Cybercriminals have used the Nitrogen ransomware campaign to target victims through fake online ads.
Nitrogen Ransomware
They trick users into downloading fake software, like a fake “WinSCP” installer, promoted through malicious ads on platforms like Bing.
In one case, a user searching “WinSCP download” on Microsoft Edge was redirected from ftp-winscp[.]org to a hacked WordPress site.
That site hosted a harmful ZIP file named WinSCP-6.3.6-Setup.zip, which included real DLL files along with a dangerous one called python312.dll designed to infect the system.
When run, the file used DLL sideloading to install WinSCP visibly, while secretly loading the NitrogenLoader DLL in the background. This gave attackers a way into the system and later led to the deployment of BlackCat ransomware.
Deeper analysis showed that the attackers used Cobalt Strike, a commercial adversary-simulation framework that is widely abused by criminals, to move laterally through the network and avoid detection.
On the first infected systems (“patient zero”), files like Intel64.exe and tcpp.exe were found. Tools like THOR flagged these as suspicious based on known patterns, including a repeated XOR key (0x2e).
Using tools like CyberChef and SentinelOne’s CobaltStrikeParser, investigators recovered internal IP addresses and beacon traffic details. The attackers ran their malicious code inside trusted processes like gpupdate.exe to blend in with normal activity.
A watermark (678358251) connected the attack to groups like Black Basta, showing shared infrastructure across campaigns.
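The single-byte XOR key, the parsed beacon configuration and the watermark mentioned above all come from the same artifact: a Cobalt Strike beacon stores its settings as a type-length-value table XOR-encoded with one repeating byte (0x2e for 4.x beacons, 0x69 for 3.x), and the decoded table begins with a fixed six-byte header. The following scanner is an added example written for this article, not code from THOR, CobaltStrikeParser or the incident responders. It searches a byte blob for the encoded header under either key, decodes the table and names a handful of well-known setting indices (beacon type, port, sleep time, C2 server, watermark). The sample blob it scans is constructed inline; the C2 string and watermark value in it are made up.

```python
import struct

# Public analysis of Cobalt Strike beacons: the embedded configuration is a
# type-length-value table XOR-encoded with one repeating byte, 0x2e for 4.x
# (the key mentioned above) and 0x69 for 3.x.
CONFIG_KEYS = (0x2E, 0x69)
# Decoded, the table starts with setting 1 (type 1 = short, length 2):
CONFIG_HEADER = b"\x00\x01\x00\x01\x00\x02"
# A few well-known setting indices; anything else is returned as raw bytes.
SETTING_NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime", 8: "C2Server", 37: "Watermark"}


def xor_bytes(data, key):
    """XOR every byte with a single-byte key (the 'repeated XOR key' pattern)."""
    return bytes(b ^ key for b in data)


def find_config(blob):
    """Locate the encoded header; returns (offset, key) or None."""
    for key in CONFIG_KEYS:
        needle = xor_bytes(CONFIG_HEADER, key)
        off = blob.find(needle)
        if off != -1:
            return off, key
    return None


def parse_tlv(decoded, max_fields=64):
    """Walk records of index(u16) type(u16) length(u16) value, big-endian, until index 0."""
    settings = {}
    pos = 0
    while pos + 6 <= len(decoded) and len(settings) < max_fields:
        idx, kind, length = struct.unpack(">HHH", decoded[pos:pos + 6])
        if idx == 0:
            break
        raw = decoded[pos + 6:pos + 6 + length]
        if kind == 1 and length >= 2:          # short
            value = struct.unpack(">H", raw[:2])[0]
        elif kind == 2 and length >= 4:        # int
            value = struct.unpack(">I", raw[:4])[0]
        elif kind == 3:                        # NUL-padded string / blob
            value = raw.split(b"\x00", 1)[0].decode("latin-1")
        else:
            value = raw
        settings[SETTING_NAMES.get(idx, f"Setting{idx}")] = value
        pos += 6 + length
    return settings


def extract_beacon_config(blob):
    """Scan a byte blob (file, process dump) and decode the first beacon config found."""
    hit = find_config(blob)
    if hit is None:
        return None
    off, key = hit
    return {"offset": off, "key": key, "settings": parse_tlv(xor_bytes(blob[off:], key))}


def build_sample_blob():
    """Constructed test artifact, not from the incident: a minimal config padded
    with junk and XOR-encoded with 0x2e so the scanner has something to find."""
    cfg = b"".join([
        struct.pack(">HHHH", 1, 1, 2, 0),                 # BeaconType 0 (HTTP)
        struct.pack(">HHHH", 2, 1, 2, 80),                # Port
        struct.pack(">HHHI", 3, 2, 4, 60000),             # SleepTime (ms)
        struct.pack(">HHH", 8, 3, 256)
        + b"teamserver.example.invalid,/updates.rss".ljust(256, b"\x00"),
        struct.pack(">HHHI", 37, 2, 4, 123456789),        # Watermark (constructed value)
        b"\x00" * 6,                                      # terminator
    ])
    return b"\x90" * 37 + xor_bytes(cfg, 0x2E) + b"\xcc" * 16


if __name__ == "__main__":
    print(extract_beacon_config(build_sample_blob()))
```

Run against a process dump or a suspicious PE, the same header search is what lets a scanner raise an alert without a hash: the encoded header bytes are constant for a given key. The watermark setting is the field that allowed the investigators to link this intrusion to other campaigns, since it identifies the licensed team server rather than the victim.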
Attackers tried to hide their activity by clearing key Windows event logs (Security, System, and PowerShell).
Still, investigators found clues in User Access Logging (UAL) and Windows Error Reporting (WER) crash dumps. Tools like WinDBG revealed signs of lateral movement and Cobalt Strike inside memory from processes like svchost.exe.
Advanced Forensics Reveal Hidden Threats
Investigating these attacks required advanced forensic tools and techniques. Automated solutions like Velociraptor were used for quick triage, while experts manually analyzed crash dumps and memory structures such as the Process Environment Block (PEB).
Using tools like bstrings.exe, analysts pulled out key details from crash dumps, including Cobalt Strike communication patterns and team server URLs. YARA rules also helped identify harmful files hiding in memory.
Even with obstacles such as memory data missing because of system paging, analysts found enough evidence (suspicious files, encrypted configs, and network activity) to confirm the persistent danger of the Nitrogen campaign.
As tools like THOR continue to improve, with version 11 adding new ways to spot Cobalt Strike, defenders must prepare for even more advanced attacks.
To stay safe, organizations should strengthen defenses against malvertising, watch for unusual DLL activity, and preserve forensic data that can help uncover threats early. Ransomware campaigns are becoming more deceptive, often hiding behind trusted software downloads and advanced attack tools.
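The sideloading step described earlier (a legitimate installer loading a look-alike python312.dll dropped beside it) and the closing advice to watch for unusual DLL activity can be turned into a concrete triage rule. The code below is an added example for this article, not a detection from THOR or Velociraptor. It walks image-load records shaped like Sysmon Event ID 7 (reduced to Image, ImageLoaded and Signed) and flags a DLL when it is loaded from a user-writable directory, sits next to the executable that loaded it, is unsigned, or carries the name of a library that normally ships with a runtime or the OS. The records, the user name and the extracted folder name are constructed; python312.dll is the name from the incident, the other spoofable names are assumptions.

```python
import ntpath
import re

# Directories an ordinary user can write to. A DLL loaded from here by an
# executable in the same directory is the sideloading pattern described above.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(downloads|desktop|appdata\\local\\temp)"
    r"|windows\\temp|programdata)\\",
    re.I,
)
# Names that legitimately ship with a runtime or the OS and are therefore worth
# spoofing. python312.dll is from the incident; the other names are assumptions.
SPOOFABLE_NAMES = {"python312.dll", "version.dll", "dbghelp.dll", "wtsapi32.dll"}

# Constructed image-load records (fields mirror Sysmon Event ID 7, simplified to
# Image / ImageLoaded / Signed). Paths, user and folder names are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\WinSCP-6.3.6-Setup\WinSCP-6.3.6-Setup.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\WinSCP-6.3.6-Setup\python312.dll",
     "Signed": False},
    {"Image": r"C:\Program Files\Python312\python.exe",
     "ImageLoaded": r"C:\Program Files\Python312\python312.dll",
     "Signed": True},
    {"Image": r"C:\Windows\System32\gpupdate.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": True},
    {"Image": r"C:\Users\alice\Downloads\portable\tool.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": True},
]


def sideload_reasons(event):
    """Return the list of reasons an image-load event looks like DLL sideloading."""
    exe_dir = ntpath.dirname(event["Image"]).lower()
    dll_dir = ntpath.dirname(event["ImageLoaded"]).lower()
    dll_name = ntpath.basename(event["ImageLoaded"]).lower()
    if not USER_WRITABLE.match(dll_dir + "\\"):
        return []  # DLLs resolved from system or program directories are out of scope here
    reasons = ["dll loaded from a user-writable directory"]
    if exe_dir == dll_dir:
        reasons.append("dll sits beside the executable that loaded it")
    if not event.get("Signed", False):
        reasons.append("dll is unsigned")
    if dll_name in SPOOFABLE_NAMES:
        reasons.append(f"{dll_name} normally ships with a runtime or the OS, not an installer")
    return reasons


def triage(events, min_reasons=2):
    """Keep events that accumulate at least min_reasons indicators."""
    hits = []
    for ev in events:
        reasons = sideload_reasons(ev)
        if len(reasons) >= min_reasons:
            hits.append({"event": ev, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["event"]["ImageLoaded"])
        for reason in hit["reasons"]:
            print("  -", reason)
```

A portable application run from Downloads with its own unsigned DLLs will also collect two indicators, so treat the output as a triage queue rather than a verdict; the value of the rule is that the real Python runtime loaded from Program Files and a system DLL loaded by a downloaded tool both drop out, while an installer loading a runtime-named DLL from its own folder rises to the top.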