Friday, November 1, 2024
Homecyber securityBing Ads Exploited by Hackers to Spread SecTopRAT Through NordVPN Mimic

Bing Ads Exploited by Hackers to Spread SecTopRAT Through NordVPN Mimic

Published on

Malware protection

Hackers have been exploiting Microsoft Bing’s advertising platform to launch a malvertising campaign that impersonates the reputable VPN service NordVPN.

This sophisticated scheme aims to trick users into downloading a Remote Access Trojan (RAT) known as SecTopRAT, which poses security risks.

The campaign was discovered when users searching for “nord vpn” on Bing were presented with a fraudulent ad.

- Advertisement - SIEM as a Service

The ad’s URL featured a domain name, nordivpn[.]xyz, registered only a day before its discovery on April 3, 2024.

The domain’s name, intentionally misspelled, is a tactic to deceive users who may not scrutinize the URL closely.

Clicking on the ad redirects users to another deceptive site, besthord-vpn[.]com, also registered recently.

This site is a near-perfect replica of the legitimate NordVPN website, designed to convince visitors of its authenticity.

Document
Run Free ThreatScan on Your Mailbox

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .

The Deceptive Download

Unlike the genuine NordVPN, which requires users to sign up, the fake site offers a direct download link for the installer, hosted on Dropbox.

As reported by Malwarebytes, The file named NordVPNSetup.exe is misleadingly digitally signed to appear as if it originates from the official vendor.

However, the signature is fraudulent. The executable contains not only the NordVPN installer but also the SecTopRAT malware.

The malware is designed to inject itself into MSBuild.exe, a legitimate process, and establish a connection to a command and control server located at 45.141.87[.]216 on port 15647.

This traffic pattern is associated with the Arechclient2 Backdoor, another name for SecTopRAT.

Industry Response

Upon discovery, the malicious Bing ad and its associated infrastructure were reported to Microsoft.

Dropbox has taken swift action to remove the malicious download link.

The cybersecurity community, including ThreatDown, is working with industry partners to dismantle this malvertising operation.

Malvertising illustrates the ease with which malware can be distributed using legitimate software.

Threat actors can rapidly deploy infrastructure to evade content filters and target unsuspecting users.

For organizations looking to safeguard against such threats, DNS Filtering is a robust solution.

ThreatDown customers can enable rules to block online ads, significantly reducing the risk of malvertising. This preventative measure can be applied across an organization or tailored to specific areas.

The exploitation of Bing ads to spread malware is a stark reminder of the ever-evolving landscape of cyber threats.

Users must remain vigilant when downloading software and ensure they use official sources.

Organizations should consider implementing additional security measures, such as DNS Filtering, to protect against sophisticated attacks.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...