
Search engine advertisements are hijacked to deliver dangerous malware

A dangerous new malware campaign dubbed “Nitrogen” has been identified. It uses Google and Bing advertisements to deploy malware and ransomware more widely.


Google and Bing search ads are being abused by a new campaign that distributes malware through advertisements on the two search engines. The malware's purpose is to gain initial access to corporate networks, from which the attackers can steal data, carry out cyber-espionage operations and deploy ransomware.

The campaign primarily targets technology companies and nonprofits in North America, disguising itself as popular software such as AnyDesk, Cisco AnyConnect VPN, TreeSize Free and WinSCP. When users search for these applications on Google or Bing, they are shown sponsored results promoting the software; these advertisements are in fact decoys.


Google ads fall victim to malware

Users who click on these advertisements are redirected to bogus websites that closely imitate legitimate software download pages. There they unknowingly download trojanized ISO installers containing a malicious DLL named "msi.dll", which the installer executable inside the image side-loads in place of the genuine Windows Installer library.

This malicious DLL, known as "NitrogenInstaller", installs the promised application as a decoy to avoid suspicion, along with a malicious Python package. It then creates a Run key in the Windows registry so that the malware persists on the victim's system across reboots.

The malware's Python component then connects to the attackers' command-and-control server, giving them control of the victim's system. From there they can carry out further malicious actions, such as remotely installing information-stealing software and even ransomware.
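The infection chain described above leaves three observables that a SOC can hunt for in endpoint telemetry: msi.dll loaded from somewhere other than the Windows directory (the side-loaded copy rather than the real library), a new value written under a registry Run key, and that value pointing at a Python interpreter or a file in a user-writable location. The script below is an added example written for this page, not code from the article or from any vendor report. It assumes Sysmon-style event records (EventID 7 for image loads, EventID 13 for registry value writes) that have been exported as dictionaries, and that Windows is installed under C:\Windows; the sample events, file paths and SID are constructed for the example.

```python
"""Hunt for the Nitrogen-style chain in exported Sysmon events (added example).

Three heuristics, one per step of the chain:
  1. msi.dll loaded from outside the Windows directory  -> side-loading
  2. a value written under HKCU/HKLM ...\CurrentVersion\Run -> persistence
  3. that value launching a Python interpreter or something in
     a user-writable folder -> Python stager dropped by the installer
Field names (EventID, Image, ImageLoaded, TargetObject, Details) follow
Sysmon's event schema; the events and paths below are constructed.
"""
import re
from typing import Dict, List, Tuple

# Assumption: Windows lives under C:\Windows. Legitimate copies of msi.dll
# live in System32, SysWOW64 and the WinSxS component store only.
SYSTEM_ROOT = "c:\\windows"
LEGIT_MSI_DIRS = tuple(f"{SYSTEM_ROOT}\\{d}\\" for d in ("system32", "syswow64", "winsxs"))

# Folders an unprivileged user can write to; a Run value pointing here is unusual.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")

RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
PYTHON_RE = re.compile(r"python\w*\.exe", re.I)  # python.exe, pythonw.exe, python3.exe ...

Event = Dict[str, object]
Finding = Tuple[str, str, str]


def sideloaded_msi_dll(event: Event) -> bool:
    """EventID 7: msi.dll loaded from a path that is not a legitimate Windows location."""
    if event.get("EventID") != 7:
        return False
    loaded = str(event.get("ImageLoaded", "")).lower()
    return loaded.endswith("\\msi.dll") and not loaded.startswith(LEGIT_MSI_DIRS)


def suspicious_run_key(event: Event) -> bool:
    """EventID 13: a Run/RunOnce value whose data invokes Python or a user-writable path."""
    if event.get("EventID") != 13:
        return False
    if not RUN_KEY_RE.search(str(event.get("TargetObject", ""))):
        return False
    data = str(event.get("Details", "")).lower()
    return bool(PYTHON_RE.search(data)) or any(d in data for d in USER_WRITABLE)


def scan(events: List[Event]) -> List[Finding]:
    """Return (rule, subject, evidence) tuples for every event that trips a heuristic."""
    findings: List[Finding] = []
    for e in events:
        if sideloaded_msi_dll(e):
            findings.append(("sideloaded_msi_dll", str(e.get("Image")), str(e.get("ImageLoaded"))))
        if suspicious_run_key(e):
            findings.append(("suspicious_run_key", str(e.get("TargetObject")), str(e.get("Details"))))
    return findings


# Constructed sample telemetry: two benign events and two matching the chain.
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
RUN = f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
SAMPLE_EVENTS: List[Event] = [
    # benign: the Windows Installer service loading the real msi.dll
    {"EventID": 7, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "ImageLoaded": "C:\\Windows\\System32\\msi.dll"},
    # chain step 1: an installer run from a mounted ISO (drive E:) loads msi.dll beside itself
    {"EventID": 7, "Image": "E:\\install.exe", "ImageLoaded": "E:\\msi.dll"},
    # benign: a common Run value pointing into Program Files
    {"EventID": 13, "TargetObject": f"{RUN}\\OneDrive",
     "Details": "\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"},
    # chain steps 2+3: a Run value starting a Python interpreter dropped under AppData
    {"EventID": 13, "TargetObject": f"{RUN}\\Updater",
     "Details": "C:\\Users\\victim\\AppData\\Roaming\\Python\\pythonw.exe "
                "C:\\Users\\victim\\AppData\\Roaming\\Python\\main.py"},
]

if __name__ == "__main__":
    for rule, subject, evidence in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {subject} -> {evidence}")
```

Running the block on the constructed events reports exactly the two chain events and stays quiet on the two benign ones. These are hunting heuristics rather than signatures: a legitimate Python install under AppData will trip rule 3 on its own, so in practice the findings are most useful when rules 1 and 2 fire on the same host within a short window.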

Hackers use malware to install ransomware

The attackers' end goal is not entirely clear, but the infection chain suggests that they are preparing compromised systems for the deployment of ransomware. Here it is ultimately the victims who compromise their own devices. In many cases they even ignore warnings from their anti-virus software, dismissing them as false positives because they believe they reached the page through their trusted search engine.


Some users firmly believe that the ad networks' vetting works well and that a malicious campaign cannot get through, but attackers do sometimes find loopholes in the tech giants' controls.

This isn't the first time Google's ads have been used to spread malware: other cybercriminals ran a similar campaign last year, impersonating Grammarly, MSI Afterburner and Slack to trick people into installing IcedID and Raccoon Stealer, a well-known malware loader and information stealer respectively.

The best way to stay safe is to remain alert, even when searching on Google or Bing or clicking on advertisements served by known ad networks. To protect against this type of attack, users are advised to avoid clicking on sponsored results in search engines when downloading software. It is safer to download software by going directly to the developer's official website. An installer delivered as an ISO image should itself raise suspicion, since the impersonated products are normally distributed as .exe or .msi installers, not as disc images.

While Google's search engine still suffers from malicious ad campaigns, such campaigns should soon become rarer on Android thanks to a change to the Play Store.

Deepak Gupta

Deepak Gupta is a technical writer with a 10-year track record in business, gaming, and technology journalism. He specializes in translating complex technical data into actionable insights for a global audience.
