheduled Task/Job – Persistence via scheduled tasks; two scheduled tasks execute commands. “persistence mechanism via scheduled tasks” and “two scheduled tasks that execute the commands shown in Figure 6.”
  • [T1071.001] Web Protocols – C2 communications over web protocols; Sliver connects to C2 servers. “connects to the C2 server at 194.180.48[.]149:8443.”
  • [T1021.002] Remote Services: SMB/Windows Admin Shares – Lateral movement using PsExec. “PsExec, and WMIC for lateral movement.”
  • [T1047] Windows Management Instrumentation – Lateral movement using WMIC. “WMIC for lateral movement.”
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Defense evasion by patching AMSI, ETW and WLDP, alongside an AntiHook component. “bypassing the Antimalware Scan Interface (AMSI) … ETW and WLDP patching and AntiHook.”
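
The Caesar-shifted strings under T1027 can be recovered without knowing the shift, because every string in one binary shares it. The example below is added for this page and is not eSentire's code: the obfuscated sample strings, the shift of 7 and the base64 wrapping of one of them are constructed for illustration (the report does not give the real shift), and the API-name hints used to score candidate shifts are a choice made here. The AES and ChaCha layers the report describes need the recovered key material and are not reproduced.

```python
import base64
import binascii

# Hypothetical hint substrings an analyst expects in a loader's recovered string
# table (Win32/NT API names, file suffixes). Scoring by these is an assumption.
HINTS = ("CreateProcess", "NtCreateSection", "NtUnmapViewOfSection", "CreateFileTransacted",
         "VirtualAlloc", "LoadLibrary", "GetProcAddress", "pythonw", ".dll", ".exe", ".py")

# Constructed sample: five strings Caesar-shifted by 7, one additionally base64-wrapped.
SAMPLE = [
    "JylhalWyvjlzzPualyuhsD",
    "UaButhwCpldVmZljapvu",
    "end2dnN6Yy5sZWw=",
    "kssovza.lel",
    "wfaovud.lel",
]


def caesar(text: str, shift: int) -> str:
    """Rotate ASCII letters by `shift` (a negative shift undoes a positive one);
    digits, punctuation and non-ASCII characters pass through unchanged."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def peel_base64(blob: str) -> str:
    """Remove one base64 layer if the blob is strict base64 that decodes to printable
    ASCII; anything else (including letters-only Caesar text) is returned unchanged."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return blob
    if raw and all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return blob


def hint_score(text: str, hints=HINTS) -> int:
    """Number of hint substrings present in a candidate plaintext."""
    return sum(text.count(h) for h in hints)


def recover(strings, hints=HINTS):
    """Brute-force the single shift shared by a string table: undo each of the 26
    possible shifts on every string and keep the shift whose output best matches
    the hints. Returns (shift_the_obfuscator_applied, recovered_strings)."""
    layered = [peel_base64(s) for s in strings]
    best_shift, best_score = 0, -1
    for shift in range(26):
        total = sum(hint_score(caesar(s, -shift), hints) for s in layered)
        if total > best_score:
            best_shift, best_score = shift, total
    return best_shift, [caesar(s, -best_shift) for s in layered]


if __name__ == "__main__":
    shift, plain = recover(SAMPLE)
    print(f"recovered shift: {shift}")
    for s in plain:
        print("  ", s)
```

The base64 probe is deliberately strict (`validate=True` plus a printable-ASCII check) so that a letters-only Caesar string whose length happens to be a multiple of four is not mistaken for base64.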

Indicators of Compromise

  • [File Hash] data (MD5: a2b4adedd0f1d24e33d82abebfe976c8) – encrypted blob carried in the ISO; decrypts to a ZIP containing additional payloads.
  • [File Hash] foo.dll (MD5: 9aedc564960e5dddeb6524b39d5c2956) – loaded by msi.dll; handles decryption and loading of the next stage.
  • [File Hash] msi.dll (MD5: 8342db04a12dd141b23a20fd393bb9f2) – modified msi.dll shipped in the ISO alongside setup.exe; loads foo.dll.
  • [File Hash] custom_installer.exe (MD5: 55144c356dbfaf88190c054011db812e) – payload decryptor and launcher, used for persistence via scheduled tasks.
  • [File Hash] update.exe (MD5: e5da170027542e25ede42fc54c929077) – legitimate msiexec.exe renamed for execution of payloads.
  • [File Hash] zen.dll (MD5: 6557a11aac33c4e6e10eeea252157f3e) – loaded by msi.dll; participates in transacted hollowing.
  • [File Hash] fid.dll (MD5: 1f04ca6ffef0b737204f3534ff73575e) – used with zen.dll in transacted hollowing.
  • [File Hash] slv.py (MD5: 88423cf8154ccc3278abea0e97446003) – Sliver payload launcher; decodes/executes obfuscated code.
  • [File Hash] data.aes (MD5: d36269ac785f6b0588fbd7bfd1b50a57) – AES-encrypted data payload decrypted to obtain Sliver payload.
  • [File Hash] wo9.py (MD5: 45d8598ff20254c157330dbdf5a8110b) – AES-encrypted embedded Cobalt Strike payload.
  • [File Hash] wo10.py (MD5: 0200a95373be2a1851db27c96704fc11) – AES-encrypted embedded Cobalt Strike payload.
  • [File Hash] wo4.py (MD5: 5462b15734ef87764ef901ad0e20c353) – AES-encrypted embedded Cobalt Strike payload.
  • [File Hash] updateegge.py (MD5: 300ca3391a413faf0e5491898715365f) – decrypts dotae.aes to Sliver payload.
  • [File Hash] dotae.aes (MD5: 4722f13c22abaa6045c544ee7dde3e5a) – encrypted data used to drop Sliver payload.
  • [File Hash] Sliver payload (MD5: 9f1c9b28eaf00b9aec180179255d87c0) – final Sliver implant connecting to C2.
  • [IP] Nitrogen C2 – 185.216.70[.]236:8443; 194.180.48[.]149:8443; 194.169.175[.]132; 194.180.48[.]169; 171.22.28[.]245:15159; 171.22.28[.]245:41337; 185.216.71[.]108
  • [Domain] walfat[.]com – Cobalt Strike C2 server.
  • [Domain] hxxp://xn--wnscp-tsa[.]net – Fake WinSCP hosting site (punycode look-alike domain) used in phishing/recon.
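
To make the indicators above actionable, the following added example (written for this page, not eSentire's code) runs a few checks over constructed Sysmon-style records, Event ID 1 (process creation) and Event ID 3 (network connection) serialized as JSON lines: the hollowing targets spoolsv.exe and dllhost.exe launched by an unexpected parent, a binary whose PE OriginalFileName is msiexec.exe running under another name (the update.exe pattern), pythonw.exe launching one of the reported script names, and connections to the listed C2 endpoints. The parent-process baselines, the "outside Program Files" heuristic, and every path and hostname in the sample log are assumptions; the IOC values are those on this page, re-fanged for matching.

```python
import json
import ntpath

# C2 endpoints and hosts from the IOC list on this page, re-fanged for comparison.
C2_ENDPOINTS = {
    ("185.216.70.236", 8443), ("194.180.48.149", 8443),
    ("171.22.28.245", 15159), ("171.22.28.245", 41337),
}
C2_HOSTS = {"194.169.175.132", "194.180.48.169", "185.216.71.108", "walfat.com"} | {
    ip for ip, _ in C2_ENDPOINTS
}

# Script names the report associates with the pythonw.exe stage.
REPORTED_SCRIPTS = {"slv.py", "wo9.py", "wo10.py", "wo4.py", "updateegge.py"}

# Baseline parents for the two hollowing targets named in the report. This is a
# defender's assumption about a stock Windows host, not a statement from the report.
EXPECTED_PARENT = {"spoolsv.exe": {"services.exe"}, "dllhost.exe": {"svchost.exe", "services.exe"}}

# Constructed sample log (Sysmon-like field names). Paths, example.com and the benign
# destination 203.0.113.10 are made up; the C2 address is the one reported.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Users\\Public\\update.exe", "OriginalFileName": "msiexec.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "C:\\Users\\Public\\update.exe /q"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\spoolsv.exe", "OriginalFileName": "spoolsv.exe", "ParentImage": "C:\\Users\\Public\\update.exe", "CommandLine": "C:\\Windows\\System32\\spoolsv.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\spoolsv.exe", "OriginalFileName": "spoolsv.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "C:\\Windows\\System32\\spoolsv.exe"}
{"EventID": 1, "Image": "C:\\Users\\Public\\python\\pythonw.exe", "OriginalFileName": "pythonw.exe", "ParentImage": "C:\\Users\\Public\\update.exe", "CommandLine": "\"C:\\Users\\Public\\python\\pythonw.exe\" slv.py"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\dllhost.exe", "OriginalFileName": "dllhost.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "C:\\Windows\\System32\\dllhost.exe"}
{"EventID": 3, "Image": "C:\\Windows\\System32\\spoolsv.exe", "DestinationIp": "194.180.48.149", "DestinationPort": 8443, "DestinationHostname": ""}
{"EventID": 3, "Image": "C:\\Program Files\\Browser\\browser.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443, "DestinationHostname": "example.com"}
"""


def _base(path) -> str:
    """Case-folded file name of a Windows path ('' if missing)."""
    return ntpath.basename(path or "").lower()


def check_process(ev) -> list:
    """Rules for one process-creation record; returns alert strings."""
    alerts = []
    image, parent = _base(ev.get("Image")), _base(ev.get("ParentImage"))
    if image in EXPECTED_PARENT and parent not in EXPECTED_PARENT[image]:
        alerts.append(f"T1055: hollowing target {image} spawned by unexpected parent {parent}")
    if _base(ev.get("OriginalFileName")) == "msiexec.exe" and image != "msiexec.exe":
        alerts.append(f"renamed msiexec.exe running as {image}")
    if image == "pythonw.exe":
        tokens = [t.strip('"') for t in (ev.get("CommandLine") or "").split()]
        scripts = {_base(t) for t in tokens if t.lower().endswith(".py")}
        hits = scripts & REPORTED_SCRIPTS
        if hits:
            alerts.append(f"pythonw.exe running reported script {', '.join(sorted(hits))}")
        elif "program files" not in (ev.get("Image") or "").lower():
            alerts.append("pythonw.exe executing outside Program Files (heuristic)")
    return alerts


def check_network(ev) -> list:
    """Rule for one network-connection record: destination matches a reported C2."""
    ip = ev.get("DestinationIp") or ""
    port = int(ev.get("DestinationPort") or 0)
    host = (ev.get("DestinationHostname") or "").lower()
    if (ip, port) in C2_ENDPOINTS or ip in C2_HOSTS or host in C2_HOSTS:
        return [f"T1071.001: {_base(ev.get('Image'))} connected to reported Nitrogen C2 {ip}:{port}"]
    return []


RULES = {1: check_process, 3: check_network}


def triage(lines) -> list:
    """Run the rules over JSON-lines records; returns (EventID, alert) pairs."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        for msg in RULES.get(ev.get("EventID"), lambda _e: [])(ev):
            findings.append((ev["EventID"], msg))
    return findings


if __name__ == "__main__":
    for eid, msg in triage(SAMPLE_LOG.splitlines()):
        print(f"[EID {eid}] {msg}")
```

The OriginalFileName check is the durable part: attackers rename msiexec.exe freely, but the PE version resource Sysmon records still names the original binary. The parent-process baseline will need tuning per environment before it is run at scale.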

Read more: https://www.esentire.com/blog/nitrogen-campaign-2-0-reloads-with-enhanced-capabilities-leading-to-alphv-blackcat-ransomware