Hackers Attacking Infra Teams With Fake PuTTY & FileZilla Ads

A sophisticated malvertising campaign is targeting system administrators across North America.

The attackers are using fake ads for popular system utilities to distribute a dangerous strain of malware known as Nitrogen.

Step 1: Luring Victims with Malicious Ads

The campaign exploits the trust users place in search engine advertisements. By displaying sponsored search results for utilities like PuTTY and FileZilla, the attackers can lure in their victims.

Malicious ad displayed via Google search

These ads are convincing and tailored to the search habits of IT professionals, making them particularly effective.

Document
Stop Advanced Phishing Attack With AI

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Stopping 99% of phishing attacks missed by other email security solutions. .

Once clicked, these malicious ads lead users to download what they believe to be legitimate software installers.

However, these installers are trojanized versions designed to infect the user’s system with Nitrogen malware.

DNS Filtering can enable ad blocking in their console to prevent such malvertising attacks

This malware serves as a gateway for attackers to gain initial access to private networks, which can then be exploited for data theft or to deploy ransomware such as BlackCat/ALPHV.

Despite reports to Google, the malicious ads continue to run, prompting the cybersecurity community to share detailed information on the tactics, techniques, and procedures (TTPs) used by the attackers and indicators of compromise (IOCs) to help system administrators defend against these threats.

A recent article published in Malwarebytes Labs highlighted that hackers are now targeting infrastructure teams using fake ads for PuTTY and FileZilla.

Step 2: Deception Through Lookalike Sites

The attackers have set up a sophisticated malvertising infrastructure that uses cloaking techniques to evade detection.

Depending on the situation, users who click on the ads may be redirected to a harmless decoy site or a video of Rick Astley—a tactic used to mock security researchers.

The redirect to a decoy page can be activated if the campaign is not weaponized yet or if the malicious server detects invalid traffic (bot, crawler, etc.).
The redirect to a decoy page can be activated if the campaign is not weaponized yet or if the malicious server detects invalid traffic (bot, crawler, etc.).

However, for potential victims, the redirect leads to lookalike sites convincing replicas of the legitimate software pages they are impersonating.

These sites are designed to be as deceptive as possible, increasing the likelihood that someone will download the malware-laden installers.

ThreatDown blocks these malicious websites to prevent your users from being social-engineered into downloading malware
ThreatDown blocks these malicious websites to prevent your users from being social-engineered into downloading malware

Step 3: Deploying Malware and Protecting Against Attacks

The final step in this malicious chain is deploying the Nitrogen malware through the fraudulent installers.

The malware uses a technique known as DLL sideloading, where a legitimate executable is used to launch a malicious DLL file.

In this instance, a seemingly innocuous setup.exe file sideloads a dangerous file named python311.dll, which is associated with Nitrogen.

malvertising chain consists of downloading and running the malware payload
malvertising chain consists of downloading and running the malware payload

To combat this threat, cybersecurity firm ThreatDown has blocked these malicious websites and prevented users from being tricked into downloading malware.

Their Endpoint Detection and Response (EDR) engine can quarantine the malicious DLL immediately, and system administrators can use the AI-assisted engine to search for and review detections.

System administrators can log into their console and use the AI-assisted engine to quickly search and review the detection
System administrators can log into their console and use the AI-assisted engine to search and review the detection quickly

The prevalence of malvertising as a vector for cyber attacks has highlighted the need for better user education specifically tailored to recognize and avoid such threats.

While phishing training for email threats is familiar, similar training for malvertising is not yet widespread.

To protect endpoints from malicious ads, group policies can be implemented to restrict traffic from both significant and lesser-known ad networks.

Secure your emails in a heartbeat! To find your ideal email security vendor, Take a Free 30-Second Assessment.

Divya is a Senior Journalist at Cyber Security news covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.