Ransomware, Threat Intelligence

ALPHV/BlackCat ransomware deployed by new Nitrogen malware


North American technology and non-profit organizations have been targeted by Nitrogen, a newly identified initial-access malware campaign that uses paid web search ads pointing to fake software download sites and has been tied to the delivery of ALPHV/BlackCat ransomware, BleepingComputer reports. The threat actors behind the campaign have been buying Google and Bing search placements for widely used software, including AnyDesk, Cisco AnyConnect, WinSCP, and TreeSize Free, to lure potential victims to fraudulent sites that serve trojanized ISO installers; the installer inside the ISO sideloads a malicious DLL, which in turn installs the Nitrogen malware, according to a Sophos report. Further analysis of the NitrogenInstaller component revealed a "Python" registry key used for persistence and the execution of "NitrogenStager," which establishes command-and-control communications and deploys Cobalt Strike beacons and a Meterpreter shell. While Sophos researchers have not determined the end goal of the attackers behind the campaign, Trend Micro researchers previously observed a similar attack chain being used to deliver ALPHV/BlackCat ransomware.
