Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware
· Published 01/10/2024 10:05 · Modified 01/10/2024 10:29
Essential information
- Published: 01/10/2024 10:05
- Modified: 01/10/2024 10:29
- Tags: 2024-10-01, alphv, blackcat, cobalt strike, credential harvesting, data exfiltration, lateral movement, nitrogen, noberus, ransomware, sliver
- Related entities: 45 observables, 32 techniques (MITRE), 6 malware
Description
A BlackCat ransomware intrusion began with a Nitrogen malware campaign impersonating Advanced IP Scanner. The attackers used Sliver and Cobalt Strike beacons for post-exploitation, using Python scripts to load the beacons in memory. They enumerated the network with various tools and, after harvesting credentials, moved laterally with Impacket. Data was exfiltrated with the Restic backup tool. Eight days after initial access, the attackers changed a privileged user's password and deployed BlackCat ransomware across the domain, using PsExec to execute a batch script. The intrusion lasted 156 hours over 8 days and ended with file encryption and ransom notes left on the affected systems.
Related entities
Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.
Observables (45)
Techniques (MITRE) (32)
- SMB/Windows Admin Shares
- Domain Groups
- Local Groups
- Local Account
- LSASS Memory
- Data from Network Shared Drive
- Service Execution
- Remote Desktop Protocol
- Dynamic-link Library Injection
- T1547.004
- Python
- Clear Windows Event Logs
- Exfiltration Over Alternative Protocol
- Network Share Discovery
- Scheduled Task
- Inhibit System Recovery
- Domain Trust Discovery
- Remote System Discovery
- Windows Command Shell
- PowerShell
- Drive-by Compromise
- Web Protocols
- Match Legitimate Resource Name or Location
- Malicious File
- Data Encrypted for Impact
- Ingress Tool Transfer
- Lateral Tool Transfer
- Windows Management Instrumentation
- Process Injection
- Masquerading
- Account Manipulation
Malware (6)