Cybersecurity experts from Sophos recently announced the discovery of a new malware campaign dubbed Nitrogen. In the campaign, the threat actors were using Google ads and Bing ads to advertise popular tools, such as AnyDesk (a remote desktop tool), WinSCP (SFTP/FTP client for Windows OS), TreeSize Free (free-disk-space manager) and Cisco AnyConnect VPN.
When a victim searches for any of these tools (or encounters the ad elsewhere on the web where Google and Bing ads are displayed) and clicks on it, they are not redirected to the products' official websites. Instead, they are sent to compromised WordPress websites (or landing pages built specifically for the campaign), where they are offered the installers to download (usually as .ISO files).
The installers are in some cases legitimate, but bundled with malicious software which ends up downloading nasties such as Cobalt Strike, or similar. This gives the attackers access to the target endpoint and allows them to install second-stage malware, which can be pretty much anything from infostealers to ransomware.
The researchers believe that the attackers are not looking to gain access to computers belonging to any specific group or individual: they're just casting a wide net and seeing who gets caught in it. They also believe it's highly likely the attackers will impersonate other software in the future as well. The name of the group behind the attack is not known at this time.
Analysis: Why does it matter?
This is not the first, and most likely won't be the last, hacking campaign abusing legitimate advertising networks such as Google Ads and Bing Ads to deliver malware to victims. Earlier this year, researchers from SecureWorks warned of a campaign called Bumblebee that leveraged Google Ads to deliver malware. This campaign tried to infect people searching for software such as Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace. Just a few months prior, in February, researchers from SentinelLabs warned about a Google Ads campaign used to drop Formbook, a known infostealer. In this example, hackers went after people looking for the Blender 3D software. In December last year, Grammarly, MSI Afterburner, and Slack were all impersonated to get people to install IcedID and Raccoon Stealer, both known malware and infostealers.
What makes this type of attack so popular is the immense trust these advertising platforms enjoy with the general public. Google Ads and Bing Ads are mostly perceived as trusted, with internet users firmly believing the companies' filtering systems work well and that it's impossible to squeeze a malicious campaign through. While that's mostly true, and hundreds, if not thousands, of malicious campaigns are blocked by the service providers, some manage to squeeze through. With trust at such a high level, many people don't look twice when clicking on the search engine result spot reserved for paid advertising and don't double-check the address bar of the website they've just opened.
As a result, it's the victims who end up compromising their own devices. In many cases, they will even ignore the warnings from their antivirus programs, dismissing them as false positives because they navigated to the page via their trusted search engine. The best way to stay safe is to always be on alert, even when searching on Google and Bing, or clicking on ads from known ad networks.
What have others said about the campaign?
When SecureWorks published its report on a similar campaign, its Director of Intelligence, Mike McLellan, explained at the time that as many as 1% of all online ads contain malicious content. McLellan described the typical scenario during which a victim is attacked: rather than downloading software via a company’s IT team, many remote workers are taking control and heading online themselves, unaware of the potential risks. McLellan explained that the findings demonstrated the importance of companies having strict policies in place for restricting access to web ads and managing privileges on software downloads.
In its writeup about the report, BleepingComputer said that the researchers discovered the end goal of the campaign was to deliver ALPHV, also known as BlackCat. This is a known ransomware strain used in some of the biggest ransomware attacks out there.
Sophos added that to stay safe, users should always be wary of advertisements served by search engines and use ad-blocking extensions. Alternatively, users can rely on the defaults in browsers with built-in ad-blocking capabilities. “When choosing an ad-blocker, we recommend opting into those that allow you to block ‘non-intrusive advertising,’ thus restricting ads that search engines post on their own sites,” they added. Finally, users should consider restricting the capability to mount virtual file systems via Group Policy Objects, and be wary of downloading files with “abnormal” extensions.
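One commonly deployed way to implement that last recommendation, given here as an added example that is not from the article or from Sophos: hide Explorer's “Mount” verb for disk-image files by marking it ProgrammaticAccessOnly, a documented Windows shell-verb attribute. The article only says “via Group Policy Objects”, so rolling these registry values out through a GPO registry preference is assumed; the script applies and verifies them on a single machine so the effect can be checked before deployment.

```powershell
# Added example: disable double-click mounting of .iso and .vhd/.vhdx files
# by hiding the Explorer "Mount" verb. Assumption: in production these values
# are pushed by a GPO registry preference; here they are applied locally.
# Run from an elevated prompt. Mount-DiskImage still works for administrators,
# so legitimate tooling is unaffected; only the casual double-click path is closed.

$verbKeys = @(
    'Registry::HKEY_CLASSES_ROOT\Windows.IsoFile\shell\mount',
    'Registry::HKEY_CLASSES_ROOT\Windows.VhdFile\shell\mount'
)

function Test-MountVerbHidden {
    param([string]$Key)
    # The verb is hidden from the context menu when the ProgrammaticAccessOnly
    # value exists on the verb key; its content (even an empty string) is irrelevant.
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    return ($null -ne $props) -and
           ($props.PSObject.Properties.Name -contains 'ProgrammaticAccessOnly')
}

function Disable-ExplorerMountVerb {
    param([string]$Key)
    # Create the verb key if a build lacks it, then add the marker value.
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name 'ProgrammaticAccessOnly' -Value '' `
        -PropertyType String -Force | Out-Null
}

foreach ($key in $verbKeys) {
    $before = Test-MountVerbHidden -Key $key
    Disable-ExplorerMountVerb -Key $key
    $after  = Test-MountVerbHidden -Key $key
    '{0}: hidden before={1}, after={2}' -f $key, $before, $after
}
```

Explorer caches verb information, so sign out or restart explorer.exe before confirming that “Mount” no longer appears on an ISO's context menu.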
If you want to learn more, start by checking out our guide for the best endpoint protection, as well as best firewalls. Also, you can check out our in-depth guide on the best online marketing services out there.