BlackCat disguises the malicious Nitrogen downloader as popular corporate software

Lord777

Fake ads have become a new attack vector for a well-known ransomware group.

Cybercrime groups operating as part of the BlackCat ransomware operation (ALPHV) have adopted a new tactic — using malicious advertising to gain initial access to victims' systems.

Under the guise of popular business software, such as the corporate messenger Slack or the AnyConnect VPN client from Cisco, attackers distribute the malicious program Nitrogen, which serves to establish initial control over the system and then launch ransomware.

According to eSentire's threat response team, its customers have been repeatedly targeted by ALPHV/BlackCat affiliated groups. The campaign using Nitrogen was first recorded in June, but the use of malicious advertising to distribute it is a new tactic.

"Nitrogen is an initial penetration software that uses Python libraries for stealth," explains Keegan Keplinger, senior threat researcher at eSentire. "This springboard provides attackers with an initial entry point into the target organization's IT environment."

Once hackers gain a foothold in the attacked company's network, they can infect it with any malware of their choice. In the operation under review, that malware was the ALPHV/BlackCat ransomware.

Using popular Python libraries helps blend the traces of the intrusion into normal traffic, and additional obfuscation techniques make the attack even harder to detect.

The BlackCat group is known in the cybercrime community for its almost complete lack of honor and moral principles. For example, the gang's ransomware was repeatedly used in attacks on medical institutions, which is considered unacceptable among many cybercriminals. Earlier this year, hackers even tried to blackmail one of the hospitals by publishing nude photos of patients with breast cancer.

By contrast, the ransomware group LockBit has repeatedly issued public apologies for the actions of its affiliates. For example, in January the hackers provided a decryptor to a children's hospital in Canada that had been attacked "by mistake", and in April the same happened for the American school district Olympia Community Unit 16.

Returning to the BlackCat group, it has recently shown a clear desire to grow and strengthen its position. The group's leaders accepted the Octo Tempest hacker group into their partner program, whose extensive experience in SIM swapping, SMS phishing, and social engineering proved attractive enough for BlackCat to offer the group cooperation.

Thus, despite the security measures taken, BlackCat continues to evolve and adapt to new conditions. Their latest malicious advertising tactic demonstrates the sophistication and flexibility of the group's approach.

Companies need to strengthen their monitoring for suspicious activity and invest in robust security measures to avoid becoming the next victim of this unscrupulous group of cybercriminals.