BlackCat ransomware gang attacks corporations, public entities in malvertising campaign

New attack method highlights increasing browser-based cyber threats

Michael Hill
11/15/2023


The notorious ransomware group BlackCat/ALPHV is attacking corporations and public entities in the Americas and Europe in a malvertising campaign, researchers from cyber security company eSentire have warned. A Russian-speaking affiliate of the gang behind the $100 million MGM Resorts cyber attack has adopted new attack tactics to infect targets – using Google Ads to deliver Nitrogen malware, according to eSentire.

The crime network has attempted to breach various organizations in the last three weeks including a law firm, a manufacturer and a warehouse provider, eSentire said. This is a continuation of a campaign first spotted in June, it added.

BlackCat/ALPHV is known to have employed some of the most ruthless extortion tactics ever seen, such as leaking photos of breast cancer patients. The gang first appeared on the ransomware scene in November 2021 and currently lists 170 victims on their name and shame page, ranking them the third most active ransomware gang behind Clop and LockBit. The group typically achieves initial access into their victims’ IT networks through one of three ways: valid credentials, exploitation of remote management and monitoring services and browser-based attacks. This year, however, an affiliate has expanded into malvertising to execute browser-based attacks, eSentire researchers wrote in a blog.

Ransomware group using Google Ads to spread Nitrogen malware

The threat actor is taking out Google Ads promoting popular software such as Advanced IP Scanner, Slack, WinSCP and Cisco AnyConnect to lure business professionals to attacker-controlled websites, eSentire said. Thinking they are downloading legitimate software, business professionals are actually downloading the Nitrogen malware – an initial-access malware that leverages Python libraries for stealth. “This foothold provides intruders with an initial entry into the target organization’s IT environment. Once the hackers have that initial foothold, they can then infect the target with the malware of their choosing.” In the case of this attack campaign, the target victims are being infected with the BlackCat/ALPHV ransomware, according to Keegan Keplinger, senior threat intelligence researcher at eSentire’s Threat Response Unit (TRU).

“The Nitrogen malware leverages obfuscated Python libraries that compile to Windows executables,” said Keplinger. “These libraries are useful for legitimate use cases – such as optimizing Python code – but they are also being used to develop malicious malware loaders that can load intrusion tools directly into memory.”

Browser-based cyber attacks an increasing threat

Ransomware threat groups are continuing to expand into the browser-based cyber threat landscape, in which users unknowingly download and execute malware while browsing the internet. “This isn’t casual internet browsing: employees are often carrying out business-related tasks on the internet searching for tools to increase their productivity. Threat actors are aware of the need for these tasks and intentionally get in front of them with malware,” Keplinger warned.

The newest attack surface is browser-based downloads, and businesses should add browser-based awareness to their security training programs. “The latest browser-based cyber attacks aren’t just inconveniences or annoying malware created by beginners – these attacks lead to hands-on-keyboard ransomware attacks, in which threat actors manually intrude the network and position themselves to deploy ransomware to as many endpoints as possible,” added Keplinger.

Endpoint monitoring is the most important element of browser-based threat mitigation, he advised. “Additionally, when attacks have progressed into ransomware deployment, it was often because of the lack of endpoint coverage for a segment of the network – so organizations must make sure to fully deploy endpoint solutions to all of their endpoints.”

Beyond a robust endpoint monitoring program, it’s important for businesses to ensure they are capturing and monitoring logs for systems that don’t support endpoint monitoring. VPNs are a well-known example, but even servers such as Domain Controllers, Citrix, IIS and mail servers won’t share pertinent information with endpoint agents and require additional logging to track when threat actors abuse these systems or hide in the VPN pool, Keplinger said.
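As an added example (not from the article, eSentire or the researchers quoted), the following check turns the installer lure described above and the logging advice here into a detection: it scans web-proxy log lines for downloads whose file name matches one of the advertised tools (Advanced IP Scanner, Slack, WinSCP, Cisco AnyConnect) but whose host is not the vendor's own domain. The vendor allowlist, the log format and the log lines are constructed assumptions, and the `.example` hosts are placeholders rather than real indicators.

```python
import re
from urllib.parse import urlparse

# Assumed: installer-name pattern a lured user expects to see, and the vendor
# domain (subdomains accepted) a legitimate download should come from.
SOFTWARE = {
    "advanced ip scanner": (r"advanced[-_ ]?ip[-_ ]?scanner", "advanced-ip-scanner.com"),
    "slack": (r"slack", "slack.com"),
    "winscp": (r"winscp", "winscp.net"),
    "cisco anyconnect": (r"anyconnect", "cisco.com"),
}
INSTALLER_EXT = re.compile(r"\.(exe|msi|zip|iso)$", re.I)

def on_vendor(host, vendor):
    return host == vendor or host.endswith("." + vendor)

def classify_download(url):
    """Return (software, host) for a lure-named installer fetched off-vendor, else None."""
    parsed = urlparse(url)
    filename = parsed.path.rsplit("/", 1)[-1]
    if not INSTALLER_EXT.search(filename):
        return None
    host = parsed.hostname or ""  # urlparse lowercases the host for us
    for software, (pattern, vendor) in SOFTWARE.items():
        if re.search(pattern, filename, re.I) and not on_vendor(host, vendor):
            return (software, host)
    return None

def scan_proxy_log(lines):
    """Constructed log format: '<timestamp> <user> <method> <url> <status>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[2] != "GET":
            continue
        result = classify_download(parts[3])
        if result:
            hits.append({"user": parts[1], "software": result[0], "host": result[1]})
    return hits

# Constructed sample lines; one legitimate vendor download, one non-installer page, three lures.
SAMPLE_LOG = [
    "2023-11-14T09:12:03Z alice GET https://www.advanced-ip-scanner.com/download/Advanced_IP_Scanner_2.5.exe 200",
    "2023-11-14T09:15:41Z bob GET https://advanced-ip-scanner-download.example/files/Advanced_IP_Scanner.exe 200",
    "2023-11-14T09:20:10Z carol GET https://cdn.winscp-install.example/WinSCP-6.1-Setup.exe 200",
    "2023-11-14T09:30:00Z erin GET https://slack.com/help/articles/12345 200",
    "2023-11-14T09:33:18Z grace GET https://anyconnect-client.example/cisco-anyconnect-win-4.10.msi 200",
]
```

Running `scan_proxy_log(SAMPLE_LOG)` flags bob, carol and grace while leaving the vendor download and the help page alone; a hit is a starting point for pulling the endpoint's process and network telemetry, not a verdict on its own.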
