Nitrogen Malware Bonds to the Trend of Impersonating Popular Software
Category: Malware Campaign | Industries: Non-profit organizations, Technology | Source: Sophos
Through malvertising and impersonated downloads of popular software, an initial access malware tracked as Nitrogen is being used to deliver Cobalt Strike against technology and non-profit organizations located in North America. According to researchers from Sophos, the Nitrogen infection chain has been identified as a precursor to ransomware deployment: a previous Nitrogen infection analyzed by Trend Micro led to the deployment of the BlackCat ransomware. The Nitrogen malware family consists of the following main components: NitrogenStager, MsfPythonStager, and NitroInstaller. Based on these components, Sophos suspects a "relation to the Metasploit Framework (MSF), which is leveraged in the Nitrogen campaign to generate the reverse shell scripts used in NitrogenStager."
Nitrogen infections are initiated through Google or Bing Ads disguised as downloads of commonly used tech utility software such as AnyDesk, WinSCP, TreeSize Free, or a setup file for Cisco's AnyConnect VPN. The campaign incorporates an anti-analysis component: researchers who visit the phishing page directly, rather than through the advertisement, are redirected to Rick Astley's 'Never Gonna Give You Up' YouTube video. The initial download is an ISO file; once mounted, it hosts an executable named 'install' or 'setup' (actually a renamed msiexec executable) alongside a DLL file. When the install/setup file is executed, the DLL, identified as NitrogenInstaller, is sideloaded. This installer drops a legitimate version of the downloaded application; however, it serves only as a decoy while two Python packages are downloaded to progress the infection.
NitrogenInstaller will also abuse Cmstp to elevate its privileges through a UAC bypass and establish persistence through the AutoRun registry key and a scheduled task. From there, NitrogenStager can abuse DLL search-order hijacking and connect to its command and control (C2), paving the way for a Meterpreter shell and/or Cobalt Strike activity. During the manual portion of the infection, Sophos observed the threat actors downloading additional payloads, gathering credentials, and enumerating the network.
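Two of the indicators above lend themselves to host-based detection: an executable whose PE version information identifies it as msiexec.exe while its on-disk name is something else (the ISO's 'install'/'setup' binary), and cmstp.exe being spawned by such a renamed binary. The following is an added detection example, not code from Sophos or from the report; it runs over constructed Sysmon-style process-creation events and assumes the Sysmon Event ID 1 field names Image, OriginalFileName and ParentImage.

```python
import ntpath

# Constructed Sysmon-style process-creation events (Event ID 1 fields).
# These samples are made up for this example; they are not data from the Sophos report.
SAMPLE_EVENTS = [
    {"Image": r"D:\install.exe", "OriginalFileName": "msiexec.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "ProcessId": 4120},
    {"Image": r"C:\Windows\System32\cmstp.exe", "OriginalFileName": "CMSTP.EXE",
     "ParentImage": r"D:\install.exe", "ProcessId": 4188},
    {"Image": r"C:\Windows\System32\msiexec.exe", "OriginalFileName": "msiexec.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "ProcessId": 1200},
    {"Image": r"C:\Users\alice\Downloads\setup.exe", "OriginalFileName": "setup.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "ProcessId": 5002},
]


def is_renamed_msiexec(event):
    """True when the PE version info says msiexec.exe but the on-disk file name differs."""
    original = event.get("OriginalFileName", "").lower()
    on_disk = ntpath.basename(event["Image"]).lower()  # ntpath handles Windows paths on any OS
    return original == "msiexec.exe" and on_disk != "msiexec.exe"


def find_suspicious(events):
    """Return (reason, event) pairs for two Nitrogen-style indicators:
    1. a renamed msiexec (the 'install'/'setup' binary used to sideload the DLL), and
    2. cmstp.exe whose parent is one of those renamed binaries (the UAC-bypass stage).
    A legitimately named msiexec.exe, or a plain setup.exe, is not flagged."""
    renamed_images = {e["Image"].lower() for e in events if is_renamed_msiexec(e)}
    findings = []
    for e in events:
        if is_renamed_msiexec(e):
            findings.append(("renamed_msiexec", e))
        elif (ntpath.basename(e["Image"]).lower() == "cmstp.exe"
              and e.get("ParentImage", "").lower() in renamed_images):
            findings.append(("cmstp_from_renamed_msiexec", e))
    return findings


if __name__ == "__main__":
    for reason, e in find_suspicious(SAMPLE_EVENTS):
        print(f"{reason}: pid={e['ProcessId']} image={e['Image']} parent={e['ParentImage']}")
```

The parent-child correlation only works if the renamed binary's own process-creation event is in the same batch; in a streaming pipeline the set of renamed images would need to be kept as state across events.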