Nitrogen Ransomware Effort Lures IT Pros via Google, Bing Ads


Thread author
Staff Member
Malware Hunter
Jul 27, 2015
Hackers are planting fake advertisements - "malvertisements" - for popular IT tools on search engines, hoping to ensnare IT professionals and perform future ransomware attacks.

The scheme surrounds pay-per-click ads on sites like Google and Bing, which link to compromised Wordpress sites and phishing pages mimicking download pages for software such as AnyDesk, Cisco AnyConnect, TreeSize Free, and WinSCP. Unsuspecting visitors end up downloading the actual software they intended, alongside a trojanized Python package containing initial access malware, which the attackers then use to drop further payloads. Researchers from Sophos are calling the campaign "Nitrogen." It has already touched several technology companies and nonprofits in North America. Though none of the known cases have yet been successful, the researchers noted that "hundreds of brands co-opted for malvertising of this sort across multiple campaigns in recent months."

"The key thing here is that they're targeting IT people," says Christopher Budd, director of Sophos X-Ops. Skipping right to the people closest to an organization's most sensitive systems, he says, "is actually a fairly efficient and effective way of targeting."
It might seem risky to target IT professionals - folks with, presumably, the technical savvy to snuff out phishing attacks. Budd acknowledges that "the hit rate may be on the low side, because it is a more sophisticated audience. But the return, because of the sensitivity of that audience" - namely, their proximity to the most sensitive systems in a corporate network - "may be higher on those fewer hits, thus making it worthwhile."

What might the hackers do with such sensitive access? Budd stopped short of ascribing specific intentions, but he noted a report published last month by Trend Micro, which appears to map to the Nitrogen campaign. In that case, the attackers used their malvertising-enabled access to drop BlackCat ransomware onto their target's network.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.