November 16, 2023 at 09:48AM
Affiliates of the ALPHV/BlackCat ransomware-as-a-service operation are using malvertising campaigns to gain initial access to victims' systems. They buy search ads for popular business software such as Slack and Cisco AnyConnect to lure corporate victims into downloading Nitrogen malware, which then serves as a foothold for deploying ransomware. eSentire's Threat Response Unit has observed this new tactic associated with Nitrogen. The group has a history of targeting healthcare organizations, including extorting a healthcare network and publishing topless images of breast cancer patients. Malvertising has become increasingly popular among cybercriminals, and Google has faced criticism for not proactively addressing the problem.
Key takeaways:
1. Affiliates of the ALPHV/BlackCat ransomware-as-a-service operation are now using malvertising campaigns to gain access to victims’ systems.
2. Paid advertisements for popular business software like Slack and Cisco AnyConnect are being used to entice corporate victims into downloading malware.
3. Instead of legitimate software, victims are infected with Nitrogen malware, which serves as an initial access payload for launching further attacks, including ransomware deployment.
4. eSentire's Threat Response Unit (TRU) has encountered the ransomware group's affiliates on multiple occasions after they targeted eSentire's customers.
5. The Nitrogen campaign itself was first observed in June 2023; what is new is ALPHV/BlackCat affiliates using this malvertising route for initial access.
6. Nitrogen malware leverages Python libraries for stealth, allowing attackers to blend into an organization’s normal traffic patterns.
7. eSentire stopped the BlackCat ransomware attack it observed, but the group has a history of targeting the healthcare sector and of abusive extortion tactics.
8. Malvertising has become a popular method for cybercriminals, with Google being criticized for not proactively preventing malicious ads from appearing in search results.
9. Other recent campaigns, including IcedID, BatLoader, and Rhadamanthys Stealer, have also relied on malvertising for initial access.
10. Microsoft has reported that the Russian cybercrime group Storm-0381 relies heavily on malvertising to deploy Magniber ransomware.