The notorious ALPHV/BlackCat ransomware has been observed using Google Ads to distribute malware.
The gang, responsible for the $100m MGM Resorts breach and leaking sensitive images of breast cancer patients, has expanded its attack methods to include malvertising, according to eSentire’s Threat Response Unit (TRU).
In a new advisory published today, the security firm said it intercepted and thwarted attempts by ALPHV/BlackCat affiliates to breach a law firm, a manufacturer and a warehouse provider within the past three weeks.
ALPHV/BlackCat is part of a cybercrime economy with specialized roles, evolving from experienced ransomware operators like REvil, DarkSide and BlackMatter. Affiliates supporting ALPHV/BlackCat include FIN7, UNC2565 and Scattered Spider.
The new tactic eSentire observed involves using Google Ads promoting popular software like Advanced IP Scanner and Slack, leading business professionals to attacker-controlled websites.
These professionals, thinking they are downloading legitimate software, unwittingly install the Nitrogen malware. Nitrogen serves as initial-access malware providing intruders with a foothold in the target organization’s IT environment.
Once established, the hackers infect the victim with ALPHV/BlackCat ransomware.
“The Nitrogen malware leverages obfuscated Python libraries that compile to Windows executables,” explained Keegan Keplinger, senior threat intelligence researcher with TRU.
“These libraries are useful for legitimate use cases – such as optimizing Python code – but they are also being used to develop malicious malware loaders that can load intrusion tools directly into memory.”
More generally, the security expert added that the rise of browser-based cyber-threats, where users unknowingly download malware while browsing, has become a concerning trend.
Keplinger emphasized the need for user awareness training to extend beyond email attachments, addressing the growing threat of browser-based downloads.
The eSentire advisory recommended organizations focus on endpoint monitoring, capture and monitor logs for systems not supporting endpoint monitoring and implement attack surface reduction rules to mitigate browser-based attacks.
The ALPHV/BlackCat group’s criminal origins, connections to former ransomware groups and their recent high-profile attacks on MGM Resorts, McClaren Health Care, Clarion and Motel One further emphasize the urgency for enhanced cybersecurity measures.