Nitrogen Dropping Cobalt Strike – A Combination of 'Chemical Elements'
NetmanageIT OpenCTI - opencti.netmanageit.com
SUMMARY :
The Nitrogen ransomware group has expanded its operations from North America to Africa and Europe since September 2024. They utilize malvertising tactics, disguising malicious payloads as legitimate software like WinSCP. The group employs DLL sideloading for initial access, followed by Cobalt Strike for lateral movement and post-exploitation activities. The analysis reveals their use of a compromised host as a pivot system and attempts to cover tracks by clearing Windows logs. The investigation uncovered Cobalt Strike configurations through pattern analysis, byte-level XOR decryption, and custom YARA rules. Crash dump analysis using Windows Error Reporting artifacts and WinDBG proved crucial in identifying in-memory indicators of Cobalt Strike beacons and related structures.
OPENCTI LABELS :
cobalt strike,ransomware,lateral movement,malvertising,nitrogen,dll sideloading,nitrogenloader
Open in NetmanageIT OpenCTI Public Instance with below link!
Use public read only username and password on login page.
NOTE : Use Public READ only user credentials on login page banner.
Nitrogen Dropping Cobalt Strike – A Combination of 'Chemical Elements'