cyware: IT pros targeted with malicious Google ads for PuTTY, FileZilla – Help Net Security

Summary: An ongoing malvertising campaign is targeting IT administrators looking to download system utilities such as PuTTY and FileZilla, redirecting them to copycat sites that deliver Nitrogen malware instead.

Threat Actor: Nitrogen
Victim: IT administrators

Key Points:

  • An ongoing malvertising campaign is targeting IT administrators looking to download system utilities such as PuTTY and FileZilla.
  • The campaign delivers Nitrogen malware through malicious ads served via Google, Bing, or other reputable websites.
  • If the traffic looks like it’s coming from a potential victim, they are redirected to copycat sites impersonating the legitimate sites of those software projects.
  • Nitrogen is used by threat actors to gain initial access to private networks, followed by data theft and the deployment of ransomware.
  • Malvertising has become a pervasive threat, with new campaigns being flagged every day.
  • Search engines’ response to the malvertising problem has been ineffective.
  • User education and endpoint protection are recommended to mitigate the risk of malicious ads.

An ongoing malvertising campaign is targeting IT administrators looking to download system utilities such as PuTTY (a free SSH and Telnet client) and FileZilla (a free cross-platform FTP application).

“We have reported this campaign to Google but no action has been taken yet,” Malwarebytes researcher Jérôme Segura shared.

The campaign

Malicious ads served via Google, Bing, or other reputable websites deliver RATs, infostealers, loaders, and other malware that’s usually masquerading as legitimate software.

In this latest campaign, searching for “Putty” or “FileZilla” on Google Search returns sponsored ads at the top of the search results. These point to cloaking pages, which send the visitor on to decoy sites if the server detects bot or crawler traffic or potential visits by security researchers.


The malicious ads pointing to cloaking domains (Source: Malwarebytes)

If the traffic looks like it’s coming from a potential victim, they are redirected to copycat sites impersonating the legitimate sites of those software projects. If the victim downloads the offered software they get Nitrogen malware instead.

“Nitrogen is used by threat actors to gain initial access to private networks, followed by data theft and the deployment of ransomware such as BlackCat/ALPHV,” Segura explains.

“The final step in this malvertising chain consists of downloading and running the malware payload. Nitrogen uses a technique known as DLL sideloading whereby a legitimate and signed executable launches a DLL.”
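A defender-side check for the copycat-download step described above, added here as an example that is not part of the article or of Malwarebytes’ research: it scans constructed proxy log lines for PuTTY or FileZilla installer downloads served from a host outside an assumed allowlist of official distribution sites, and notes whether the domain reuses the product name (a copycat tell) and whether the referer carries a paid-search click id. The allowlist, log format and sample lines are assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of official distribution hosts; extend with mirrors your
# organisation trusts. Any other host serving these installers is suspicious.
OFFICIAL_HOSTS = {
    "putty": {"www.chiark.greenend.org.uk"},
    "filezilla": {"filezilla-project.org"},
}
# Constructed proxy log format: timestamp client method url status referer
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) \S+ (?P<url>\S+) \d{3} (?P<referer>\S+)$")
# Installer names carrying the product name, e.g. putty.exe, FileZilla_..._setup.exe
INSTALLER_RE = re.compile(r"(putty|filezilla)[^/]*\.(exe|msi)$", re.I)

def host_is_official(host, product):
    """Exact or subdomain match against the allowlist for this product."""
    return any(host == h or host.endswith("." + h) for h in OFFICIAL_HOSTS[product])

def classify(line):
    """Return a finding for a suspicious installer download, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m["url"])
    hit = INSTALLER_RE.search(url.path.rsplit("/", 1)[-1])
    if not hit:
        return None
    product, host = hit.group(1).lower(), (url.hostname or "").lower()
    if host_is_official(host, product):
        return None
    return {
        "ts": m["ts"], "client": m["client"], "host": host, "product": product,
        # Copycat sites commonly reuse the product name in their domain.
        "lookalike": product in host,
        # gclid / msclkid are the click ids Google and Bing append to ad clicks.
        "via_paid_search": any(k in m["referer"] for k in ("gclid=", "msclkid=")),
    }

def flag_suspicious_downloads(lines):
    return [f for f in map(classify, lines) if f]

# Constructed sample lines (.example hosts, private client addresses).
SAMPLE_LOG = [
    "2024-04-10T09:12:01Z 10.0.0.5 GET https://www.chiark.greenend.org.uk/~sgtatham/putty/latest/w64/putty.exe 200 https://www.google.com/",
    "2024-04-10T09:15:44Z 10.0.0.7 GET https://putty-download.example/files/putty.exe 200 https://www.google.com/aclk?gclid=CONSTRUCTED",
    "2024-04-10T09:20:10Z 10.0.0.9 GET https://cdn.mirror.example/FileZilla_3.66.5_win64-setup.exe 200 -",
    "2024-04-10T09:21:00Z 10.0.0.9 GET https://filezilla-project.org/download.php?type=client 200 -",
]
```

Running `flag_suspicious_downloads(SAMPLE_LOG)` flags only the second and third lines; the official PuTTY download and the FileZilla download page are left alone.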

Malvertising: A continuing threat

Malvertising has become such a pervasive threat that new campaigns are getting flagged every day.

The fact that almost identical malvertising campaigns delivering Nitrogen to IT professionals have repeatedly been spotted over the past year or so is a testament both to their efficacy and to search engines’ ineffectual response to the malvertising problem.

“While there are many phishing training simulations for email threats, we aren’t aware of similar trainings for malvertising. Yet, the threat has become prevalent enough to warrant better user education,” Segura pointed out.

“Endpoints can be protected from malicious ads via group policies that restrict traffic coming from the main and lesser known ad networks.”

Source: https://www.helpnetsecurity.com/2024/04/10/malvertising-putty-filezilla/
