Cyber Security Threat Summary:
ALPHV/BlackCat ransomware threat actors have been seen using Google Ads to distribute malware. By masquerading as popular software products like Advanced IP Scanner and Slack, the group has been luring professionals to attacker controlled websites. The victims, thinking they are downloading legitimate software, are unknowingly installing a piece of malware called Nitrogen. Nitrogen serves as initial-access malware providing intruders with a foothold into the target organization’s IT environment.

Nitrogen malware uses obfuscated Python libraries to compile Windows executables. There are legitimate uses for these libraries, but in this case, that attackers are using them to develop malware loaders that can load malicious tools directly into memory.

The research, which comes from security company eSentire, details these tactics after the researchers were able to thwart attempts by the group to breach a law firm, a manufacturer, and a warehouse providers over the past three weeks.

Security Officer Comments:
BlackCat is one of the more prominent ransomware groups we monitor. Notably, the group was responsible for the recent $100 million dollar ransom against MGM Resorts. This tactic of malvertising, while not new, has not previously been observed in use by this ransomware gang. Malvertising has become increasingly popular with cybercriminals, often using popular free software products to lure victims to attacker controlled web pages. Popular software include things like NotePad ++, Audacity, VLC Player, Libre Office, CCleaner, and more.

BlackCat is said to be related to other prominent ransomware strains like REvil, DarkSide, and BlackMatter. They receive support from various affiliates like FIN7, UNC2565, and Scattered Spider.

Suggested Correction(s):
Organizations can block end users ability to directly download applications to their machines. Training may be required to raise awareness against the growing threat of browser-based downloads. Users should avoid downloading software from third-party websites, and when possible, file hashes should be checked to ensure versions are legitimate. It is not uncommon for these malicious software executables to actually run the program, while malicious code is introduced in the background.

Link(s):
https://www.esentire.com/blog/