Nitrogen Malware: BlackCat’s New Weapon in Disguised Advertising Attacks

Cybercriminal syndicates operating under the extortionate BlackCat (ALPHV) operation have adopted a new tactic — utilizing malicious advertising to gain initial access to victim systems.

Disguised as popular business software, such as the corporate messenger Slack or Cisco’s VPN client AnyConnect, the malefactors distribute the Nitrogen malware, which serves to establish initial control over the system and subsequently launch the ransomware.

According to the eSentire threat response team, its clients have repeatedly been targeted by ALPHV/BlackCat-affiliated groups. The Nitrogen malware was first recorded in June, but the use of malicious advertising for its distribution marks a new tactic.

“Nitrogen is initial-access malware that leverages Python libraries for stealth. This foothold provides intruders with an initial entry into the target organization’s IT environment. Once the hackers have that initial foothold, they can then infect the target with the malware of their choosing.” explains Keegan Keplinger, Senior Threat Researcher at eSentire.

Once the hackers are entrenched in the network of the targeted company, they can infect it with any malicious software of their choosing. In the operation under review, this software was the ALPHV/BlackCat ransomware.

The use of popular Python libraries helps to conceal intrusion traces in regular traffic. Meanwhile, additional obfuscation methods further complicate the detection of the attack.

The BlackCat group is known in the cybercriminal community for its near-total lack of honor and moral principles. For instance, the gang’s ransomware has been used in attacks on medical institutions, which many cybercriminals consider unacceptable. Earlier this year, the hackers even attempted to blackmail a hospital by publishing nude photographs of breast cancer patients.

In contrast, the ransomware group LockBit has repeatedly issued public apologies for its affiliates’ actions. For example, in January, the hackers provided a decryptor to a mistakenly attacked children’s hospital in Canada, and in April, a similar situation occurred for the American school district Olympia Community Unit 16.

Returning to the BlackCat group, it is noteworthy that they have recently shown a desire to develop and strengthen their position. The group’s leaders recently welcomed the hacker group Octo Tempest into their partner program, whose rich experience in SIM swapping, SMS phishing, and social engineering proved attractive enough for BlackCat to offer collaboration.

Thus, despite the security measures taken, BlackCat continues to evolve and adapt to new conditions. Their latest tactic with malicious advertising demonstrates the group’s sophistication and flexibility.

Companies need to enhance monitoring for suspicious activity and invest in robust protection measures to avoid becoming the next victim of this unscrupulous group of cyber criminals.