- WHEN: Information Accurate as of 7/27/2023
- WHO: This new malware appears to target those in the technology sector, like MSPs, based on the tools it attempts to appropriate
- WHAT: Nitrogen installs a malicious version of software like WinSCP (a tool utilized to connect to servers, such as Linux servers with SSH enabled or file servers with FTP access). The ultimate goal is to drop ALPHV/BlackCat or LockBit 3.0 ransomware on the endpoint.
- HOW DOES IT WORK: Malicious ads placed on Google, Facebook, Bing and other ad networks redirect to a very legitimate-looking site offering the free software for download. Because most people simply click the first link for the software they want, this threat reaches victims easily.
  The package arrives as an ISO file containing “Installer.exe” and msi.dll (the malicious payload). The payload references a Python path in the user's “Music” directory (out of the ordinary) and schedules a “OneDrive Security Task” that is executed by Python (also out of the ordinary).
  This payload deploys after the installation process and gives the bad actors a strong foothold from which to move laterally through the network, gaining access to the key machines they then ransom.
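As an added illustration (not BLOKWORX's tooling or any vendor's rule), here is a small Python detector that turns the indicators above into checks run over constructed, simplified process-creation and scheduled-task log lines; the key="value" field names and the sample paths are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample events (not real telemetry), loosely modelled on Windows
# Security event 4698 (scheduled task created) and Sysmon event 1 (process create).
SAMPLE_EVENTS = [
    'EventID=4698 TaskName="\\OneDrive Security Task" Command="C:\\Users\\alice\\Music\\python\\pythonw.exe"',
    'EventID=1 Image="C:\\Users\\alice\\Music\\python\\python.exe" ParentImage="D:\\Installer.exe"',
    'EventID=1 Image="C:\\Program Files (x86)\\WinSCP\\WinSCP.exe" ParentImage="C:\\Windows\\explorer.exe"',
    'EventID=4698 TaskName="\\Microsoft\\Windows\\SystemRestore\\SR" Command="%windir%\\system32\\srtasks.exe"',
    'EventID=1 Image="C:\\Users\\bob\\AppData\\Local\\Programs\\Python\\Python311\\python.exe" ParentImage="C:\\Windows\\explorer.exe"',
    'EventID=4698 TaskName="\\Updater" Command="C:\\Users\\bob\\AppData\\Local\\Programs\\Python\\Python311\\python.exe"',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# A python interpreter (python.exe, pythonw.exe, ...) located anywhere under a user's Music folder.
PYTHON_IN_MUSIC_RE = re.compile(r'^[a-z]:\\users\\[^\\]+\\music\\(?:.*\\)?python[^\\]*\.exe$', re.IGNORECASE)
# Any python interpreter at all, regardless of location (lower-confidence indicator).
PYTHON_EXE_RE = re.compile(r'\\python[^\\]*\.exe$', re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key="value" (or key=value) log line into a dict."""
    return {k: (quoted or bare) for k, quoted, bare in FIELD_RE.findall(line)}


def classify(ev: Dict[str, str]) -> Optional[str]:
    """Return the name of the first Nitrogen-style indicator the event matches, else None."""
    eid = ev.get("EventID")
    if eid == "1":  # process creation: python launched from a Music directory
        if PYTHON_IN_MUSIC_RE.match(ev.get("Image", "")):
            return "python_from_music_dir"
    elif eid == "4698":  # scheduled task created
        name, cmd = ev.get("TaskName", ""), ev.get("Command", "")
        if name.lower().endswith("onedrive security task"):
            return "nitrogen_task_name"
        if PYTHON_IN_MUSIC_RE.match(cmd):
            return "python_from_music_dir"
        if PYTHON_EXE_RE.search(cmd):
            return "task_runs_python"  # legitimate on developer machines; triage, do not auto-block
    return None


def detect(lines: List[str]) -> List[Tuple[str, Dict[str, str]]]:
    """Return (rule_name, parsed_event) for every line that matches an indicator."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        rule = classify(ev)
        if rule:
            hits.append((rule, ev))
    return hits


if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(rule, "|", ev.get("TaskName") or ev.get("Image"))
```

The two high-confidence rules (task name, interpreter under Music) are the ones worth alerting on; the third only adds context during triage.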
- HOW TO PREVENT: In order to avoid this threat, adopt a prevention-first mindset and do not rely solely on detection. This campaign is not detected by many vendors and prevented by even fewer. The solution leveraged by BLOKWORX can and does prevent this threat, ensuring you stay safe from “unknown” threats like this one. MAED Partners can rest assured that they are safe.