Official forum for Utopia Community
It has been discovered that a new malvertising campaign targets users looking for IT tools like AnyDesk, Cisco AnyConnect VPN, and WinSCP and tempts them into downloading trojanized installers with the goal of breaching enterprise networks and potentially launching future ransomware attacks.
According to a Wednesday analysis by Sophos, the "opportunistic" activity known as Nitrogen is intended to deploy second-stage attack tools like Cobalt Strike.
When Nitrogen was first discovered by eSentire in June 2023, it described a chain of infections that sent users to hacked WordPress sites hosting malicious ISO image files, which then resulted in the distribution of Python scripts and Cobalt Strike Beacons to the targeted system.
Later on in the month, Trend Micro discovered a similar attack chain in which a phony WinSCP application served as a springboard for a BlackCat ransomware attack.
According to Sophos researchers Gabor Szappanos, Morgan Demboski, and Benjamin Sollman, "Throughout the infection chain, the threat actors use unusual export forwarding and DLL preloading techniques to mask their malicious activity and hinder analysis."
Once activated, the Python scripts create a Meterpreter reverse TCP shell that enables threat actors to remotely execute code on the infected host and download a Cobalt Strike Beacon to aid in post-exploitation.
The researchers stated that threat actors have started to frequently use pay-per-click advertisements that are displayed in search engine results. The threat actors are attempting to attract unsuspecting users looking for specific IT utilities by casting a wide net.
Malvertising
The findings also take place against a backdrop of an increase in cybercriminals using paid advertisements to trick users into visiting malicious websites and downloading various malware such as BATLOADER, EugenLoader (also known as FakeBat), and IcedID, which are then used to spread information stealers and other payloads.
The situation was made worse, according to Sophos, by sellers offering compromised Google Ads accounts and a "significant number of advertisements for, and discussion about, SEO poisoning, malvertising, and related services" on well-known criminal marketplaces.
This shows "marketplaces users have a keen interest in SEO poisoning and malvertising," and it also "negates the difficulty of trying to bypass email filters and convincing users to click a link or download and open an attachment."
It's crazy, the different tactics used by online thieves to steal from people by making them download trojanized installers just to launch ransomware attacks in the future.
It is now the moment people need to familiarize themselves with genuine websites.