BlackCat affiliate seen using malvertising to spread ransomware

An affiliate member of the ALPHV/BlackCat ransomware cartel has turned to malvertising techniques beloved of fraudsters to compromise its victims, masking its payloads as legitimate software downloads including Advanced IP Scanner, Cisco AnyCOnnect, Slack and WinSCP, and buying Google ads to lure in victims.

The ALPHV/BlackCat ransomware-as-a-service operation has been linked to recent cyber heists including attacks on two Las Vegas casinos, an international cosmetics firm, and a prominent NHS Trust.

Historically, the group’s members use fairly standard methods of achieving initial access to its networks, either through stolen valid credentials, exploitation of remote management and monitoring services, and browser-based attacks.

The latest twist in BlackCat’s tale comes after researchers from eSentire’s Threat Response Unit (TRU) responded to a number of intrusions within its customer network in which unsuspecting business users were drawn to attacker-controlled websites via fake Google ads bought by the affiliate.

Once lured in, explained Keegan Keplinger, TRU senior threat researcher, the victims unwittingly downloaded not the product they thought they were getting, but the Nitrogen malware.

“Nitrogen is initial-access malware that leverages Python libraries for stealth,” explained Keplinger in a newly published disclosure blog. “This foothold provides intruders with an initial entry into the target organisation’s IT environment. Once the hackers have that initial foothold, they can then infect the target with the malware of their choosing.”

Nitrogen is so-named after an artefact found in the naming convention used by the ransomware operator. It is unique among initial access malwares in that it uses highly obfuscated Python libraries to skirt the victim’s security controls.

This is possible, said Keplinger, because Python libraries are legitimate tools – often known as living-off-the-land binaries or LoLBins – and typically do not raise suspicion. This also makes it more difficult for investigators to figure out what happened after an incident goes down.

In the incidents the TRU teams responded to, the activity was stopped before an actual ransomware attack could be deployed.

However, warned Keplinger, because much security awareness training still centres malicious email attachments, browser-based malware downloads are gaining traction as an access vector, and this could be particularly damaging to organisations where end-users are free to download their own software.

“Organisations need to start including browser-based attacks, including those that use fake advertising, as part of user awareness training. Browser-based attacks are increasingly leading to hands-on ransomware intrusions and infostealers that enable ransomware intrusions later,” wrote Kepliner.

“Make sure you are implementing attack surface reduction rules around script files such as .js and .vbs, but keep in mind that when these attacks arrive in .ISO files, the ‘Mark of the Web’ is lost so Attack Surface Reduction rules won’t detect the files from the internet.”

“Employ endpoint monitoring to ensure you can catch malicious execution, when social engineering attacks bypass user scrutiny – and make sure that endpoint coverage is fully comprehensive. TRU has observed a tendency for ransomware attacks to make it further down the kill-chain when they begin on endpoints that are out of scope for endpoint monitoring.

“[Also] employ logging to ensure you are capturing telemetry – especially for devices and services that don’t support an endpoint agent, including VPN, device enrollment, and server software for applications that don’t generate endpoint telemetry, like Citrix, IIS, and cloud services,” he added.