Bing Ads Exploited by Hackers to Spread SecTopRAT Through NordVPN Mimic

Hackers have been exploiting Microsoft Bing’s advertising platform to launch a malvertising campaign that impersonates the reputable VPN service NordVPN.

This sophisticated scheme aims to trick users into downloading a Remote Access Trojan (RAT) known as SecTopRAT, which poses security risks.

The campaign was discovered when users searching for “nord vpn” on Bing were presented with a fraudulent ad.

The ad’s URL featured a domain name, nordivpn[.]xyz, registered only a day before its discovery on April 3, 2024.

The domain’s name, intentionally misspelled, is a tactic to deceive users who may not scrutinize the URL closely.

Clicking on the ad redirects users to another deceptive site, besthord-vpn[.]com, also registered recently.

This site is a near-perfect replica of the legitimate NordVPN website, designed to convince visitors of its authenticity.

Document
Run Free ThreatScan on Your Mailbox

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .

The Deceptive Download

Unlike the genuine NordVPN, which requires users to sign up, the fake site offers a direct download link for the installer, hosted on Dropbox.

As reported by Malwarebytes, The file named NordVPNSetup.exe is misleadingly digitally signed to appear as if it originates from the official vendor.

However, the signature is fraudulent. The executable contains not only the NordVPN installer but also the SecTopRAT malware.

The malware is designed to inject itself into MSBuild.exe, a legitimate process, and establish a connection to a command and control server located at 45.141.87[.]216 on port 15647.

This traffic pattern is associated with the Arechclient2 Backdoor, another name for SecTopRAT.

Industry Response

Upon discovery, the malicious Bing ad and its associated infrastructure were reported to Microsoft.

Dropbox has taken swift action to remove the malicious download link.

The cybersecurity community, including ThreatDown, is working with industry partners to dismantle this malvertising operation.

Malvertising illustrates the ease with which malware can be distributed using legitimate software.

Threat actors can rapidly deploy infrastructure to evade content filters and target unsuspecting users.

For organizations looking to safeguard against such threats, DNS Filtering is a robust solution.

ThreatDown customers can enable rules to block online ads, significantly reducing the risk of malvertising. This preventative measure can be applied across an organization or tailored to specific areas.

The exploitation of Bing ads to spread malware is a stark reminder of the ever-evolving landscape of cyber threats.

Users must remain vigilant when downloading software and ensure they use official sources.

Organizations should consider implementing additional security measures, such as DNS Filtering, to protect against sophisticated attacks.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Microsoft Patches Multiple Vulnerabilities Allow Attackers to Elevate Privileges

Microsoft has recently released patches addressing multiple vulnerabilities that could enable attackers to elevate privileges…

11 minutes ago

Why the MITRE ATT&CK Evaluation Is Essential for Security Leaders

In today’s dynamic threat landscape, security leaders are under constant pressure to make informed choices…

14 hours ago

Lazarus Hackers Exploits macOS Extended Attributes To Evade Detection

The xattr command in Unix-like systems allows for the embedding of hidden metadata within files,…

16 hours ago

ProjectSend Authentication Vulnerability Exploited in the Wild

ProjectSend, an open-source file-sharing web application, has become a target of active exploitation following the…

18 hours ago

NVIDIA UFM Vulnerability Leads to Privilege Escalation & Data Tampering

NVIDIA has released a critical security update addressing a significant vulnerability in its Unified Fabric…

20 hours ago

Junior School Student Indicted for Infecting Computers With Malware

Fukui Prefectural Police have indicted a 15-year-old junior high school student from Saitama Prefecture for…

23 hours ago