NordVPN Impersonators Exploit Bing Ads to Spread SecTopRAT Malware

In yet another instance highlighting the dangers of malvertising, the popular VPN service NordVPN has become the latest target of cybercriminals. Security researchers at Malwarebytes have discovered a sophisticated campaign misusing Bing search ads to lure users into downloading a malware-laden installer disguised as NordVPN.

The Scheme

Image: SecTopRAT (credit: Malwarebytes)

  • Threat actors purchase malicious Bing search ads designed to appear for queries like “nord vpn.”
  • The ads lead to a convincing, near-identical copy of the NordVPN website.
  • Unsuspecting users are then prompted to download an installer directly from Dropbox.
  • This “NordVPNSetup.exe” file, while appearing digitally signed, carries a hidden payload – the SecTopRAT Remote Access Trojan (RAT).

Modus Operandi

  1. The malicious installer runs a legitimate NordVPN installer (likely to maintain the illusion) and, alongside it, injects the SecTopRAT payload into MSBuild.exe, the Microsoft Build Engine that ships with the .NET development framework.
  2. Upon execution, the RAT establishes a connection to the attacker’s command-and-control (C2) server, enabling extensive control over the infected system.
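The two steps above describe a process chain a defender can look for in endpoint telemetry: MSBuild.exe started by something that is not a developer toolchain, followed by that same MSBuild.exe process talking to the network. The detection sketch below is an added example, not code from Malwarebytes or the original article. It assumes the installer spawns MSBuild.exe as a child process (injection into an already-running MSBuild.exe would not show this parent relationship) and uses constructed, Sysmon-style events whose paths, PIDs and addresses are hypothetical.

```python
"""
Added detection sketch (not from Malwarebytes or the original article): flag an
MSBuild.exe process whose parent is an executable in a user-writable location
(for example an installer run from Downloads) and that later opens an outbound
network connection. Event layout loosely follows Sysmon (EventID 1 = process
create, EventID 3 = network connect); the events, paths, PIDs and addresses are
constructed for this example.
"""

# Constructed sample telemetry (hypothetical values, not campaign IoCs).
MSBUILD = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120,
     "Image": "C:\\Users\\alice\\Downloads\\NordVPNSetup.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    # Installer from Downloads spawns MSBuild.exe: unusual outside a dev toolchain.
    {"EventID": 1, "ProcessId": 4188, "Image": MSBUILD,
     "ParentImage": "C:\\Users\\alice\\Downloads\\NordVPNSetup.exe"},
    # That MSBuild.exe then talks to an external host (TEST-NET address).
    {"EventID": 3, "ProcessId": 4188, "Image": MSBUILD,
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # Benign baseline: MSBuild started by Visual Studio and fetching packages.
    {"EventID": 1, "ProcessId": 5200, "Image": MSBUILD,
     "ParentImage": "C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\devenv.exe"},
    {"EventID": 3, "ProcessId": 5200, "Image": MSBUILD,
     "DestinationIp": "10.0.0.5", "DestinationPort": 443},
]

# Path fragments that indicate a user-writable, hence untrusted, parent location.
USER_WRITABLE_MARKERS = ("\\users\\", "\\downloads\\", "\\temp\\", "\\appdata\\")


def is_msbuild(image):
    return image.lower().endswith("\\msbuild.exe")


def suspicious_parent(parent_image):
    """True when the parent binary lives somewhere an ordinary user can write."""
    return any(marker in parent_image.lower() for marker in USER_WRITABLE_MARKERS)


def find_suspicious_msbuild(events):
    """Correlate process-create and network-connect events by PID.

    Returns a list of (pid, parent_image, 'ip:port') tuples for MSBuild.exe
    instances that were started by a suspicious parent and then connected out.
    Events are assumed to be in chronological order; PID reuse between the two
    events is ignored here, which a production rule would need to handle.
    """
    flagged = {}    # pid -> parent image of a suspicious MSBuild.exe
    findings = []
    for ev in events:
        if ev["EventID"] == 1 and is_msbuild(ev["Image"]) \
                and suspicious_parent(ev["ParentImage"]):
            flagged[ev["ProcessId"]] = ev["ParentImage"]
        elif ev["EventID"] == 3 and ev["ProcessId"] in flagged:
            dest = f"{ev['DestinationIp']}:{ev['DestinationPort']}"
            findings.append((ev["ProcessId"], flagged[ev["ProcessId"]], dest))
    return findings


if __name__ == "__main__":
    for pid, parent, dest in find_suspicious_msbuild(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} MSBuild.exe spawned by {parent} connected to {dest}")
```

Run against the constructed events, only the MSBuild.exe instance spawned from the Downloads folder is reported; the Visual Studio-launched build, which also connects out, is left alone. The parent-path heuristic is deliberately coarse, so in a real environment it should be tuned against a baseline of legitimate MSBuild.exe parents (build agents, IDEs, package managers) before it is used for alerting.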

SecTopRAT Capabilities

The SecTopRAT malware is a potent tool in the cybercriminal arsenal. It allows threat actors to:

  • Steal sensitive data and files
  • Deploy additional malware
  • Monitor keystrokes and online activity
  • Remotely control the compromised machine

Mitigation and Protection

Malwarebytes has taken proactive steps by reporting the malicious Bing ads to Microsoft and working with other industry players to dismantle this campaign. Here’s what individuals and organizations can do:

  • Scrutinize URLs: Exercise extra vigilance when clicking on search ads. Look for subtle misspellings and odd domains that attempt to mimic legitimate brands.
  • Direct Downloads Only: Always download software directly from official, verified vendor websites.
  • Robust Endpoint Security: Implement a layered security solution including antivirus, anti-malware, and intrusion detection systems.
  • DNS Filtering: Employ tools like ThreatDown to block malicious ads at the network level.
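The first two recommendations ("Scrutinize URLs" and "Direct Downloads Only") can be turned into a simple, repeatable check rather than left to the user's eye. The script below is an added example, not a Malwarebytes tool or code from the article. It compares the registrable domain of a URL against the official vendor domain, flags hosts that merely contain or closely resemble the brand name, and flags downloads served from a public file-sharing host such as Dropbox instead of the vendor's own site. The sample URLs use the reserved .example TLD and are constructed for illustration; the two-label "registrable domain" extraction is a simplification (it mishandles suffixes like co.uk) noted in the code.

```python
"""
Added example (not from the original article): heuristic URL scrutiny for
brand-impersonation and off-site downloads. Only nordvpn.com is treated as the
official domain; every other host below is constructed for illustration.
"""
from urllib.parse import urlparse

# Brand label -> official registrable domain (assumed; extend for other vendors).
OFFICIAL_DOMAINS = {"nordvpn": "nordvpn.com"}

# Public file hosts that a vendor's official download should not come from.
PUBLIC_FILE_HOSTS = {"dropbox.com", "dropboxusercontent.com"}

# Maximum edit distance at which a domain label counts as a brand lookalike.
MAX_LOOKALIKE_DISTANCE = 2


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Naive registrable domain: last two labels. Simplification: public
    suffixes such as co.uk would need a proper suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_url(url):
    """Classify a URL as 'official', 'third-party-file-host', 'lookalike' or
    'unrelated' relative to the brands in OFFICIAL_DOMAINS."""
    host = (urlparse(url).hostname or "").lower()
    reg = registrable_domain(host)
    if reg in OFFICIAL_DOMAINS.values():
        return "official"
    if reg in PUBLIC_FILE_HOSTS:
        return "third-party-file-host"
    first_label = reg.split(".")[0]
    squashed = host.replace("-", "")      # "nord-vpn" reads as "nordvpn"
    for brand in OFFICIAL_DOMAINS:
        # Brand string present anywhere in the host but wrong registrable domain.
        if brand in squashed:
            return "lookalike"
        # Small typo away from the brand label (e.g. one substituted letter).
        if levenshtein(first_label, brand) <= MAX_LOOKALIKE_DISTANCE:
            return "lookalike"
    return "unrelated"


# Constructed sample URLs (the .example hosts are hypothetical).
SAMPLE_URLS = [
    "https://nordvpn.com/download/",
    "https://www.nordvpn.com/",
    "https://nord-vpn.example/download",
    "https://nordvpm.example/",
    "https://nordvpn.com.example/setup",
    "https://www.dropbox.com/s/placeholder/NordVPNSetup.exe",
    "https://example.org/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{assess_url(u):22} {u}")
```

On the constructed list the two official URLs pass, the hyphenated, typo'd and "brand-as-subdomain" hosts are all reported as lookalikes, and the Dropbox link is reported as a third-party file host regardless of the filename it carries. The edit-distance threshold of 2 is an assumption; a longer brand name can tolerate a larger threshold, while very short labels will produce false positives and need an allowlist.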