Bing ad posing as NordVPN aims to spread SecTopRAT malware


A Bing ad designed to look like a link to install NordVPN leads to an installer for the SecTopRAT remote access Trojan.

Malwarebytes Labs discovered the malicious advertising campaign Thursday; the domain name used in the ad had been created a day earlier. The URL (nordivpn(.)xyz) was made to look like a legitimate NordVPN domain. The ad link redirects to a website with another typosquatted URL (besthord-vpn(.)com) and a replica of the real NordVPN website.

The scam website’s download button led to a Dropbox account containing the NordVPNSetup.exe installer. This executable included both a real NordVPN installer and a malware payload that is injected into MSBuild.exe and connects to the attacker’s command and control (C2) server.

The threat actor attempted to digitally sign the malicious executable, but the signature was found to be invalid. However, Jerome Segura, senior threat researcher at Malwarebytes ThreatDown Labs, told SC Media on Friday that he later discovered the executable had a valid code signing certificate.

Segura said that some security products may block the executable due to its invalid signature, but “perhaps the best evasion technique is dynamic process injection where malicious code is injected into a legitimate Windows application.”

“Finally, it should be noted that the file contains an installer for NordVPN which could very well thwart detection of the entire executable,” Segura added.

The malicious payload, SecTopRAT, also known as ArechClient, is a remote access Trojan (RAT) that was first discovered by MalwareHunterTeam in November 2019 and analyzed shortly afterward by G DATA researchers. The researchers found that the RAT creates a second, “invisible” desktop that allows an attacker to control browsing sessions on the victim’s system.

SecTopRAT is also capable of sending system information, such as system name, username, and hardware information, to the attacker’s C2 server.

Malwarebytes reported the malware campaign to Microsoft, which owns Bing, and to Dropbox. Dropbox has since deleted the account storing the malware, and Segura said his team had yet to receive a response from Microsoft as of Friday.

“We noticed that the threat actors updated their infrastructure last night, possibly in response to our report. They are now redirecting victims to a new domain, thenordvpn(.)info, which may indicate that the malvertising campaign is still active, perhaps under a different advertiser identity,” Segura said.
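For defenders, the three lookalike domains named in this article can be caught by a brand-similarity check run over proxy or DNS logs. The Python sketch below is an added example, not code from Malwarebytes or from this article; the function names, the edit-distance threshold of 1 and the allowlist containing nordvpn.com are assumptions.

```python
import re

BRAND = "nordvpn"            # brand string to protect
OFFICIAL = {"nordvpn.com"}   # assumed allowlist of the vendor's own domain

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def closest_window(name, brand=BRAND):
    """Smallest distance between the brand and any brand-sized slice of name."""
    best = len(brand)
    for size in (len(brand) - 1, len(brand), len(brand) + 1):
        for start in range(max(1, len(name) - size + 1)):
            best = min(best, edit_distance(name[start:start + size], brand))
    return best

def classify(host):
    """Return 'official', 'lookalike' or 'unrelated' for a (possibly defanged) host."""
    host = host.lower().replace("(.)", ".").replace("[.]", ".").strip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return "unrelated"
    # Naive registrable domain (last two labels); multi-part suffixes such as
    # co.uk would need a public-suffix list.
    if ".".join(labels[-2:]) in OFFICIAL:
        return "official"
    # Scan every label except the TLD, with hyphens and other separators removed,
    # so padded names and brand-in-subdomain tricks are both covered.
    name = re.sub(r"[^a-z0-9]", "", "".join(labels[:-1]))
    return "lookalike" if closest_window(name) <= 1 else "unrelated"

# First three hosts are the domains reported in the article (kept defanged);
# the rest are constructed controls.
SAMPLE_HOSTS = ["nordivpn(.)xyz", "besthord-vpn(.)com", "thenordvpn(.)info",
                "www.nordvpn.com", "example.org"]

def triage(hosts=SAMPLE_HOSTS):
    return {h: classify(h) for h in hosts}

if __name__ == "__main__":
    for host, verdict in triage().items():
        print(f"{verdict:10} {host}")
```

A threshold of 1 keeps false positives low for a seven-character brand; shorter brand strings need an exact-substring rule instead.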

Other malvertising campaigns spreading SecTopRAT have been spotted in the past. In 2021, Ars Technica reported on a campaign which exploited Google advertisements claiming to promote the Brave browser.

Last October, threat actors used a combination of malvertising, search engine optimization (SEO) poisoning, and hacked websites to trick users into installing a fake MSIX Windows application package containing the GHOSTPULSE malware loader. Once installed, GHOSTPULSE uses dual processing to facilitate the execution of multiple malware strains, including SecTopRAT.
