otx.alienvault.com
99.86.91.118 (public scan)

Submitted URL: http://otx.alienvault.com/pulse/64c2532c1becc4a75d18d4a9
Effective URL: https://otx.alienvault.com/pulse/64c2532c1becc4a75d18d4a9
Submission: On July 28 via api from DE — Scanned from DE

Form analysis 0 forms found in the DOM

Text Content

Subscribers (318)
NEW NITROGEN MALWARE PUSHED VIA GOOGLE ADS FOR RANSOMWARE ATTACKS

   
 * Created 1 day ago by dekaRituraj
 * Public
 * TLP: White

A new 'Nitrogen' initial access malware campaign uses Google and Bing search ads
to promote fake software sites that infect unsuspecting users with Cobalt Strike
and ransomware payloads. The goal of the Nitrogen malware is to provide the
threat actors with initial access to corporate networks, allowing them to conduct
data theft and cyberespionage and ultimately to deploy the BlackCat/ALPHV
ransomware. Today, Sophos released a report on the Nitrogen campaign, detailing
how it primarily targets technology and non-profit organizations in North
America, impersonating popular software like AnyDesk, Cisco AnyConnect VPN,
TreeSize Free, and WinSCP.

References:
https://github.com/sophoslabs/IoCs/blob/master/Nitrogen%202023-07.csv
https://news.sophos.com/en-us/2023/07/26/into-the-tank-with-nitrogen/
https://www.bleepingcomputer.com/news/security/new-nitrogen-malware-pushed-via-google-ads-for-ransomware-attacks/
Tags:
c2 server, cobalt strike, nitrogenstager, iocs, androidhiddadt, rtfs, owassrf
iocs, ransomwarehive, wormwannacry, indicator, python, python package, nitrogen,
google, winscp, sophos, bing, https, music, blackcat, anydesk, example, lockbit,
metasploit, beware, execution, meterpreter
Industry:
Technology
Malware Families:
Nitrogen, Meterpreter, Cobalt Strike
Att&ck IDs:
 * T1053 - Scheduled Task/Job
 * T1069 - Permission Groups Discovery
 * T1547 - Boot or Logon Autostart Execution
 * T1552 - Unsecured Credentials
 * T1553 - Subvert Trust Controls
 * T1574 - Hijack Execution Flow
 * T1583 - Acquire Infrastructure
 * T1584 - Compromise Infrastructure
 * T1588 - Obtain Capabilities
 * T1608 - Stage Capabilities
 * T1104 - Multi-Stage Channels
 * T1059 - Command and Scripting Interpreter
 * T1566 - Phishing

 * Indicators of Compromise (184)
 * Related Pulses (24)
 * Comments (0)
 * History (0)

TYPES OF INDICATORS
 * CVE (4)
 * Other (35)
 * FileHash-SHA1 (20)
 * FileHash-SHA256 (64)
 * FileHash-MD5 (23)
 * IPv4 (35)

THREAT INFRASTRUCTURE
 * United States (19)
 * Romania (1)
 * Bulgaria (10)
 * Canada (5)

type | indicator | Added | related Pulses
(the Role, title and Active columns are empty for every row shown)

domain | tresize.com | Jul 27, 2023, 11:21:17 AM | 5
domain | myponsdsoftware.com | Jul 27, 2023, 11:21:17 AM | 5
domain | mypondsoftware.com | Jul 27, 2023, 11:21:17 AM | 5
URL | https://winsccp.com/HPVrxkWv?[gclid | Jul 27, 2023, 11:21:17 AM | 5
URL | https://softwareinteractivo.com/streamlining-team-collaboration-the-power-of-for-seamless-file-sharing/[gclid | Jul 27, 2023, 11:21:17 AM | 5
URL | https://172.86.123.127/python/ton.zip | Jul 27, 2023, 11:21:17 AM | 3
URL | https://104.234.119.16:4425/NZAna530Nip9AWgVGZ0wvQmQqVlNzF3vDZ8VNfagijnmurLzImArKHfA/' | Jul 27, 2023, 11:21:17 AM | 3
URL | http://mypondsoftware.com/cisco | Jul 27, 2023, 11:21:17 AM | 5
URL | http://104.234.119.16:8880/Tu6UHNJiKqMAdBVgZOhOfQWLz0QvKbDdGjzQfqCdxVaakl7csNUiwEdQzgC_lyE/' | Jul 27, 2023, 11:21:17 AM | 3
IPv4 | 104.234.119.16 | Jul 27, 2023, 11:21:17 AM | 5

SHOWING 1 TO 10 OF 184 ENTRIES



© Copyright 2023 AlienVault, Inc.