Hackers have been exploiting Microsoft Bing’s advertising platform to launch a malvertising campaign that impersonates the reputable VPN service NordVPN.

This sophisticated scheme aims to trick users into downloading a Remote Access Trojan (RAT) known as SecTopRAT, which poses security risks.

The campaign was discovered when users searching for “nord vpn” on Bing were presented with a fraudulent ad.

The ad’s URL featured a domain name, nordivpn[.]xyz, registered only a day before its discovery on April 3, 2024.

The domain’s name, intentionally misspelled, is a tactic to deceive users who may not scrutinize the URL closely.

Clicking on the ad redirects users to another deceptive site, besthord-vpn[.]com, also registered recently.

This site is a near-perfect replica of the legitimate NordVPN website, designed to convince visitors of its authenticity.

The Deceptive Download

Unlike the genuine NordVPN, which requires users to sign up, the fake site offers a direct download link for the installer, hosted on Dropbox.

As reported by Malwarebytes, The file named NordVPNSetup.exe is misleadingly digitally signed to appear as if it originates from the official vendor.

However, the signature is fraudulent. The executable contains not only the NordVPN installer but also the SecTopRAT malware.

The malware is designed to inject itself into MSBuild.exe, a legitimate process, and establish a connection to a command and control server located at 45.141.87[.]216 on port 15647.

This traffic pattern is associated with the Arechclient2 Backdoor, another name for SecTopRAT.

Industry Response

Upon discovery, the malicious Bing ad and its associated infrastructure were reported to Microsoft.

Dropbox has taken swift action to remove the malicious download link.

The cybersecurity community, including ThreatDown, is working with industry partners to dismantle this malvertising operation.

Malvertising illustrates the ease with which malware can be distributed using legitimate software.

Threat actors can rapidly deploy infrastructure to evade content filters and target unsuspecting users.

For organizations looking to safeguard against such threats, DNS Filtering is a robust solution.

ThreatDown customers can enable rules to block online ads, significantly reducing the risk of malvertising. This preventative measure can be applied across an organization or tailored to specific areas.

The exploitation of Bing ads to spread malware is a stark reminder of the ever-evolving landscape of cyber threats.

Users must remain vigilant when downloading software and ensure they use official sources.

Organizations should consider implementing additional security measures, such as DNS Filtering, to protect against sophisticated attacks.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.