Nitro attackers have some gall

Authored by Tony Millington and Gavin O’Gorman

The intercepted email in this blog was provided by

The Nitro Attacks whitepaper, published by Symantec Security Response, was a snapshot of a hacking group’s activity spanning July 2011 to September 2011. The same group is still active, still targeting chemical companies, and still using the same social engineering modus operandi. That is, they are sending targets a password-protected archive, through email, which contains a malicious executable. The executable is a variant of Poison IVY and the email topic is some form of upgrade to popular software, or a security update. The most recent email (Figure 1) brazenly claims to be from Symantec and offers protection from “poison Ivy Trojan”!

Figure 1 Fake malicious email

Furthermore, the attachment itself is called “the_nitro_attackspdf.7z”. The attachment archive contains a file called “the_nitro_attackspdf                            .exe”. (The large gap between the “pdf” and “.exe” is a basic attempt to fool a user into assuming that the document is a PDF, when it is really a self-extracting archive.)

Figure 2 Contents of the attachment, including the genuine report

When the self-extracting executable runs, it creates a file called lsass.exe (Poison IVY) and creates a PDF file. This PDF file is none other than our own Nitro Attacks document! The attackers, in an attempt to lend some validity to their email, are sending a document to targets that describes their very own activity.
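The attachment names described above (whitespace padding before “.exe”, a document-type hint such as “pdf” or “.doc” left in the visible part of the name) can be flagged automatically at the mail gateway or in a sandbox. The following is an added example, not code from Symantec or from the original post; the sample names are constructed, with the deceptive ones copied from this post and the clean ones made up.

```python
import re
from typing import Dict, List

# Constructed sample names: the deceptive ones are taken from this post,
# the benign ones are invented for contrast.
SAMPLE_NAMES = [
    "the_nitro_attackspdf                            .exe",
    "learning materials.doc .exe",
    "Adobe Reader Update.exe",
    "quarterly_report.pdf",
    "photo.jpg",
]

EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DOCUMENT_HINTS = ("pdf", "doc", "docx", "xls", "xlsx", "ppt", "txt", "jpg")

def deceptive_name_reasons(name: str) -> List[str]:
    """Return the reasons a file name looks crafted to disguise an executable.
    An empty list means none of these checks fired."""
    reasons = []
    stem, dot, ext = name.rpartition(".")
    if not dot or ext.lower() not in EXECUTABLE_EXTS:
        return reasons  # not an executable extension: nothing to disguise
    # 1. Whitespace padding between the visible name and the real extension,
    #    so the ".exe" scrolls out of view in a narrow file dialog or mail client.
    if stem != stem.rstrip():
        reasons.append("whitespace padding before real extension")
    visible = stem.rstrip().lower()
    # 2. A document-like extension left in the visible stem ("report.doc .exe").
    if re.search(r"\.(%s)$" % "|".join(DOCUMENT_HINTS), visible):
        reasons.append("double extension hides executable")
    # 3. A document-type hint glued onto the stem without a dot ("...attackspdf").
    elif visible.endswith(DOCUMENT_HINTS):
        reasons.append("stem ends with document-type hint")
    return reasons

def triage(names: List[str]) -> Dict[str, List[str]]:
    """Map each attachment name to its list of deceptive-name indicators."""
    return {n: deceptive_name_reasons(n) for n in names}

if __name__ == "__main__":
    for name, why in triage(SAMPLE_NAMES).items():
        print(repr(name), "->", why or "no deceptive-name indicators")
```

Note that a name like “Adobe Reader Update.exe” passes these checks: it relies on the lure in the email rather than on a name trick, so filename heuristics complement, rather than replace, blocking executable content inside password-protected archives.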

The threat, lsass.exe, copies itself to “%System%\web\service.exe” and attempts to connect to the domain “”. This domain resolves to an IP, which is hosted by the same hosting provider that hosted most of the previously encountered IP addresses. Figure 3 is a partial graph of the domains involved, including the most recent activity.

Figure 3 Network map

Table 1 lists the latest emails intercepted by Symantec .cloud and the MD5s of the associated threat samples.

Email subject                   | File name
Symantec Security Warning!      | The_nitro_attackspdf .exe
so funny                        |
                                | learning materials.doc .exe
adobe update                    | Adobe Reader Update.exe
Adobe Reader Upgrade Rightnow!  | Install_ reader10_en_air_gtbd_aih.exe
Safety Tips                     |

Table 1 Most recent emails and samples

Despite the publication of the whitepaper, this group continues its activities unchecked. They are using the exact same techniques, even the same hosting provider for their command and control (C&C) servers. The domains have been disabled, Symantec has contacted the relevant IP hosting provider, and the emails continue to be blocked by the .cloud email scanning service. Customers have been, and continue to be, protected from attacks performed by this group.