
Google Ads Breach: Nitrogen Malware Unleashes BlackCat Ransomware

The Google Ads network faces another breach, as malevolent actors exploit it to distribute Nitrogen, an initial access malware. This malware serves as a gateway for deploying ALPHV (also known as BlackCat), a highly pervasive and damaging ransomware variant.

Recent findings by eSentire highlight a fresh campaign directed at corporations and public entities in the Americas and Europe. Over the past three weeks, the affiliates behind it targeted a law firm, a manufacturer, and a warehouse provider within eSentire's customer network, and attacked various other companies as well, the researchers report.


Persistent Tactics

While the ongoing campaign may seem novel, its methods remain familiar. Hackers compromise Google accounts through malware, social engineering, or dark web credential purchases. They then create deceptive landing pages, posing as reputable brands and offering sought-after software like Advanced IP Scanner, Slack, WinSCP, and Cisco AnyConnect.

Subsequently, these cybercriminals launch ads on the Google network to promote these fraudulent landing pages. Unsuspecting victims, thinking they’re downloading legitimate software, unknowingly introduce Nitrogen to their endpoints.
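The delivery chain just described (a well-known product name on the download, an unrelated host serving the file) gives defenders a simple check to run over web-proxy logs. The Python below is an added example written for this article, not tooling from eSentire or the researchers; it assumes a simplified proxy log format ("timestamp client_ip method url referrer") and a vendor-domain allowlist that the analyst maintains, and the log lines it runs on are constructed.

```python
"""Flag installer downloads for impersonated products when the serving host is
not the vendor's own domain.

Added example for this article, not eSentire's tooling. Assumptions: a
simplified proxy log line "timestamp client_ip method url referrer" and a
vendor-domain allowlist chosen by the defender.
"""
import re
from urllib.parse import urlparse

# Products the article says were impersonated, mapped to the domains where the
# genuine installers are published. This allowlist is an assumption of the
# example; extend it with mirrors or CDNs the organisation actually trusts.
VENDOR_ALLOWLIST = {
    "advanced ip scanner": {"advanced-ip-scanner.com"},
    "slack": {"slack.com", "slack-edge.com"},
    "winscp": {"winscp.net"},
    "cisco anyconnect": {"cisco.com"},
}

# Filename patterns that suggest a given product (heuristic, case-insensitive).
PRODUCT_PATTERNS = {
    "advanced ip scanner": re.compile(r"advanced[-_ ]?ip[-_ ]?scanner", re.I),
    "slack": re.compile(r"\bslack", re.I),
    "winscp": re.compile(r"winscp", re.I),
    "cisco anyconnect": re.compile(r"anyconnect", re.I),
}

# Only installer-like files are of interest.
INSTALLER_EXT = re.compile(r"\.(exe|msi|msix|zip|iso|dmg|pkg)$", re.I)

# Assumed log format: timestamp client_ip method url referrer
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)\s+(\S+)$")

# Constructed sample log lines (".example" is a reserved placeholder TLD).
SAMPLE_LOG = [
    "2023-11-14T09:12:03Z 10.1.4.22 GET https://winscp.net/download/WinSCP-Setup.exe https://winscp.net/eng/download.php",
    "2023-11-14T09:15:41Z 10.1.4.37 GET https://winscp-download.example/WinSCP-Setup.exe https://www.google.com/",
    "2023-11-14T09:20:10Z 10.1.4.37 GET https://ipscanner-pro.example/Advanced_IP_Scanner_Setup.exe https://www.google.com/",
    "2023-11-14T09:22:55Z 10.1.5.8 GET https://downloads.slack-edge.com/releases/windows/SlackSetup.exe https://slack.com/downloads/windows",
    "2023-11-14T09:30:00Z 10.1.5.8 GET https://cdn.example/images/logo.png https://cdn.example/",
]


def host_allowed(host, allowed):
    """True if host is one of the allowed domains or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def classify_download(url):
    """Return (product, host, verdict) for an installer URL naming a tracked
    product, or None if the URL is not such a download."""
    parsed = urlparse(url)
    filename = parsed.path.rsplit("/", 1)[-1]
    if not INSTALLER_EXT.search(filename):
        return None
    for product, pattern in PRODUCT_PATTERNS.items():
        if pattern.search(filename):
            verdict = "allowed" if host_allowed(parsed.hostname, VENDOR_ALLOWLIST[product]) else "SUSPICIOUS"
            return product, parsed.hostname, verdict
    return None


def flag_suspicious_downloads(lines):
    """Parse proxy log lines and return the downloads that look like brand
    impersonation: a tracked product's installer fetched from a non-vendor host."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, client, _method, url, referrer = m.groups()
        result = classify_download(url)
        if result is None:
            continue
        product, host, verdict = result
        if verdict == "SUSPICIOUS":
            findings.append({"time": ts, "client": client, "product": product,
                             "host": host, "referrer": referrer})
    return findings


if __name__ == "__main__":
    for finding in flag_suspicious_downloads(SAMPLE_LOG):
        print(finding)
```

On the constructed sample this flags the two downloads from `.example` hosts and passes the genuine WinSCP and Slack fetches. The referrer is kept in each finding so an analyst can see whether the client arrived from a search or ad click-through, which is the path the campaign relies on.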

Nitrogen serves as a conduit for deploying BlackCat, enabling the theft of sensitive data and the encryption of all files within the target network. The final phase is a ransom demand: payment is offered in exchange for a decryption key and a promise not to leak the stolen data.

Keegan Keplinger, Senior Threat Intelligence Researcher at TRU, notes that this campaign mirrors activity observed in June 2023. It is worth highlighting that BlackCat operates as Ransomware-as-a-Service (RaaS), so any of its numerous affiliates can orchestrate such campaigns.