A new type of malicious activity spreading through Google and Bing search ads

A new malvertising campaign has been observed using Google search and Bing ads to target users of IT tools such as AnyDesk, Cisco AnyConnect VPN and WinSCP, luring them to download a Trojan installer with the aim of compromising corporate networks and potentially carrying out ransomware attacks in the future.

This "opportunistic" activity, dubbed "Nitrogen," is designed to deploy second-stage attack tools such as Cobalt Strike, Sophos said in a July 26 analysis.

Nitrogen was first documented by eSentire in June 2023, detailing a chain of infections that redirected users to compromised WordPress sites, ultimately sending Python scripts and Cobalt Strike Beacons onto targeted systems.

Sophos researchers say that throughout the infection chain, the threat uses uncommon export forwarding and DLL preloading techniques to mask its malicious activity.

Once launched, the Python script creates a Meterpreter reverse TCP shell, which allows the attacker to remotely execute code on the infected host and download a Cobalt Strike Beacon for later exploitation.

Ads displayed within search engines have become a common tactic for attackers, the researchers said. By casting a wide net, unsuspecting users are enticed to click and download.

This includes cybercriminals using paid advertisements to lure users to malicious websites, where they are tricked into downloading a variety of malware such as BATLOADER, EugenLoader (a.k.a. FakeBat), and IcedID, which are then used to spread information-stealing programs and other payloads.

Not only that, but Sophos also says it has found a large number of advertisements and discussions about SEO poisoning, malvertising and related services, as well as sellers offering compromised Google Ads accounts on the famous dark web marketplace.

This is a further indication that the attackers have a strong interest in SEO poisoning and malvertising.