Attackers exploited Bing Chat ads to push users toward malware-laden sites, combining malvertising with phishing-style landing pages. The campaign used a malicious MSI installer and a remote C2 to deliver and fetch payloads after users attempted to download software, illustrating a multi-step delivery chain within a chat-based search experience. Hashtags: #BingChat #Malvertising #AdvancedIPScanner #MyCase #65.21.119.59
Keypoints
- Bing Chat ads can appear in-line and may display an ad before organic results when users hover over links.
- An attacker hijacked a legitimate Australian business's ad account to create two malicious ads: one targeting Advanced IP Scanner and one targeting MyCase (software for lawyers).
- Clicking the first link redirects to a phishing site designed to filter victims and direct them to fake or decoy pages.
- Real humans are redirected to a fake site that imitates the official software while others see a decoy page.
- The MSI installer includes three files, only one of which is malicious and is heavily obfuscated.
- The malicious MSI script reaches out to an external IP (65.21.119[.]59) to announce itself and receive a payload.
- Threat actors continue using search ads to funnel users to malicious sites hosting malware.
MITRE Techniques
- [T1189] Drive-by Compromise: "Ads can be inserted into a Bing Chat conversation in various ways. One of those is when a user hovers over a link and an ad is displayed first before the organic result."
- [T1566.002] Phishing: Spearphishing Link: "Upon clicking the first link, users are taken to a website (mynetfoldersip[.]cfd) whose purpose is to filter traffic and separate real victims from bots, sandboxes, or security researchers."
- [T1027] Obfuscated/Compressed Files: "The MSI installer contains three different files but only one is malicious and is a heavily obfuscated script."
- [T1105] Ingress Tool Transfer: The malicious script reaches out to an external IP address (65.21.119[.]59), presumably to announce itself and receive an additional payload. "Upon execution, the script reaches out to an external IP address (65.21.119[.]59) presumably to announce itself and receive an additional payload."
- [T1071.001] Web Protocols: The script communicates with a remote IP to receive an additional payload, indicating C2 activity over web protocols.
Indicators of Compromise
- [Domain] Ad landing and phishing domains: mynetfoldersip[.]cfd, advenced-ip-scanner[.]com
- [IP] Command-and-control or download beacon: 65.21.119[.]59
- [Hash] Malicious MSI file hash: ca83b930c2b34a167a39dc04c7917b9f360a95586bce45842868af6b9ad849a2
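As an added detection example (not part of the original report), the script below refangs the indicators listed above, matches them as whole hosts against constructed proxy log lines in an assumed `<epoch> <client_ip> <method> <url> <status>` format, flags the MSI download step of the chain, and compares a downloaded installer against the reported SHA-256.

```python
import hashlib
import re
from typing import Iterable

# Indicators copied from the report above, kept defanged here and refanged at runtime.
DEFANGED_HOSTS = ["mynetfoldersip[.]cfd", "advenced-ip-scanner[.]com", "65.21.119[.]59"]
MSI_SHA256 = "ca83b930c2b34a167a39dc04c7917b9f360a95586bce45842868af6b9ad849a2"


def refang(indicator: str) -> str:
    """Turn the defanged form used in reports back into a matchable host."""
    return indicator.replace("[.]", ".")


# Anchor on host boundaries so that 165.21.119.59 or a longer name does not match.
_HOST_RE = re.compile(
    r"(?<![\w.-])(?:" + "|".join(re.escape(refang(h)) for h in DEFANGED_HOSTS) + r")(?![\w.-])"
)


def scan_proxy_log(lines: Iterable[str]) -> list[dict]:
    """Flag lines whose URL contacts a reported host.
    Assumed (constructed) log format: '<epoch> <client_ip> <method> <url> <status>'."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:
            continue  # skip blank or malformed lines
        client, url = fields[1], fields[3]
        m = _HOST_RE.search(url)
        if m:
            hits.append({
                "line": n,
                "client": client,
                "indicator": m.group(0),
                # the report's chain ends in an MSI download from the look-alike site
                "msi_download": url.lower().split("?")[0].endswith(".msi"),
            })
    return hits


def matches_reported_msi(data: bytes) -> bool:
    """True if a downloaded installer has the SHA-256 the report attributes to the malicious MSI."""
    return hashlib.sha256(data).hexdigest() == MSI_SHA256


# Constructed sample: client 10.0.0.5 follows the ad chain; client 10.0.0.9 hits an
# unrelated IP that merely contains the reported one as a substring.
SAMPLE_LOG = """\
1695900001 10.0.0.5 GET http://www.bing.com/search?q=advanced+ip+scanner 200
1695900004 10.0.0.5 GET http://mynetfoldersip.cfd/ 302
1695900005 10.0.0.5 GET https://advenced-ip-scanner.com/download/Advanced_IP_Scanner.msi 200
1695900009 10.0.0.5 POST http://65.21.119.59/ 200
1695900020 10.0.0.9 GET http://165.21.119.59/ 200
""".splitlines()

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```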