Trojanized NordVPN Installer Pushed via Microsoft Bing Campaign

A malicious advertising campaign targets users searching for NordVPN on Microsoft Bing, infecting them with the SecTopRAT malware.

Microsoft Bing is a search engine that has experienced massive growth compared to past years, partly thanks to the rise of the Edge browser, which uses it by default, and also its recently acquired AI capabilities that make it preferable to competitor offerings for some internet users.

The malvertising campaign was discovered by Malwarebytes, which warned about the fraudulent installer and highlighted the well-crafted sites and fake app that deliver the malware payload onto the computers of unsuspecting victims.

Bad NordVPN installer

Searching for “nord vpn” on Bing brings up a malicious ad that is made to appear legitimate. The ad takes users to a fake page on nordivpn[.]xyz, which was registered on April 3, 2024.

The freshness of the domain ensures that it has not been added to the blocklists of security products yet, so visitors won’t be served a warning when they visit it. Its name appears authentic at first glance for most users rushing into the installation process.

Users clicking on the link will be redirected to the landing page at besthord-vpn[.]com, which resembles the genuine NordVPN site.
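A defender-side check for the two traits described above, a brand lookalike name and a fresh registration, follows as an added example; it is not code from Malwarebytes or from the original article. The official domain, the 30-day threshold, the one-edit cutoff and the first-seen date are assumptions made for illustration.

```python
from datetime import date
from typing import List, Optional

BRAND = "nordvpn"              # brand the campaign imitates (from the article)
OFFICIAL = {"nordvpn.com"}     # assumption: the vendor's real domain
MAX_AGE_DAYS = 30              # assumption: what counts as "freshly registered"

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(domain: str) -> str:
    """Lower-case and re-fang a defanged indicator such as example[.]com."""
    return domain.strip().lower().replace("[.]", ".")

def brand_distance(domain: str) -> int:
    """Best edit distance between BRAND and any brand-sized window of the name.
    Only the last label is dropped as the TLD (a simplification for co.uk etc.)."""
    label = normalize(domain).rsplit(".", 1)[0].replace("-", "").replace(".", "")
    sizes = (len(BRAND) - 1, len(BRAND), len(BRAND) + 1)
    windows = [label[i:i + w] for w in sizes for i in range(max(1, len(label) - w + 1))]
    return min(edit_distance(BRAND, w) for w in windows)

def assess(domain: str, registered: Optional[date], first_seen: date) -> List[str]:
    """Return the reasons a domain looks suspicious; an empty list means none."""
    if normalize(domain) in OFFICIAL:
        return []
    reasons = []
    if brand_distance(domain) <= 1:   # assumption: one edit away counts as a lookalike
        reasons.append("lookalike")
    # WHOIS data is often missing; an unknown date is not treated as new
    if registered is not None and 0 <= (first_seen - registered).days <= MAX_AGE_DAYS:
        reasons.append("new-domain")
    return reasons

if __name__ == "__main__":
    seen = date(2024, 4, 5)    # constructed observation date
    samples = [("nordivpn.xyz", date(2024, 4, 3)),   # registration date from the article
               ("besthord-vpn[.]com", None),         # registration date not given
               ("nordvpn.com", None), ("example.org", date(2010, 1, 1))]
    for name, reg in samples:
        print(name, assess(name, reg, seen))
```

Both domains named in the article sit one edit away from the brand once hyphens are dropped, which is why the sliding window is needed for the longer landing-page name.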

Clicking on the ‘Download App’ button at the bottom of the homepage delivers a file named ‘NordVPNSetup.exe’ to the victim. This file is digitally signed with an invalid certificate made to appear as if it came from the actual vendor.

The deception continues through the installation and initialization phases, where the trojanized app displays a NordVPN splash screen and login page while injecting SecTopRAT into the MSBuild.exe process in the background.

SecTopRAT is a remote access trojan first documented in 2019. It enables attackers to access the infected machine in real-time, open the web browser, perform keyboard and mouse actions, and more. In 2021, the RAT’s developers added encryption in the malware’s communication with the command and control server to protect it from network traffic monitoring tools.

Although the particular malware family doesn’t hit the news spotlight often, the malware continues circulating in the wild, as the latest NordVPN malvertising campaign has proven. Also, considering that it’s been a while since analysts have dissected SecTopRAT, it’s not unlikely that considerable improvements and new features have been implemented in its latest versions.

For a complete overview of the NordVPN product, limited time offers, and safe links to download a clean installer for your platform, check out our NordVPN review.
