Nitrogen Dropping Cobalt Strike – A Combination of 'Chemical Elements'

· Published 02/05/2025 20:25 · Modified 02/05/2025 21:27

Essential information

Tags
2025-05-02 cobalt strike dll sideloading lateral movement malvertising nitrogen nitrogenloader ransomware
Related entities
2 observables, 1 intrusion sets (apt), 8 techniques (mitre), 2 others

Description

The Nitrogen group has expanded its operations from North America to Africa and Europe since September 2024. It relies on malvertising, disguising malicious payloads as legitimate software such as WinSCP. The group uses NitrogenLoader for initial access, followed by Cobalt Strike for lateral movement and post-exploitation activity. The analysis shows a compromised host being used as a pivot system and attempts to cover tracks by clearing Windows event logs. The investigation recovered beacon configurations through pattern analysis, byte-level XOR decryption, and custom YARA rules. Crash dump analysis using Windows Error Reporting artifacts and WinDbg proved crucial in identifying in-memory indicators of beacons and related structures.
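The description mentions recovering beacon configurations by pattern analysis and byte-level XOR decryption. The script below is an added example of that technique, not code from the report or its authors. It relies on two publicly documented properties of Cobalt Strike beacon configs: the block is a sequence of TLV records (index, type and length as 16-bit big-endian values, with a decoded block always starting with record 1 / type short / length 2), and the block is obfuscated with a single XOR byte (0x69 for 3.x, 0x2e for 4.x; other keys are brute-forced as a fallback). The buffer it scans is constructed inline for the demo and is not captured from real malware; the field-name table is a subset taken from open-source parsers.

```python
"""Locate and decode an XOR-obfuscated Cobalt Strike beacon configuration
block inside an arbitrary byte buffer (memory region, unpacked DLL, crash dump).

Added example, not the report's tooling. The sample buffer is constructed.
"""
import struct
from typing import Optional

CANDIDATE_KEYS = (0x2E, 0x69)            # known single-byte keys (4.x, 3.x)
# A decoded config starts with record #1 (beacon type), type SHORT (1), length 2
CONFIG_HEADER = b"\x00\x01\x00\x01\x00\x02"
TYPE_SHORT, TYPE_INT, TYPE_BYTES = 1, 2, 3
# Subset of field numbers documented by public beacon parsers
FIELD_NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize",
               5: "Jitter", 8: "C2Server", 9: "UserAgent", 10: "HttpPostUri"}


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_config(buf: bytes, keys=CANDIDATE_KEYS, brute_force=True):
    """Return (offset, key) of the first encoded config header, or None.
    Known keys are tried first; with brute_force the remaining 254 follow."""
    search = list(keys)
    if brute_force:
        search += [k for k in range(256) if k not in keys]
    for key in search:
        off = buf.find(xor(CONFIG_HEADER, key))   # pattern match in encoded form
        if off != -1:
            return off, key
    return None


def parse_config(decoded: bytes) -> dict:
    """Walk TLV records until the all-zero terminator record or end of data."""
    fields, pos = {}, 0
    while pos + 6 <= len(decoded):
        idx, typ, length = struct.unpack(">HHH", decoded[pos:pos + 6])
        pos += 6
        if idx == 0:                                # terminator
            break
        raw = decoded[pos:pos + length]
        pos += length
        if typ == TYPE_SHORT and length == 2:
            val = struct.unpack(">H", raw)[0]
        elif typ == TYPE_INT and length == 4:
            val = struct.unpack(">I", raw)[0]
        else:                                       # TYPE_BYTES: NUL-padded string/blob
            val = raw.rstrip(b"\x00").decode("latin-1")
        fields[FIELD_NAMES.get(idx, f"Field{idx}")] = val
    return fields


def extract_beacon_config(buf: bytes) -> Optional[dict]:
    hit = find_config(buf)
    if hit is None:
        return None
    off, key = hit
    cfg = parse_config(xor(buf[off:], key))
    cfg["_offset"], cfg["_xor_key"] = off, key
    return cfg


# ---- constructed sample (hypothetical values, not a real beacon) ----------
def _tlv(idx: int, typ: int, payload: bytes) -> bytes:
    return struct.pack(">HHH", idx, typ, len(payload)) + payload


def build_sample(key: int = 0x2E) -> bytes:
    config = (_tlv(1, TYPE_SHORT, struct.pack(">H", 8))          # 8 = HTTPS beacon
              + _tlv(2, TYPE_SHORT, struct.pack(">H", 443))
              + _tlv(3, TYPE_INT, struct.pack(">I", 60000))       # sleep in ms
              + _tlv(8, TYPE_BYTES,
                     b"cdn.example.invalid,/jquery-3.3.1.min.js".ljust(256, b"\x00"))
              + _tlv(0, 0, b""))                                  # terminator
    # Surround with junk so the header has to be searched for, as in a real dump
    return b"MZ\x90\x00" + b"\x41" * 64 + xor(config, key) + b"\x00" * 32


if __name__ == "__main__":
    for field, value in extract_beacon_config(build_sample()).items():
        print(f"{field:>12}: {value}")
```

On real memory the brute-force fallback can hit false positives (any six bytes matching the header pattern under some key), so treat a non-standard key as a lead to verify by checking that the parsed records have plausible types and lengths, not as a confirmed config.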

External references