Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware

    Date: 10/01/2024

    Severity: Critical

    Summary

    The incident began when a user inadvertently downloaded a malicious version of Advanced IP Scanner from a counterfeit website built to resemble the legitimate one; the attackers used Google ads to push the fake site to a high search ranking. The attack pattern and loader signature indicate that this was part of a Nitrogen campaign, consistent with earlier public reports. The compromised installer was delivered as a ZIP archive; the victim extracted it and ran the embedded executable, which led to the infection.

    Indicators of Compromise (IOC) List

    IP Addresses:

    194.49.94.18

    194.169.175.134

    91.92.250.60

    91.92.250.65

    91.92.245.26

    195.123.226.84

    Hashes (each sample is listed as its MD5, SHA1 and SHA256 digest, in that order):

    DBF5F56998705C37076B6CAE5D0BFB4D
    
    E6AB3C595AC703AFD94618D1CA1B8EBCE623B21F
    
    5DC8B08C7E1B11ABF2B6B311CD7E411DB16A7C3827879C6F93BD0DAC7A71D321
    
    EB64862F1C8464CA3D03CF0A4AC608F4
    
    6F43E6388B64998B7AA7411104B955A8949C4C63
    
    726F038C13E4C90976811B462E6D21E10E05F7C11E35331D314C546D91FA6D21
    
    3A4FDBC642A24A240692F9CA70757E9F
    
    794203A4E18F904F0D244C7B3C2F5126B58F6A21
    
    5F7D438945306BF8A7F35CAB0E2ACC80CDC9295A57798D8165EF6D8B86FBB38D
    
    7A4CB8261036F35FD273DA420BF0FD5E
    
    9648559769179677C5B58D5619CA8872F5086312
    
    4EF1009923FC12C2A3127C929E0AA4515C9F4D068737389AFB3464C28CCF5925
    
    1BE7FE8E20F8E9FDC6FD6100DCAD38F3
    
    C4CDE794CF4A68D63617458A60BC8B90D99823CA
    
    4EE4E1E2CEDF59A802C01FAE9CCFCFDE3E84764C72E7D95B97992ADDD6EDF527
    
    4232C065029EB52D1B4596A08568E800
    
    79818110ABD52BA14800CDFF39ECA3252412B232
    
    3298629DE0489C12E451152E787D294753515855DBF1CE80BFCDED584A84AC62
    
    637FB65A1755C4B6DC1E0428E69B634E
    
    FBA4652B6DBE0948D4DADCEBF51737A738CA9E67
    
    B3B1FF7E3D1D4F438E40208464CEBFB641B434F5BF5CF18B7CEC2D189F52C1B6
    
    0B1882F719504799B3211BF73DFDC253
    
    448892D5607124FDD520F62FF0BC972DF801C046
    
    39EC2834494F384028AD17296F70ED6608808084EF403714CFBC1BFBBED263D4
    
    E20FC97E364E859A2FB58D66BC2A1D05
    
    F5F56413F81E8F4A941F53E42A90BA1720823F15
    
    9514035FEA8000A664799E369AE6D3AF6ABFE8E5CDA23CDAFBEDE83051692E63
    
    C737A137B66138371133404C38716741
    
    A3E4FB487400D99E3A9F3523AEAA9AF5CF6E128B
    
    25172A046821BD04E74C15DC180572288C67FDFF474BDB5EB11B76DCE1B3DAD3
    
    7A1E7F652055C812644AD240C41D904A
    
    B39C244C3117F516CE5844B2A843EFF1E839207C
    
    5FAC60F1E97B6EAAE18EBD8B49B912C86233CF77637590F36AA319651582D3C4
    
    E0D1CF0ABD09D7632F79A8259283288D
    
    3A78CE27A7AA16A8230668C644C7DF308DE6CF33
    
    D15CAB3901E9A10AF772A0A1BDBF35B357EE121413D4CF542D96819DC4471158

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    IP Address:

    dstipaddress IN ("91.92.250.60","194.49.94.18","91.92.250.65","91.92.245.26","194.169.175.134","195.123.226.84") or ipaddress IN ("91.92.250.60","194.49.94.18","91.92.250.65","91.92.245.26","194.169.175.134","195.123.226.84") or publicipaddress IN ("91.92.250.60","194.49.94.18","91.92.250.65","91.92.245.26","194.169.175.134","195.123.226.84") or srcipaddress IN ("91.92.250.60","194.49.94.18","91.92.250.65","91.92.245.26","194.169.175.134","195.123.226.84")

    Hash Query 1 (MD5):

    md5hash IN ("7A4CB8261036F35FD273DA420BF0FD5E","DBF5F56998705C37076B6CAE5D0BFB4D","EB64862F1C8464CA3D03CF0A4AC608F4","3A4FDBC642A24A240692F9CA70757E9F","1BE7FE8E20F8E9FDC6FD6100DCAD38F3","4232C065029EB52D1B4596A08568E800","637FB65A1755C4B6DC1E0428E69B634E","0B1882F719504799B3211BF73DFDC253","E20FC97E364E859A2FB58D66BC2A1D05","C737A137B66138371133404C38716741","7A1E7F652055C812644AD240C41D904A","E0D1CF0ABD09D7632F79A8259283288D")

    Hash Query 2 (SHA1):

    sha1hash IN ("9648559769179677C5B58D5619CA8872F5086312","E6AB3C595AC703AFD94618D1CA1B8EBCE623B21F","6F43E6388B64998B7AA7411104B955A8949C4C63","794203A4E18F904F0D244C7B3C2F5126B58F6A21","C4CDE794CF4A68D63617458A60BC8B90D99823CA","79818110ABD52BA14800CDFF39ECA3252412B232","FBA4652B6DBE0948D4DADCEBF51737A738CA9E67","448892D5607124FDD520F62FF0BC972DF801C046","F5F56413F81E8F4A941F53E42A90BA1720823F15","A3E4FB487400D99E3A9F3523AEAA9AF5CF6E128B","B39C244C3117F516CE5844B2A843EFF1E839207C","3A78CE27A7AA16A8230668C644C7DF308DE6CF33")

    Hash Query 3 (SHA256):

    sha256hash IN ("9514035FEA8000A664799E369AE6D3AF6ABFE8E5CDA23CDAFBEDE83051692E63","4EF1009923FC12C2A3127C929E0AA4515C9F4D068737389AFB3464C28CCF5925","5DC8B08C7E1B11ABF2B6B311CD7E411DB16A7C3827879C6F93BD0DAC7A71D321","726F038C13E4C90976811B462E6D21E10E05F7C11E35331D314C546D91FA6D21","5F7D438945306BF8A7F35CAB0E2ACC80CDC9295A57798D8165EF6D8B86FBB38D","4EE4E1E2CEDF59A802C01FAE9CCFCFDE3E84764C72E7D95B97992ADDD6EDF527","3298629DE0489C12E451152E787D294753515855DBF1CE80BFCDED584A84AC62","B3B1FF7E3D1D4F438E40208464CEBFB641B434F5BF5CF18B7CEC2D189F52C1B6","39EC2834494F384028AD17296F70ED6608808084EF403714CFBC1BFBBED263D4","25172A046821BD04E74C15DC180572288C67FDFF474BDB5EB11B76DCE1B3DAD3","5FAC60F1E97B6EAAE18EBD8B49B912C86233CF77637590F36AA319651582D3C4","D15CAB3901E9A10AF772A0A1BDBF35B357EE121413D4CF542D96819DC4471158")
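    The queries above express the IOC match as IN-lists over a few event fields. As an added illustration (not part of the original advisory and not Gurucul TDIR code), the Python script below applies the same logic to JSON log lines: it checks the four IP fields named in the IP query, infers each hash's algorithm from its hex length so it lands in the right md5hash / sha1hash / sha256hash set, and compares hashes case-insensitively, since log sources disagree on hex case. The IOC values are copied from the list above (only the first three samples' hash triplets, to keep the block short); the field names follow the queries but are an assumption about the event schema, and the sample log lines are constructed for the demonstration.

```python
import json
import re

# IOC values copied from the advisory's IOC list. For brevity only the first
# three samples' MD5/SHA1/SHA256 triplets are included; the remaining hashes
# from the list are appended to IOC_HASHES in the same way.
IOC_IPS = {
    "194.49.94.18", "194.169.175.134", "91.92.250.60",
    "91.92.250.65", "91.92.245.26", "195.123.226.84",
}

IOC_HASHES = """
DBF5F56998705C37076B6CAE5D0BFB4D
E6AB3C595AC703AFD94618D1CA1B8EBCE623B21F
5DC8B08C7E1B11ABF2B6B311CD7E411DB16A7C3827879C6F93BD0DAC7A71D321
EB64862F1C8464CA3D03CF0A4AC608F4
6F43E6388B64998B7AA7411104B955A8949C4C63
726F038C13E4C90976811B462E6D21E10E05F7C11E35331D314C546D91FA6D21
3A4FDBC642A24A240692F9CA70757E9F
794203A4E18F904F0D244C7B3C2F5126B58F6A21
5F7D438945306BF8A7F35CAB0E2ACC80CDC9295A57798D8165EF6D8B86FBB38D
""".split()

# The advisory splits its hash queries by algorithm; the algorithm is inferred
# here from the hex digest length (32 = MD5, 40 = SHA1, 64 = SHA256).
HASH_LEN_TO_FIELD = {32: "md5hash", 40: "sha1hash", 64: "sha256hash"}


def index_hashes(hashes):
    """Build {field_name: set(lowercase digests)} so lookups ignore hex case."""
    index = {field: set() for field in HASH_LEN_TO_FIELD.values()}
    for h in hashes:
        h = h.strip().lower()
        if not re.fullmatch(r"[0-9a-f]+", h) or len(h) not in HASH_LEN_TO_FIELD:
            raise ValueError(f"not an MD5/SHA1/SHA256 hex digest: {h!r}")
        index[HASH_LEN_TO_FIELD[len(h)]].add(h)
    return index


HASH_INDEX = index_hashes(IOC_HASHES)

# Field names follow the advisory's queries; they are an assumption about the
# event schema, not the field names of any particular log source.
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")


def match_event(event):
    """Return a list of (field, value) pairs in `event` that hit an IOC."""
    hits = []
    for field in IP_FIELDS:
        value = event.get(field)
        if value in IOC_IPS:
            hits.append((field, value))
    for field, known in HASH_INDEX.items():
        value = event.get(field)
        if isinstance(value, str) and value.lower() in known:
            hits.append((field, value))
    return hits


def scan_log(lines):
    """Parse one JSON event per line; return [(line_no, hits)] for matching lines."""
    results = []
    for line_no, line in enumerate(lines, start=1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # unparseable line: skip it rather than abort the scan
        hits = match_event(event)
        if hits:
            results.append((line_no, hits))
    return results


# Constructed sample events (not from the incident) to exercise the matcher:
# one C2 IP hit, one lowercase SHA256 hit, one benign event, one junk line.
SAMPLE_LOG = [
    '{"srcipaddress": "10.0.0.5", "dstipaddress": "91.92.250.60", "dstport": 443}',
    '{"ipaddress": "10.0.0.7", "sha256hash": "5dc8b08c7e1b11abf2b6b311cd7e411db16a7c3827879c6f93bd0dac7a71d321"}',
    '{"srcipaddress": "10.0.0.9", "dstipaddress": "8.8.8.8", "md5hash": "D41D8CD98F00B204E9800998ECF8427E"}',
    'not json at all',
]

if __name__ == "__main__":
    for line_no, hits in scan_log(SAMPLE_LOG):
        for field, value in hits:
            print(f"line {line_no}: {field}={value} matched a Nitrogen IOC")
```

    Lowercasing both the IOC set and the event value is the part most easily forgotten when the hunt is run across several log sources: a SHA256 emitted in lowercase by one sensor will not match an uppercase IN-list unless the platform normalises case for you.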

    Reference:

    https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/#indicators 


    Tags: Malware, Ransomware, Nitrogen Campaign, BlackCat, IT Industry
