Find out what sensitive data of yours is exposed online today with our new, free Digital Footprint Portal.

Digital security is about so much more than malware. That wasn’t always the case. 

When I started Malwarebytes more than 16 years ago, malware was the primary security concern—the annoying pop-ups, the fast-spreading viruses, the catastrophic worms—and throughout our company’s history, Malwarebytes routinely excelled against this threat. We caught malware that other vendors missed, and we pioneered malware detection methods beyond the signature-based industry standard.  

I’m proud of our success, but it wasn’t just our technology that got us here. It was our attitude.  

At Malwarebytes, we believe that everyone has the right to a secure digital life, no matter their budget, which is why our malware removal tool was free when it launched and remains free today. Our ad blocking tool, Browser Guard is also available to all without a charge. This was very much _not_ the norm in cybersecurity, but I believe it was—and will always be—the right thing to do.  

Today, I am proud to add to our legacy of empowering individuals regardless of their wallet by releasing a new, free tool that better educates and prepares people for modern threats that abuse exposed data to target online identities. I’d like to welcome everyone to try our new Digital Footprint Portal.  

See your exposed data in our new Digital Footprint Portal.

By simply entering an email address, anyone can discover what information of theirs is available on the dark web to hackers, cybercriminals, and scammers. From our safe portal, everyday people can view past password breaches, active social media profiles, potential leaks of government ID info, and more.  

More than a decade ago, Malwarebytes revolutionized the antivirus industry by prioritizing the security of all individuals. Today, Malwarebytes is now also revolutionizing digital life protection by safeguarding the data that serves as the backbone of your identity, your privacy, your reputation, and your well-being online.  

****Why data matters** **

I can’t tell you how many times I’ve read that “data is the new oil” without reading any explanations as to why people should care.  

Here’s my attempt at clarifying the matter: Too much of our lives are put online without our control.  

Creating a social media account requires handing over your full name and birthdate. Completing any online shopping order requires detailing your address and credit card number. Getting approved for a mortgage requires the exchange of several documents that reveal your salary and your employer. Buying a plane ticket could necessitate your passport info. Messaging your doctor could involve sending a few photos that you’d like to keep private.  

As we know, a lot of this data is valuable to advertisers—this is what pundits focus on when they invoke the value of “oil” in discussing modern data collection—but this data is also valuable to an entirely separate group that has learned to abuse private information in novel and frightening ways: Cybercriminals.  

Long ago, cybercriminals would steal your username and password by fooling you with an urgently worded phishing email. Today, while this tactic is still being used, there’s a much easier path to data theft. Cybercriminals can simply buy your information on the dark web.  

That information can include credit card numbers—where the risk of financial fraud is obvious—and even more regulated forms of identity, like Social Security Numbers and passport info. Equipped with enough forms of “proof,” online thieves can fool a bank into routing your money elsewhere or trick a lender into opening a new line of credit in your name.  

Where the risk truly lies, however, is in fraudulent account access.  

If you’ve ever been involved in a company’s data breach (which is extremely likely), there’s a chance that the username and password that were associated with that data breach can be bought on the dark web for just pennies. Even though each data breach involves just one username and password for each account, cybercriminals know that many people frequently reuse passwords across multiple accounts. After illegally purchasing your login credentials that were exposed in one data breach, thieves will use those same credentials to try to log into more popular, sensitive online accounts, like your online banking, your email, and your social media.  

If any of these attempts at digital safe-cracking works, the potential for harm is enormous.  

With just your email login and password, cybercriminals can ransack photos that are stored in an associated cloud drive and use those for extortion. They can search for attachments that reveal credit card numbers, passport info, and ID cards and then use that information to fool a bank into letting them access your funds. They can pose as you in bogus emails and make fraudulent requests for money from your family and friends. They can even change your password and lock you out forever. 

This is the future of personal cybercrime, and as a company committed to stopping cyberthreats everywhere, we understand that we have a role to play in protecting people.  

We will always stop malware. We will always advise to create and use unique passwords and multifactor authentication. But today, we’re expanding our responsibility and helping you truly see the modern threats that could leverage your data.  

With the Digital Footprint Portal, who you are online is finally visible to you—not just cybercriminals. Use it today to understand where your data has been leaked, what passwords have been exposed, and how you can protect yourself online.  

****Digitally safe** **

Malwarebytes and the cybersecurity industry at large could not have predicted today’s most pressing threats against online identities and reputations, but that doesn’t mean we get to ignore them. The truth is that Malwarebytes was founded with a belief broader than anti-malware protection. Malwarebytes was founded to keep people safe.  

As cybercriminals change their tactics, as scammers needle their way onto online platforms, and as thieves steal and abuse the sensitive data that everyone places online, Malwarebytes will always stay one step ahead. The future isn’t about worms, viruses, Trojans, scams, pig butchering, or any other single scam. It’s about holistic digital life protection. We’re excited to help you get there.

 Introducing the Digital Footprint Portal 

The Change Healthcare ransomware attack as suffered a third cruel twist.

The Change Healthcare ransomware attack has taken a third cruel twist. A new ransomware group, RansomHub, has listed the organisation as a victim on its dark web leak site, saying it has 4 TB of “highly selective data,” which relates to “all Change Health clients that have sensitive data being processed by the company.”

The announcement follows a series of events that require some unpacking.

Change Healthcare is one of the largest healthcare technology companies in the USA, responsible for the flow of payments between payers, providers, and patients. It was attacked on Wednesday February 21, 2024, by a criminal “affiliate” working with the ALPHV ransomware group, which led to huge disruptions in healthcare payments. Patients were left facing enormous pharmacy bills, small medical providers teetered on the edge of insolvency, and the government scrambled to keep the money flowing and the lights on.

American Hospital Association (AHA) President and CEO Rick Pollack described the attack as “the most significant and consequential incident of its kind against the US health care system in history.”

The notorious ALPHV ransomware group claimed responsibility, chalking up Change Healthcare as one of a raft of healthcare victims in what looked like a deliberate campaign against the sector at the start of 2024.

ALPHV used the ransomware-as-a-service (RaaS) business model, selling the software and infrastructure used to carry out ransomware attacks to criminal gangs known as affiliates, in return for a share of the ransoms they extorted.

On March 3, a user on the RAMP dark web forum claimed they were the affiliate behind the attack, and that ALPHV had stolen the entirety of a $22 million ransom paid by Change Healthcare. Shortly after, the ALPHV group disappeared in an unconvincing exit scam designed to make it look as if the group’s website had been seized by the FBI.

ALPHV’s exit left Change Healthcare with nothing to show for its $22 million payment, a disgruntled affiliate looking for a ransom, and very possibly two different criminal gangs—ALPHV and its affiliate—in possession of a huge trove of stolen data.

Now, a month later, a newcomer ransomware group, RansomHub has listed Change Healthcare as a victim on its website.

Change Healthcare is listed as a victim on the RansomHub dark web leak site

While some have speculated that Change Healthcare has suffered a second attack, the RansomHub site itself makes the connection to the events surrounding February 21 quite clear:

> As an introduction we will give everyone a fast update on what happened previously and on the current situation.
> 
> ALPHV stole the ransom payment (22 Million USD) that Change Healthcare and United Health payed in order to restore their systems and prevent the data leak.
> 
> HOWEVER we have the data and not ALPHV.

RansomHub first appeared in late February and its arrival dovetails neatly with ALPHV’s disappearance in very early March, leading some to think they are the same group under two different names.

The statement also pours water on the idea that RansomHub is a rebrand of the ALPHV group with its suggestion that “we have the data and not ALPHV.” However, any public statement like this has to be tempered by the fact that ransomware groups are prolific liars.

It’s not uncommon for affiliates to work with multiple RaaS providers, so the most likely explanation is that having lost its money to ALPHV, the affiliate that ransacked Change Healthcare has paired up with a different ransomware group.

Whatever the reason, there is no comfort in it for Change Healthcare. Having apparently already paid a ransom thirty times greater than the average demand, it now has to decide whether it’s going to pay out again.

For everyone else, it’s a lesson in how devastating ransomware can be, and how badly things can go even when you pay a ransom.

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 New ransomware group demands Change Healthcare ransom 

Threat actors once again target system administrators via their favorite tools. Learn more about their TTPs and use the IOCs provide to investigate.

In the past couple of weeks, we have observed an ongoing campaign targeting system administrators with fraudulent ads for popular system utilities. The malicious ads are displayed as sponsored results on Google’s search engine page and localized to North America.

Victims are tricked into downloading and running the Nitrogen malware masquerading as a PuTTY or FileZilla installer. Nitrogen is used by threat actors to gain initial access to private networks, followed by data theft and the deployment of ransomware such as BlackCat/ALPHV.

We have reported this campaign to Google but no action has been taken yet. This blog post aims to share the tactics, techniques and procedures (TTPs) as well as indicators of compromise (IOCs) so defenders can take action.

**Step 1: Luring victims in via malicious ads**

The initial intrusion starts from a malicious ad displayed via Google search. We have observed several different advertiser accounts which were all reported to Google. The lures are utilities commonly used by IT admins such as PuTTY and FileZilla.

Online ads from search engine result pages are increasingly being used to deliver malware to corporate users. ThreatDown users that have DNS Filtering can enable ad blocking in their console to prevent such malvertising attacks:

**Step 2: Directing users to lookalike sites**

The malvertising infrastructure deployed by Nitrogen threat actors uses a cloaking page that can either redirect to a decoy site or the infamous Rick Astley video. The redirect to a decoy page can be activated if the campaign is not weaponized yet or if the malicious server detects invalid traffic (bot, crawler, etc.).

The Rick Astley redirect is mostly to mock security researchers investigating this campaign:

Actual lookalike pages are meant for potential victims. They are often good-looking copycats which could easily fool just about anyone:

ThreatDown blocks these malicious websites to prevent your users from being social-engineered into downloading malware:

**Step 3: Deploying malware via a fraudulent installer**

The final step in this malvertising chain consists of downloading and running the malware payload. Nitrogen uses a technique known as DLL sideloading whereby a legitimate and signed executable launches a DLL. In this case, _setup.exe_ (from the Python Software Foundation) sideloads _python311.dll_ (Nitrogen).

ThreatDown via its EDR engine quarantines the malicious DLL immediately. System administrators can log into their console and use the AI-assisted engine to quickly search and review the detection:

**Recommendations**

While there are many phishing training simulations for email threats, we aren’t aware of similar trainings for malvertising. Yet, the threat has become prevalent enough to warrant better user education.

Endpoints can be protected from malicious ads via group policies that restrict traffic coming from the main and lesser known ad networks. Click here for more information about DNS filtering via our Nebula platform.

Endpoint Detection and Response (EDR) is a cornerstone in your security posture, complemented by Managed Detection and Response (MDR) where analysts can quickly alert you of an impending intrusion.

**Indicators of Compromise**

Cloaking domains:

kunalicon\[.\]com  
inzerille\[.\]com  
recovernj\[.\]com

Lookalike sites:

file-zilla-projectt\[.\]org  
puuty\[.\]org  
pputy\[.\]com  
puttyy\[.\]ca

Nitrogen payloads (URLs):

amplex-amplification\[.\]com/wp-includes/FileZilla\_3.66.1\_win64.zip  
newarticles23\[.\]com/wp-includes/putty-64bit-0.80-installer.zip  
support\[.\]hosting-hero\[.\]com/wp-includes/putty-64bit-0.80-installer.zip  
mkt.geostrategy-ec\[.\]com/installer.zip

Nitrogen payloads (SHA256):

ecde4ca1588223d08b4fc314d6cf4bce82989f6f6a079e3eefe8533222da6281
2037ec95c91731f387d3c0c908db95184c93c3b8412b6b3ca3219f9f8ff60945
033a286218baca97da19810446f9ebbaf33be6549a5c260889d359e2062778cf

Nitrogen C2s:

94.156.65\[.\]98  
94.156.65\[.\]115

 Active Nitrogen campaign delivered via malicious ads for PuTTY, FileZilla 

A man has pleaded guilty to assuming someone else's identity for 35 years.

Sometimes the consequences of a stolen identity exceed anything you could have imagined.

Matthew David Keirans, a 58-year-old former hospital employee has pleaded guilty to assuming another man’s identity since 1988. He was convicted of one count of making a false statement to a National Credit Union Administration insured institution and one count of aggravated identity theft.

The man whose identity he assumed—William Donald Woods—and Keirans worked together in 1988 at a hot dog cart in Albuquerque.

Keirans was wanted for theft, so he used Woods’ identity “in every aspect of his life,” including obtaining employment, insurance and official documents, and even paying taxes under Wood’s name, according to a plea agreement signed by Keirans. He even fathered a child, whose last name is Woods.

In 1990, Keirans obtained a fraudulent Colorado identification card with Woods’ name and birthday. He used the ID to get a job at a fast-food restaurant and to get a Colorado bank account. He bought a car for $600 in 1991, using Wood’s name, with two $300 checks that bounced.

It wasn’t the first time Keirans had committed car theft. When he was 16, he stole a car after running away from his adoptive parents’ home in San Francisco.

In 2012, Keirans fraudulently acquired a copy of Woods’ birth certificate from the state of Kentucky using information he found about Woods’ family on Ancestry.com.

Under the assumed identity, Keirans also worked as a systems architect for the University of Iowa Hospital where he was fired for misconduct related to the identity theft investigation.

Meanwhile, the real William Woods was homeless and living in Los Angeles, when he discovered that someone was using his credit and had accumulated a lot of debt. Woods didn’t want to pay the debt and so went after the account numbers for any accounts he had open so he could close them. He handed a bank employee his real Social Security card and an authentic California Identification card, which matched the information the bank had on file. But because there was a large amount of money in the accounts, the bank employee asked Woods a series of security questions that he was unable to answer.

At that point, the bank employee called Keirans, whose phone number was associated with the accounts. He was able to answer the security questions correctly and stated that no one in California should have access to the accounts.

So, the bank employee called the police and after an investigation, the real Woods was arrested and charged with identity theft and false impersonation, under a misspelling of Keirans’ name: Matthew Kierans.

Because Woods refused to give up his own identity, a judge ruled in February 2020 that he was not mentally competent to stand trial and he was sent to a mental hospital in California, where he received psychotropic medication and other mental health treatment.

For legal reasons, Woods pleaded no contest to the identity theft charges—meaning he accepted the conviction but did not admit guilt—and was sentenced to two years imprisonment with credit for the two years he already served in the county jail and the hospital and was released.

But he didn’t give up his fight for his identity even though the judge ordered him to stop using the name William Woods. He attempted to regain his identity by filing customer disputes with financial organizations to clear his credit report.

It wasn’t until a police detective tested Woods’ biological father’s DNA against Woods’ DNA. Both men had the same birth certificate with the father’s name on it. The DNA test proved Woods was the man’s son. During a follow-up interview Keirans made a mistake and eventually confessed to the prolonged identity theft, according to court documents.

Keirans was indicted on five counts of making a false statement to a National Credit Union Administration insured institution and two counts of aggravated identity theft. He pleaded guilty to one count of each charge, and the other counts were dropped.

A sentence ruling has not yet been scheduled. Keirans is currently in the custody of the US Marshals Service, according to a news release about his plea.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 35-year long identity theft leads to imprisonment for victim 

This week on the Lock and Code podcast, we re-air an episode with guest Alec Muffett about online age verification.

_This week on the Lock and Code podcast…_

A digital form of protest could become the go-to response for the world’s largest porn website as it faces increased regulations: Not letting people access the site.

In March, PornHub blocked access to visitors connecting to its website from Texas. It marked the second time in the past 12 months that the porn giant shut off its website to protest new requirements in online age verification.

The Texas law, which was signed in June 2023, requires several types of adult websites to verify the age of their visitors by either collecting visitors’ information from a government ID or relying on a third party to verify age through the collection of multiple streams of data, such as education and employment status.

PornHub has long argued that these age verification methods do not keep minors safer and that they place undue onus on websites to collect and secure sensitive information.

The fact remains, however, that these types of laws are growing in popularity.

Today, Lock and Code revisits a prior episode from 2023 with guest Alec Muffett, discussing online age verification proposals, how they could weaken security and privacy on the internet, and whether these efforts are oafishly trying to solve a societal problem with a technological solution.

“The battle cry of these people have has always been—either directly or mocked as being—’Could somebody think of the children?’” Muffett said. “And I’m thinking about the children because I want my daughter to grow up with an untracked, secure private internet when she’s an adult. I want her to be able to have a private conversation. I want her to be able to browse sites without giving over any information or linking it to her identity.”

Muffett continued:

> “I’m trying to protect that for her. I’d like to see more people grasping for that.”
> 
> Alec Muffett

Tune in today to listen to the full conversation.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 Porn panic imperils privacy online, with Alec Muffett (re-air): Lock and Code S05E08 

A list of topics we covered in the week of April 1 to April 7 of 2024

April 8, 2024 - This week on the Lock and Code podcast, we re-air an episode with guest Alec Muffett about online age verification.

April 7, 2024 - In a recent US Chamber of Commerce poll, small businesses identified cybersecurity as their biggest concern.

April 5, 2024 - Resaerchers found that 90% of websites were in violation of one or more privacy regulations concerning cookie consent.

April 4, 2024 - Jackson County has suffered "significant disruptions within its IT systems," and its offices are closed.

April 3, 2024 - Google has issued patches for 28 security vulnerabilities, including a critical patch for Androids with Qualcomm chips.

 A week in security (April 1 &#8211; April 7) 

In a recent US Chamber of Commerce poll, small businesses identified cybersecurity as their biggest concern.

According to a recent poll by the US Chamber of Commerce, 60% of small businesses are concerned about cybersecurity threats, and 58% are concerned about a supply chain breakdown.

Not surprisingly, small businesses in the professional services sector feel significantly more concerned about cybersecurity threats than those in manufacturing or services, but the poll explains that they also feel more prepared to handle them.

> “The small businesses most concerned about cybersecurity threats include businesses with 20-500 employees (74%) and businesses in the professional services industry (71%). On the other hand, small businesses that are least likely to say they are prepared for cyber threats include businesses in the manufacturing sector (61%), female-owned businesses (68%), and businesses in average health (64%).”

Services businesses are right to be concerned. The most serious cyberthreat faced by organizations is ransomware, and on any given month, in almost any country, the services sector is the one hardest hit by ransomware.

However, while the services sector suffers more attacks than manufacturing, the difference has been steadily narrowing, so that it is almost insignificant

Known ransomware attacks by industry sector, February 2024

Small businesses are not sitting on their hands though. 49% say they have trained staff on cybersecurity measures in the past year, 23% think they are “very prepared” to handle cyberthreats, and 50% feel “somewhat prepared.”

It’s no surprise that small businesses are concerned—they have limited resources, and yet they need to be ready to fight off the same sophisticated criminal gangs as the biggest enterprises.

And, as you can read in our 2024 State of Malware report, cybercriminals continue to evolve their tactics. They like to use social engineering, and vulnerabilities in internet-connected devices and services, rather than old-fashioned malware to infiltrate systems and networks. And once they’ve broken in to a company network, they are increasingly turning to legitimate tools instead of malware to carry out their attacks, a tactic known as living-off-the-land (LOTL)

This requires a different approach and security solutions capable of dealing with these threats.

**We don’t just report on threats—we block and remove them.**

ThreatDown can help small business to be secure. Choose the ThreatDown bundle that’s right for your organization.

 60% of small businesses are concerned about cybersecurity threats 

Resaerchers found that 90% of websites were in violation of one or more privacy regulations concerning cookie consent.

In news that is, sadly, unlikely to shock you, new research indicates that many websites ignore visitors’ choices to refuse cookies and collect their data anyway.

Researchers at the University of Amsterdam (UvA) analyzed 85,000 European websites and came to the conclusion that 90% of them violated at least one privacy regulation.

Image courtesy of UvA

Cookies are bits of data that websites save on your computer when you look at a page, view an image, download a file, or interact with them in any other way. Cookies help websites remember you, which is often useful, particularly if you are logging in to a website, but they can also be used for things that some users don’t like, such as tracking. Tracking cookies are used by marketers to target you with ads that may interest you based on your browsing habits.

Working with researchers from Swiss university ETH Zürich, the team from UvA created a machine-learning tool that allowed them to analyze 100,000 websites. The main goal was to compare what information websites said they would gather with what they actually did. The researchers found an enormous number of privacy violations.

To make the data a bit more insightful, they discriminated between “naive” violations and deliberate violations.

Naive violations are things like not offering a choice to reject cookies (affecting 57% of sites), and forgetting to ask for permission to store cookies (which occurred on 32% of websites visited by Europeans). Forgetting to ask for permission, or making it very hard to reject cookies, is very easy to spot, yet several major website owners have already been fined for violations like this.

But then we enter the realm of deliberate privacy violations. Of the websites that offered visitors a choice, 65% used tracking cookies, even if visitors chose to reject them. In many cases, websites created the cookies even before the visitor had the chance to make their choice.

More than 77% of the websites chose to interpret closing a cookie notification dialog as user consent.

On top of this, many websites also used so-called “dark patterns” to manipulate visitors into making the site’s preferred choice. Dark patterns, also known as deceptive design patterns, occur when a user interface has been crafted to nudge or trick users into doing things they didn’t set out to do.

Dark patterns are not subliminal messaging or visual or auditory stimuli that the conscious mind cannot perceive, although advertisers have been accused of using those as well. It’s more like making the accept button bright and easy to find and the reject button dark, smaller, or harder to read.

The researchers came to the conclusion that the way the cookie consent system is working is far from satisfactory. Small websites don’t have the technical and legal knowledge to comply, and some others are simply choosing to ignore or bend the rules.

And warnings to website owners seem to fall on deaf ears. Since March 31, 2021, when the deadline set for websites and mobile applications to comply with the new rules on cookies expired, the French privacy watchdog Commission Nationale de l’Informatique et des Libertés (CNIL) has adopted nearly 100 corrective measures (orders and sanctions) related to non-compliance with the legislation on cookies.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 Cookie consent choices are just being ignored by some websites 

Threat actors are luring victims to a fake NordVPN website that installs a Remote Access Trojan.

Most of the malicious search ads we have seen have originated from Google, but threat actors are also abusing other search engines. Microsoft Bing is probably the second best target due to its close ties to the Windows ecosystem and Edge browser.

In this blog post, we look at a very recent malvertising campaign impersonating the popular VPN software NordVPN. A malicious advertiser is capturing traffic from Bing searches and redirecting users to a decoy site that looks almost identical to the real one.

The threat actors went ever further by trying to digitally sign a malicious installer and hosting it on Dropbox. Victims will have the impression they are getting NordVPN as it is part of the package, but will also inadvertently install a Remote Access Trojan known as SecTopRAT on their computer.

We have reported the malicious Bing ad to Microsoft, and other parts of the distribution infrastructure to their respective provider. We want to reiterate that NordVPN is a legitimate VPN provider and they are being impersonated by threat actors.

**Fraudulent Bing ad**

When searching for “nord vpn” via the Bing search engine, we identified a malicious ad that impersonates NordVPN. The ad itself looks suspicious because of the URL in the ad snippet. The domain name _nordivpn\[.\]xyz_ was created one day ago (April 3, 2024). It was probably chosen as it looks quite similar to the official name and can deceive users who aren’t looking too closely.

As we often see, the ad URL is simply used as a redirection mechanism to a fake website that is meant to look identical to the one being impersonated. This is true here as well, where we have a redirect to _besthord-vpn\[.\]com_ (note again the spelling chosen with the ‘_h_‘ looking like an ‘_n_‘) which was created today, only a few hours ago.

The website looks incredibly convincing, and victims will be tricked into downloading the app from there. Unlike the legitimate NordVPN that goes through a sign up process, here you can directly download the installer from Dropbox.

Here’s a summary of the traffic flow from the malicious ad to the download link:

**Malware payload**

The downloaded file is called _NordVPNSetup.exe_ and is digitally signed, as if it was from its official vendor; however, the signature is not valid.

The file contains both an installer for NordVPN and a malware payload. The installer for NordVPN is meant to give victims the illusion that they are actually installing a real file.

The payload is injected into _MSBuild.exe_ and will connect to the malware author’s command and control server at 45.141.87\[.\]216 on port 15647.

That network traffic is detected by Emerging Threats as Arechclient2 Backdoor, an alias for SecTopRAT.

**Conclusion**

Malvertising continues to show how easy it is to surreptitiously install malware under the guise of popular software downloads. Threat actors are able to roll out infrastructure quickly and easily to bypass many content filters.

ThreatDown customers who have DNS Filtering can proactively block online ads by enabling the rule for advertisements. This is a simple, and yet powerful way to prevent malvertising across an entire organization or in specific areas.

The malicious ad and related indictors have been reported as we work with industry partners to take down this campaign.

**Indicators of Compromise**

Malicious domains

nordivpn\[.\]xyz  
besthord-vpn\[.\]com

Fake NordVPN installer

e9131d9413f1596b47e86e88dc5b4e4cc70a0a4ec2d39aa8f5a1a5698055adfc

SecTopRAT C2

45.141.87\[.\]216

Source

Malwarebytes