The “Nitrogen” ransomware campaign, a malicious scheme identified by Sophos, targets IT professionals with fake advertisements for popular IT tools on Google and Bing. Clicking one of these fraudulent ads, so-called “malvertisements”, leads users through compromised WordPress sites to phishing pages that imitate the download pages of tools such as AnyDesk, Cisco AnyConnect, TreeSize Free, and WinSCP. The downloaded installer comes bundled with a trojanized Python package containing initial-access malware, setting the stage for further attacks.
Although no successful cases have been documented, numerous technology companies and nonprofits in North America have been affected. The campaign stands out for directly targeting the IT personnel who are closest to an organization’s sensitive systems. Despite the low hit rate, the criminals are betting on high potential returns, because the people they reach sit close to critical network infrastructure.
While the attackers’ exact intentions are not clear, the access they gain is believed to be intended for deploying ransomware in the target’s network. IT professionals are therefore advised to exercise extreme caution when downloading software tools: go to the vendor’s legitimate site directly rather than through an ad, and verify the HTTPS certificate before downloading anything.
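Because a phishing site can hold a perfectly valid certificate for its own look-alike domain, the certificate check above really comes down to confirming the host name, and it says nothing about the file itself. The following PowerShell function is an added example, not code from Sophos or from this report, of the three checks an IT professional can run on an installer after it lands in the Downloads folder: the SHA-256 published by the vendor, the Authenticode signer, and the host the browser actually fetched it from (recorded in the NTFS Zone.Identifier stream). The file path, hash, signer name and host names in the usage call are placeholders that the caller supplies from the vendor’s official page.

```powershell
function Test-DownloadedInstaller {
    <#
    Added example: checks a downloaded installer against the vendor-published
    SHA-256, the expected Authenticode signer, and the download origin recorded
    in the Zone.Identifier alternate data stream. All reference values are
    supplied by the caller; nothing here is taken from the Sophos report.
    #>
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string]   $ExpectedSha256,   # copied from the vendor's official page
        [string[]] $TrustedSigners = @(),                    # expected signer CN(s), e.g. the vendor name
        [string[]] $TrustedHosts   = @()                     # official download host names
    )

    $problems = [System.Collections.Generic.List[string]]::new()

    # 1. Content check: the hash must match what the vendor publishes.
    $actualHash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($actualHash -ne $ExpectedSha256.ToUpperInvariant()) {
        $problems.Add("SHA-256 mismatch: got $actualHash, expected $ExpectedSha256")
    }

    # 2. Signature check: a repackaged installer is typically unsigned or signed by someone else.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    if ($sig.Status -ne 'Valid') {
        $problems.Add("Authenticode status is '$($sig.Status)' (signer: $signer)")
    } elseif ($TrustedSigners.Count -gt 0 -and
              -not ($TrustedSigners | Where-Object { $signer -like "*CN=$_*" })) {
        $problems.Add("Signed by an unexpected subject: $signer")
    }

    # 3. Origin check: which host did the browser really download this from?
    $sourceHost = $null
    $zone = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $hostUrl = ($zone | Where-Object { $_ -like 'HostUrl=*' } | Select-Object -First 1) -replace '^HostUrl=', ''
    if ($hostUrl) {
        $sourceHost = ([System.Uri]$hostUrl).Host
        if ($TrustedHosts.Count -gt 0 -and $sourceHost -notin $TrustedHosts) {
            $problems.Add("Downloaded from '$sourceHost', which is not an official vendor host")
        }
    } else {
        $problems.Add('No Mark-of-the-Web origin recorded; download source cannot be confirmed')
    }

    [pscustomobject]@{
        Path            = $Path
        Sha256          = $actualHash
        SignatureStatus = $sig.Status
        Signer          = $signer
        SourceHost      = $sourceHost
        Problems        = $problems.ToArray()
        Safe            = ($problems.Count -eq 0)
    }
}

# Usage with placeholder values (not real hashes, signers or vendor hosts):
Test-DownloadedInstaller -Path 'C:\Users\me\Downloads\example-setup.exe' `
    -ExpectedSha256 '<SHA-256 FROM THE VENDOR DOWNLOAD PAGE>' `
    -TrustedSigners @('<VENDOR SIGNER CN>') `
    -TrustedHosts   @('<official-download-host.example>')
```

Any entry in `Problems` is a reason not to run the installer. The origin check depends on the browser writing Mark-of-the-Web metadata, which Chromium-based browsers and Edge do for files saved to NTFS; a missing stream is reported as a problem rather than silently passed, since an installer unpacked from an archive or copied from elsewhere has no recorded source to confirm.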