An ongoing malvertising campaign is targeting IT administrators looking to download system utilities such as PuTTY (a free SSH and Telnet client) and FileZilla (a free cross-platform FTP application).
“We have reported this campaign to Google but no action has been taken yet,” Malwarebytes researcher Jérôme Segura shared.
The campaign
Malicious ads served via Google, Bing, or other reputable websites deliver RATs, infostealers, loaders, and other malware that usually masquerades as legitimate software.
In this latest campaign, searching for “Putty” or “FileZilla” on Google Search returns sponsored ads at the top of the search results. The ads point to cloaking pages, which forward the visitor to a decoy site if the server detects bot or crawler traffic or a visit that looks like it comes from a security researcher.
The malicious ads pointing to cloaking domains (Source: Malwarebytes)
If the traffic looks like it is coming from a potential victim, the visitor is instead redirected to a copycat site impersonating the legitimate site of the software project. Downloading the offered installer delivers Nitrogen malware instead of PuTTY or FileZilla.
“Nitrogen is used by threat actors to gain initial access to private networks, followed by data theft and the deployment of ransomware such as BlackCat/ALPHV,” Segura explains.
“The final step in this malvertising chain consists of downloading and running the malware payload. Nitrogen uses a technique known as DLL sideloading whereby a legitimate and signed executable launches a DLL.”
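The sideloading layout Segura describes (a signed vendor executable that loads a DLL from its own directory) is something a defender can hunt for in Sysmon Event ID 7 (Image loaded) telemetry. The script below is an added example, not code from Malwarebytes or from the article, and it goes slightly beyond the quoted description: it flags both an unsigned DLL loaded from the executable's own user-writable directory and a DLL that carries a Windows system DLL name but is loaded from outside C:\Windows. The event records are constructed for illustration, the field names (Image, ImageLoaded, Signed, SignatureStatus) follow Sysmon's Event 7 schema, and the list of system DLL names is an assumed placeholder that a real deployment would generate from a clean reference image.

```python
"""Heuristic triage of DLL sideloading from Sysmon Event ID 7 (Image loaded) records.

Added example; the records are constructed, not telemetry from the Nitrogen campaign.
"""
import ntpath

# Locations a non-admin user can write to. A vendor executable running from one of
# these, next to an unsigned DLL, is the classic sideloading layout.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

# Assumed, deliberately small set of DLL names that normally live only under C:\Windows.
# Generate this from a clean reference image in a real deployment.
SYSTEM_DLL_NAMES = {"version.dll", "msimg32.dll", "dbghelp.dll", "cryptbase.dll",
                    "wtsapi32.dll", "profapi.dll", "winhttp.dll"}

# Constructed Sysmon Event 7 records (Signed/SignatureStatus describe ImageLoaded).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\PuTTY\putty.exe",                    # benign
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\admin\Downloads\putty-setup\setup.exe",      # sideload
     "ImageLoaded": r"C:\Users\admin\Downloads\putty-setup\msimg32.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\admin\AppData\Local\Temp\fz\filezilla.exe",  # sideload
     "ImageLoaded": r"C:\Users\admin\AppData\Local\Temp\fz\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\Vendor\app.exe",                     # benign plugin
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]


def _norm(path):
    """Lower-case and use backslashes so comparisons are case-insensitive."""
    return path.replace("/", "\\").lower()


def under_windows_dir(path):
    return _norm(path).startswith("c:\\windows\\")


def in_user_writable_dir(path):
    return any(marker in _norm(path) for marker in USER_WRITABLE_MARKERS)


def same_directory(a, b):
    return ntpath.dirname(_norm(a)) == ntpath.dirname(_norm(b))


def triage_event(event):
    """Return the reasons an Event 7 record looks like sideloading ([] if nothing fires)."""
    image, dll = event["Image"], event["ImageLoaded"]
    dll_name = ntpath.basename(_norm(dll))
    signed = (event.get("Signed", "").lower() == "true"
              and event.get("SignatureStatus") == "Valid")
    reasons = []
    # 1. A DLL with a Windows system DLL name loaded from outside C:\Windows:
    #    the search-order behaviour that sideloading abuses.
    if dll_name in SYSTEM_DLL_NAMES and not under_windows_dir(dll):
        reasons.append(f"system DLL name {dll_name} loaded from {ntpath.dirname(dll)}")
    # 2. An unsigned DLL beside the executable in a user-writable directory:
    #    the dropped-payload layout.
    if not signed and same_directory(image, dll) and in_user_writable_dir(dll):
        reasons.append("unsigned DLL loaded from the executable's own user-writable directory")
    return reasons


def triage(events):
    """Map each suspicious record's loaded DLL path to the reasons it fired."""
    hits = {}
    for event in events:
        reasons = triage_event(event)
        if reasons:
            hits[event["ImageLoaded"]] = reasons
    return hits


if __name__ == "__main__":
    for dll, reasons in triage(SAMPLE_EVENTS).items():
        print(dll)
        for reason in reasons:
            print("   -", reason)
```

Both rules are heuristics: legitimate software does ship unsigned helper DLLs and portable tools do run from Downloads, so the output is a triage queue, not a verdict. The first rule is the higher-confidence signal, because a DLL named like a system library but loaded from a user directory has almost no benign explanation.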
Malvertising: A continuing threat
Malvertising has become such a pervasive threat that new campaigns are getting flagged every day.
The fact that almost identical malvertising campaigns delivering Nitrogen to IT professionals have repeatedly been spotted over the past year or so is a testament to their efficacy, as well as to search engines’ ineffectual response to the malvertising problem.
“While there are many phishing training simulations for email threats, we aren’t aware of similar trainings for malvertising. Yet, the threat has become prevalent enough to warrant better user education,” Segura pointed out.
“Endpoints can be protected from malicious ads via group policies that restrict traffic coming from the main and lesser known ad networks.”