Bing Ads Exploited by Hackers to Spread SecTopRAT Through NordVPN Mimic

Hackers have been exploiting Microsoft Bing’s advertising platform to launch a malvertising campaign that impersonates the reputable VPN service NordVPN.

This sophisticated scheme aims to trick users into downloading a Remote Access Trojan (RAT) known as SecTopRAT, which poses security risks.

The campaign was discovered when users searching for “nord vpn” on Bing were presented with a fraudulent ad.

The ad’s URL featured a domain name, nordivpn[.]xyz, registered only a day before its discovery on April 3, 2024.

The domain’s name, intentionally misspelled, is a tactic to deceive users who may not scrutinize the URL closely.

Clicking on the ad redirects users to another deceptive site, besthord-vpn[.]com, also registered recently.

This site is a near-perfect replica of the legitimate NordVPN website, designed to convince visitors of its authenticity.

Document
Run Free ThreatScan on Your Mailbox

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .

The Deceptive Download

Unlike the genuine NordVPN, which requires users to sign up, the fake site offers a direct download link for the installer, hosted on Dropbox.

As reported by Malwarebytes, The file named NordVPNSetup.exe is misleadingly digitally signed to appear as if it originates from the official vendor.

However, the signature is fraudulent. The executable contains not only the NordVPN installer but also the SecTopRAT malware.

The malware is designed to inject itself into MSBuild.exe, a legitimate process, and establish a connection to a command and control server located at 45.141.87[.]216 on port 15647.

This traffic pattern is associated with the Arechclient2 Backdoor, another name for SecTopRAT.

Industry Response

Upon discovery, the malicious Bing ad and its associated infrastructure were reported to Microsoft.

Dropbox has taken swift action to remove the malicious download link.

The cybersecurity community, including ThreatDown, is working with industry partners to dismantle this malvertising operation.

Malvertising illustrates the ease with which malware can be distributed using legitimate software.

Threat actors can rapidly deploy infrastructure to evade content filters and target unsuspecting users.

For organizations looking to safeguard against such threats, DNS Filtering is a robust solution.

ThreatDown customers can enable rules to block online ads, significantly reducing the risk of malvertising. This preventative measure can be applied across an organization or tailored to specific areas.

The exploitation of Bing ads to spread malware is a stark reminder of the ever-evolving landscape of cyber threats.

Users must remain vigilant when downloading software and ensure they use official sources.

Organizations should consider implementing additional security measures, such as DNS Filtering, to protect against sophisticated attacks.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS devices.…

1 day ago

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch Experts…

3 days ago

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan exploits…

4 days ago

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on organizations…

4 days ago

Google Chrome Security, Critical Vulnerabilities Patched

Google has updated its Chrome browser, addressing critical vulnerabilities that posed potential risks to millions…

4 days ago

Notorious WrnRAT Delivered Mimic As Gambling Games

WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling games…

4 days ago