Hackers have been exploiting Microsoft Bing’s advertising platform to launch a malvertising campaign that impersonates the reputable VPN service NordVPN.
This sophisticated scheme aims to trick users into downloading a Remote Access Trojan (RAT) known as SecTopRAT, which poses security risks.
The campaign was discovered when users searching for “nord vpn” on Bing were presented with a fraudulent ad.
The ad’s URL featured a domain name, nordivpn[.]xyz, registered only a day before its discovery on April 3, 2024.
The domain’s name, intentionally misspelled, is a tactic to deceive users who may not scrutinize the URL closely.
Clicking on the ad redirects users to another deceptive site, besthord-vpn[.]com, also registered recently.
This site is a near-perfect replica of the legitimate NordVPN website, designed to convince visitors of its authenticity.
Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .
Unlike the genuine NordVPN, which requires users to sign up, the fake site offers a direct download link for the installer, hosted on Dropbox.
As reported by Malwarebytes, The file named NordVPNSetup.exe is misleadingly digitally signed to appear as if it originates from the official vendor.
However, the signature is fraudulent. The executable contains not only the NordVPN installer but also the SecTopRAT malware.
The malware is designed to inject itself into MSBuild.exe, a legitimate process, and establish a connection to a command and control server located at 45.141.87[.]216 on port 15647.
This traffic pattern is associated with the Arechclient2 Backdoor, another name for SecTopRAT.
Upon discovery, the malicious Bing ad and its associated infrastructure were reported to Microsoft.
Dropbox has taken swift action to remove the malicious download link.
The cybersecurity community, including ThreatDown, is working with industry partners to dismantle this malvertising operation.
Malvertising illustrates the ease with which malware can be distributed using legitimate software.
Threat actors can rapidly deploy infrastructure to evade content filters and target unsuspecting users.
For organizations looking to safeguard against such threats, DNS Filtering is a robust solution.
ThreatDown customers can enable rules to block online ads, significantly reducing the risk of malvertising. This preventative measure can be applied across an organization or tailored to specific areas.
The exploitation of Bing ads to spread malware is a stark reminder of the ever-evolving landscape of cyber threats.
Users must remain vigilant when downloading software and ensure they use official sources.
Organizations should consider implementing additional security measures, such as DNS Filtering, to protect against sophisticated attacks.
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.
The GitVenom campaign, a sophisticated cyber threat, has been exploiting GitHub repositories to spread malware…
In a recent escalation of cyber threats, hackers have launched a targeted campaign, identified as…
A recent cybersecurity investigation has uncovered a cluster of 16 malicious Chrome extensions that have…
A significant vulnerability has been discovered in the Sliver C2 server, a popular open-source cross-platform…
A significant breakthrough in bypassing Windows activation has been achieved with the introduction of TSforge,…
The AhnLab Security Intelligence Center (ASEC) has uncovered a new cyberattack campaign leveraging the LummaC2…