Search Ad Hijacking: Google and Bing Ads Infected with Malware to Spread Threats

The cybersecurity firm Sophos has discovered a new malware campaign named Nitrogen, in which threat actors are using Google ads and Bing ads to spread malware to targeted users. The attackers advertise popular tools like AnyDesk, WinSCP, TreeSize Free, and Cisco AnyConnect VPN through these ads. However, when users click on the ads, instead of being redirected to the official websites of these tools, they are sent to compromised WordPress websites or landing pages specifically designed for this campaign. On these pages, users are offered installers to download, usually in the form of .ISO files.

The installers contain the legitimate software but also carry malicious software that downloads further malware, such as Cobalt Strike or similar. This allows the attackers to gain access to the victim’s endpoint and install second-stage malware, which could range from information stealers to ransomware.
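
Defenders can hunt for this delivery pattern in web proxy logs. The following is an added example, not from Sophos or the original article: it flags .iso downloads whose file name mentions one of the tools named above but whose host is not the vendor's domain. The log format, the vendor domain list and the sample lines are assumptions constructed for the illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Tools the article names as impersonated, mapped to vendor domains.
# The domain list is an assumption for this example; replace it with
# the download sources your organisation actually approves.
OFFICIAL = {
    "anydesk": ("anydesk.com",),
    "winscp": ("winscp.net",),
    "treesize": ("jam-software.com",),
    "anyconnect": ("cisco.com",),
}

def host_is_official(host, domains):
    # Exact match or true subdomain only, so that a look-alike such as
    # "anydesk.com.mirror.example" does not pass a naive suffix check.
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def flag_iso_downloads(log_lines):
    """Return (user, tool, host) for .iso downloads of a named tool from a non-vendor host."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _ts, user, url = parts
        u = urlsplit(url)
        filename = unquote(u.path).rsplit("/", 1)[-1].lower()
        if not filename.endswith(".iso"):
            continue
        # Drop separators so "Tree Size Free" and "WinSCP-6.1" still match.
        compact = re.sub(r"[^a-z0-9]", "", filename)
        for tool, domains in OFFICIAL.items():
            if tool in compact and not host_is_official(u.hostname or "", domains):
                hits.append((user, tool, u.hostname))
    return hits

# Constructed sample proxy log, format "<timestamp> <user> <url>".
SAMPLE_LOG = [
    "2023-01-01T09:14:02Z alice https://download.anydesk.com/AnyDesk.exe",
    "2023-01-01T09:15:40Z bob https://wp-site.example/wp-content/uploads/WinSCP-6.1-Setup.iso",
    "2023-01-01T09:16:11Z carol https://anydesk.com.mirror.example/dl/AnyDesk_Installer.ISO?src=ad",
    "2023-01-01T09:17:55Z dave https://cdn.example/images/ubuntu-22.04.iso",
    "2023-01-01T09:18:20Z erin https://files.example/Tree%20Size%20Free.iso",
]

if __name__ == "__main__":
    for hit in flag_iso_downloads(SAMPLE_LOG):
        print(hit)
```

A hit is a lead for triage rather than a verdict; pair it with endpoint telemetry for ISO mounts and execution from the mounted volume.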

The researchers believe that the attackers are not targeting specific individuals or groups but are rather casting a wide net to infect as many users as possible. They also anticipate that the attackers may impersonate other software in the future to carry out their malicious activities.

At this time, the identity of the group behind the attack remains unknown. This campaign highlights the importance of being cautious while downloading software from online sources and being vigilant against potential malware attacks through advertising networks.