A Bing advertisement designed to look like a link to install NordVPN was found to lead to an installer for the remote access trojan SecTopRAT.
Malwarebytes Labs discovered the malvertising campaign on Thursday, with the domain name used for the malicious ad having been created just a day earlier. The URL (nordivpn[.]xyz) was designed to look like a legitimate NordVPN domain. The ad link redirected to a website with another typosquatted URL (besthord-vpn[.]com) and a replica of the real NordVPN website.
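The redirect chain above relies entirely on domains that read like the brand at a glance (nordivpn[.]xyz, besthord-vpn[.]com). The following script is an added example, not code from Malwarebytes or SC Media: it scores a list of domains against a brand name by taking the smallest edit distance between the brand and any substring of the registrable label, which catches both a one-character slip and a brand padded with extra words. The sample domain list is constructed (the three lookalikes named in this article plus benign controls), and the allowlist of legitimate domains is an assumption for the example.

```python
from typing import Iterable

# Brand being impersonated and the domains known to be legitimate for it.
# The allowlist is an assumption for this example; in practice it comes from
# the organisation's own inventory.
BRAND = "nordvpn"
ALLOWLIST = {"nordvpn.com"}

# Constructed sample input: the lookalike domains named in the article plus
# benign domains as negative controls.
SAMPLE_DOMAINS = [
    "nordivpn.xyz",
    "besthord-vpn.com",
    "thenordvpn.info",
    "nordvpn.com",
    "wordpress.org",
    "example.com",
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label of the domain, lowercased, with hyphens removed.

    Splitting on dots is a simplification: a production version should use
    the Public Suffix List so that e.g. 'nordvpn.co.uk' also yields 'nordvpn'.
    """
    parts = domain.lower().strip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    return label.replace("-", "")


def best_window_distance(label: str, brand: str) -> int:
    """Smallest edit distance between the brand and any substring of the label
    whose length is within one of the brand's length.

    Comparing windows rather than the whole label is what catches padded
    lookalikes such as 'thenordvpn' and 'besthordvpn'.
    """
    best = levenshtein(label, brand)
    n = len(brand)
    for width in (n - 1, n, n + 1):
        for start in range(max(1, len(label) - width + 1)):
            best = min(best, levenshtein(label[start:start + width], brand))
    return best


def flag_lookalikes(domains: Iterable[str], brand: str = BRAND,
                    allowlist: set = ALLOWLIST, max_distance: int = 1) -> list:
    """Return (domain, distance) pairs for domains that resemble the brand and
    are not allowlisted. A threshold of 1 keeps false positives low; raise it
    only for long brand names, since short brands collide with ordinary words.
    """
    hits = []
    for domain in domains:
        if domain.lower() in allowlist:
            continue
        distance = best_window_distance(registrable_label(domain), brand)
        if distance <= max_distance:
            hits.append((domain, distance))
    return hits


if __name__ == "__main__":
    for domain, distance in flag_lookalikes(SAMPLE_DOMAINS):
        print(f"{domain}: lookalike of {BRAND} (edit distance {distance})")
```

Feed it newly registered domains (from certificate transparency logs or a registrar feed) rather than a static list; the value here is that the domain in this campaign was registered only a day before the ad ran, so the check has to be continuous. Anything that scores at or below the threshold goes to a block list or a takedown queue, not straight to an alert, because legitimate resellers and regional sites will also score low until they are allowlisted.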
The download button on the fraudulent website led to a Dropbox-hosted file, NordVPNSetup.exe. This executable bundled both a genuine NordVPN installer and a malware payload; the payload is injected into MSBuild.exe, a legitimate Windows build tool, which then connects to the attacker's command-and-control (C2) server.
Malwarebytes initially reported that the threat actor had attempted to digitally sign the malicious executable but that the signature was invalid. However, Principal Threat Researcher Jérôme Segura of Malwarebytes ThreatDown Labs told SC Media on Friday that he had since found the executable carried a valid code-signing certificate.
Segura said some security products may block the executable due to its invalid signature, but, “Perhaps the better evasion technique is the dynamic process injection where the malicious code is injected into a legitimate Windows application.”
“Finally, we should note that the file contains an installer for NordVPN which could very well thwart detection of the whole executable,” Segura added.
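Because the code runs inside MSBuild.exe, a signed Microsoft binary, the image on disk gives a defender nothing to match; the signal is in the context of how MSBuild.exe started and what it did next. The following detection logic is an added example, not Malwarebytes' or SC Media's code: it walks Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records, and flags MSBuild.exe when it is spawned by an unexpected parent or when it makes an outbound connection without having been given anything to build. The event records, process IDs, file paths and the destination address are constructed for the example, and the set of expected parent processes is an assumption that has to be tuned per fleet.

```python
import json
import re
from pathlib import PureWindowsPath

# Parents from which MSBuild.exe is expected to start on developer/CI hosts.
# This set is an assumption for the example; tune it per fleet. On hosts with
# no build tooling at all, any MSBuild.exe start is itself worth an alert.
EXPECTED_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe"}

# Path fragments typical of a just-downloaded or unpacked installer.
USER_WRITABLE_DIRS = ("\\downloads\\", "\\temp\\", "\\appdata\\")

# Something to build on the command line. Its presence is not exoneration
# (malicious inline-task project files are a separate MSBuild abuse), but a
# payload injected into a bare MSBuild.exe has nothing here.
PROJECT_ARG = re.compile(r"\.(?:csproj|vbproj|fsproj|proj|sln|targets)\b", re.IGNORECASE)

# Constructed Sysmon-style events as JSON lines. PIDs, paths and the
# destination address (TEST-NET-3) are invented for the example.
SAMPLE_EVENTS = r'''
{"EventID": 1, "ProcessId": 4100, "Image": "C:\\Users\\alice\\Downloads\\NordVPNSetup.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Users\\alice\\Downloads\\NordVPNSetup.exe\""}
{"EventID": 1, "ProcessId": 4212, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", "ParentImage": "C:\\Users\\alice\\Downloads\\NordVPNSetup.exe", "CommandLine": "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe\""}
{"EventID": 3, "ProcessId": 4212, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", "DestinationIp": "203.0.113.45", "DestinationPort": 443}
{"EventID": 1, "ProcessId": 5000, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", "ParentImage": "C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\devenv.exe", "CommandLine": "MSBuild.exe C:\\src\\app\\app.csproj /t:Build"}
{"EventID": 3, "ProcessId": 5000, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", "DestinationIp": "10.0.0.5", "DestinationPort": 443}
'''


def parse_events(text: str) -> list:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def image_name(path: str) -> str:
    """Lowercased file name of a Windows path, usable on any host OS."""
    return PureWindowsPath(path).name.lower()


def has_project_argument(cmdline: str) -> bool:
    return bool(PROJECT_ARG.search(cmdline))


def detect(events: list) -> list:
    """Correlate process creations with later network connections and return
    one alert dict per finding, in event order.

    Correlation is keyed on PID for brevity; a production rule should key on
    Sysmon's ProcessGuid so that PID reuse cannot mix two processes up.
    """
    procs = {}    # pid -> most recent process-creation event for that pid
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:
            procs[ev["ProcessId"]] = ev
            if image_name(ev["Image"]) != "msbuild.exe":
                continue
            parent = ev["ParentImage"]
            if (image_name(parent) not in EXPECTED_PARENTS
                    or any(d in parent.lower() for d in USER_WRITABLE_DIRS)):
                alerts.append({"rule": "msbuild_unexpected_parent",
                               "pid": ev["ProcessId"], "parent": parent})
        elif ev["EventID"] == 3:
            proc = procs.get(ev["ProcessId"])
            if proc is None or image_name(proc["Image"]) != "msbuild.exe":
                continue
            if not has_project_argument(proc["CommandLine"]):
                alerts.append({"rule": "msbuild_network_without_project",
                               "pid": ev["ProcessId"],
                               "dest": f"{ev['DestinationIp']}:{ev['DestinationPort']}"})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the constructed input the MSBuild.exe started by the installer in Downloads trips both rules, while the one started by Visual Studio with a .csproj argument trips neither, even though it also talks to the network. The two rules are deliberately independent: the parent check fires at process start, before any C2 traffic, and the network check still catches the case where the injecting parent is something the allowlist happens to trust.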
The malicious payload, SecTopRAT, also known as ArechClient, is a remote access trojan (RAT) that was first discovered by MalwareHunterTeam in November 2019 and shortly after analyzed by researchers from G DATA. The researchers found that the RAT creates an “invisible” second desktop that enables an attacker to control browser sessions on the victim’s system.
SecTopRAT is also able to send system information, such as system name, username and hardware information, to the attacker’s C2 server.
Malwarebytes reported the malware campaign to both Microsoft, which owns Bing, and Dropbox. Dropbox has since removed the account storing the malware, and Segura said his team had not yet heard back from Microsoft as of Friday.
“We did notice that the threat actors updated their infrastructure last night, perhaps in reaction to our report. They are now redirecting victims to a new domain thenordvpn[.]info which may indicate that the malvertising campaign is still active, perhaps under another advertiser identity,” Segura said.
Other malvertising campaigns spreading SecTopRAT have been spotted in the past. In 2021, Ars Technica reported on a campaign that leveraged Google ads claiming to promote the Brave browser.
Last October, threat actors used a combination of malvertising, search engine optimization (SEO) poisoning and breached websites to trick users into installing a fake MSIX Windows app package that contained the GHOSTPULSE malware loader. Once installed, GHOSTPULSE uses process doppelganging to facilitate the execution of multiple malware strains, including SecTopRAT.