Nitrogen Malware

It has been reported that a new malware called "Nitrogen" is targeting organizations for malicious activities. The attackers can infiltrate the compromised systems, carrying out unusual activities and extracting sensitive information such as passwords, banking details, and more. This is achieved by downloading malicious IT tools through deceptive ads on search engines.

Infection Mechanism

Nitrogen threat actors are targeting users searching for some specific IT tools /applications by exploiting search engines’ ads.

Whenever the user searches for IT tools such as TreeSize Free, AnyDesk, WinSCP, and Cisco AnyConnect etc. on the browser it shows malicious advertisements of legitimate tools and misleads users to download venomous installers.

Fig.-1- Winsccp[.]com is a malicious website mimicking the real WinSCP download page (winscp.net) [Source- Sophos]

Users are directed to compromised WordPress sites and phishing pages masquerading as legitimate software distribution websites through these ads.

Furthermore, it has been noted that certain geographic locations are targeted for phishing attempts. Interestingly, those who directly visit the malicious URLs are unexpectedly redirected to another webpage.

Fig.-2- An overview of Nitrogen infection chain [Source- Sophos]

Once the user unknowingly downloads the malicious ISO installer named "install.exe" from deceitful websites, these installers contain a dangerous DLL file named "msi.dll" that is secretly added to the system. This file then acts as the installer for the Nitrogen primary access malware.

Upon download, the installers initiate the execution of a malicious NitrogenInstaller DLL, discreetly concealed within a seemingly legitimate software application. This insidious DLL is accompanied by a perilous Python execution environment, which cleverly exploits Dynamic Link Library (DLL) preloading. Through this manipulation, the Python package executes the NitrogenStager file, establishing a connection to command-and-control (C2) servers operated by the threat actors. Subsequently, the NitrogenStager file deploys a Meterpreter shell and Cobalt Strike onto the unsuspecting targeted system.

Nitrogen malware uses the Cobalt Strike to attack the system as it is widely used in penetration testing. Cobalt Strike helps Nitrogen's threat actors possess the ability to mimic genuine user behavior, launch ransomware attacks, pilfer sensitive data, deploy various malware, etc.

Indicator of Compromise:

SHA 256

• 0af013ad0548b992d50287e3b11963cad9aa0af1f1e47e254637d28ee05208d8
• 0daf5c0f374e9a03fbe24dbcb4f0a24837a35bc2f0ca76ca35bb705f8c079486

IPs:

• 104.18.25[.]181
• 104.234.11[.]121

For more detailed list of IoC, kindly refer the URL:

• https://github.com/sophoslabs/IoCs/blob/master/Nitrogen%202023-07.csv

Best Practices and Recommendations:

• It is advisable for users to periodically check their system performance and CPU usage.
• Enterprises ought to take measures to prevent users from downloading pirated software from Warez/Torrent websites, as the presence of malware in "Hack Tool" found on sites like YouTube, Torrent sites, etc., is a concern.
• Maintain offline backups of data, and regularly maintain backup and restoration. This practice will ensure the organization will not be severely interrupted, have irretrievable data.
• Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted) and covers the entire organization’s data infrastructure.
• Implement all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to have strong, unique passwords.
• Implement multi-factor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
• Remove unnecessary access to administrative shares.
• Use a host-based firewall to only allow connections to administrative shares via server message block (SMB) from a limited set of administrator machines.
• Enable protected files in the Windows Operating System to prevent unauthorized changes to critical files.
• Disable remote Desktop Connections, employ least-privileged accounts. Limit users who can log in using Remote Desktop, set an account lockout policy. Ensure proper RDP logging and configuration.
• Check regularly for the integrity of the information stored in the databases.
• Ensure integrity of the codes /scripts being used in database, authentication and sensitive system.
• Establish Domain-based Message Authentication, Reporting, and Conformance (DMARC), Domain Keys Identified Mail (DKIM) and Sender Policy Framework (SPF) for your domain, which is an email validation system designed to prevent spam by detecting email spoofing by which most of the ransomware samples successfully reaches the corporate email boxes.
• Keep the operating system, third party applications (MS office, browsers, browser Plugins) up-to-date with the latest patches.
• Application white listing/Strict implementation of Software Restriction Policies (SRP) to block binaries running from %APPDATA% and %TEMP% paths. Ransomware sample drops and executes generally from these locations.
• Maintain updated Antivirus software on all systems.
• Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs close out the e-mail and go to the organization's website directly through browser.
• Follow safe practices when browsing the web. Ensure the web browsers are secured enough with appropriate content controls.
• Network segmentation and segregation into security zones - help protect sensitive information and critical services. Separate administrative network from business processes with physical controls and Virtual Local Area Networks.
• Disable ActiveX content in Microsoft Office applications such as Word, Excel, etc.
• Restrict access using firewalls and allow only to selected remote endpoints, VPN may also be used with dedicated pool for RDP access.
• Use strong authentication protocol, such as Network Level Authentication (NLA) in Windows.
• Additional Security measures that may be considered are:
• Use RDP Gateways for better management.
• Change the listening port for Remote Desktop.
• Tunnel Remote Desktop connections through IPSec or SSH.
• Two-factor authentication may also be considered for highly critical systems.
• If not required consider disabling PowerShell / windows script hosting.
• Restrict users' abilities (permissions) to install and run unwanted software applications.
• Enable personal firewalls on workstations.
• Implement strict External Device (USB drive) usage policy.
• Employ data-at-rest and data-in-transit encryption.
• Consider installing Enhanced Mitigation Experience Toolkit, or similar host-level anti-exploitation tools.
• Block the attachments of file types, exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf
• Carry out vulnerability Assessment and Penetration Testing (VAPT) and information security audit of critical networks/systems, especially database servers from CERT-IN empanelled auditors. Repeat audits at regular intervals.
• Individuals or organizations are not encouraged to pay the ransom, as this does not guarantee files will be released. Report such instances of fraud to CERT-In and Law Enforcement agencies.

References:

• https://news.sophos.com/en-us/2023/07/26/into-the-tank-with-nitrogen
• https://www.bleepingcomputer.com/news/security/new-nitrogen-malware-pushed-via-google-ads-for-ransomware-attacks
• https://www.pcrisk.com/removal-guides/27367-nitrogen-malware
• https://www.darkreading.com/vulnerabilities-threats/-nitrogen-ransomware-effort-lures-it-pros-via-google-bing-ads