Nitrogen Dropping Cobalt Strike – A Combination of 'Chemical Elements'
Essential information
- Published
- 02/05/2025 20:25
- Modified
- 02/05/2025 21:27
- Tags
- 2025-05-02 cobalt strike dll sideloading lateral movement malvertising nitrogen nitrogenloader ransomware
- Related entities
- 2 observables, 1 intrusion sets (apt), 8 techniques (mitre), 2 others
Description
The Nitrogen ransomware group has expanded its operations from North America to Africa and Europe since September 2024. They utilize malvertising tactics, disguising malicious payloads as legitimate software like WinSCP. The group employs DLL sideloading for initial access, followed by Cobalt Strike for lateral movement and post-exploitation activities. The analysis reveals their use of a compromised host as a pivot system and attempts to cover tracks by clearing Windows logs. The investigation uncovered Cobalt Strike configurations through pattern analysis, byte-level XOR decryption, and custom YARA rules. Crash dump analysis using Windows Error Reporting artifacts and WinDBG proved crucial in identifying in-memory indicators of Cobalt Strike beacons and related structures.