Zscaler Threat Hunting observed an SEO poisoning campaign on Bing distributing a signed, trojanized Ivanti Pulse Secure MSI to steal VPN credentials and exfiltrate them to a Microsoft Azure-hosted C2. The campaign uses lookalike domains, referrer-based conditional content delivery, and a credential-stealing DLL that targets connectionstore.dat; detected artifacts include the Ivanti-VPN.msi hash 6e258deec1e176516d180d758044c019 and C2 IP 4.239.95.1. #Ivanti-Pulse-Secure #Akira
Keypoints
- Zscaler detected SEO poisoning on Bing that redirects users searching for Ivanti Pulse Secure to attacker-controlled lookalike domains (e.g., ivanti-pulsesecure[.]com, ivanti-secure-access[.]org).
- The attackers serve a trojanized, signed MSI (Ivanti-VPN.msi, MD5 6e258deec1e176516d180d758044c019) that drops malicious DLLs (dwmapi.dll, pulse_extension.dll).
- The malware locates and parses C:ProgramDataPulse SecureConnectionStoreconnectionstore.dat to extract saved VPN server URIs and combines them with hardcoded credentials for exfiltration.
- Exfiltration is performed via an HTTP POST to a hardcoded C2 at 4.239.95.1:8080 (Microsoft Azure IP range) using the path /income_shit after an XOR-based handshake routine.
- Conditional content delivery based on the HTTP Referrer (Bing) makes the landing page appear benign when visited directly, evading detection and analysis.
- This initial access technique has historically been used to enable reconnaissance, lateral movement, and eventual ransomware deployment (linked to Akira ransomware in prior incidents).
- Zscaler provides detections (Win32_PWS_Agent) and recommends isolation, MFA enforcement, log hunting for outbound connections to 4.239.95.1:8080, domain/URL controls, and user education.
MITRE Techniques
- [T1593] Search Engine Optimization (SEO) Poisoning β Threat actors poisoned Bing search results to surface malicious lookalike domains that lead users to download a trojanized installer. Quote: βThe attack begins when a user searches for keywords such as βIvanti Pulse Secure Downloadβ on a search engine.β
- [T1204] User Execution β Malicious MSI requires user to download and execute the trojanized Ivanti-VPN.msi to deploy payload. Quote: βWhen the MSI is executed, it drops several files, including recently modified malicious DLLs named dwmapi.dll and pulse_extension.dll.β
- [T1036] Masquerading β Use of lookalike domains and a convincing replica of the official download page to impersonate Ivanti. Quote: βthe user is directed to a threat actor-controlled website designed to impersonate the official Ivanti Pulse Secure download page.β
- [T1078] Valid Accounts (credential theft) β Malware extracts saved VPN URIs and combines them with hardcoded credentials to steal access used for later access. Quote: βThe malware constructs a data string that includes the extracted URI along with a hardcoded username and password.β
- [T1573] Encrypted/Obfuscated Channel (obfuscation) β Malware uses an XOR-based deobfuscation routine as part of the handshake before sending data to the C2. Quote: βBefore sending the data, the malware performs a simple XOR-based deobfuscation routine during its handshake with the server.β
- [T1090] Proxy/Server (C2 over legitimate infrastructure) β C2 hosted on Microsoft Azure IP to blend with trusted infrastructure (Living off the Land/Tactics). Quote: βIt establishes a network connection to a hardcoded C2 server at IP address 4.239.95.1 on port 8080. This IP address is part of the Microsoft Azure range.β
Indicators of Compromise
- [File Hash ] trojanized MSI β 6e258deec1e176516d180d758044c019, 32a5dc3d82d381a63a383bf10dc3e337
- [Filename ] malicious installer β Ivanti-VPN.msi
- [IP Address ] C2 server β 4.239.95.1 (listening on port 8080)
- [Domain ] download/hosting domains β netml[.]shop, shopping5[.]shop (used to serve the MSI)
- [Domain ] lookalike phishing domains β ivanti-pulsesecure[.]com, ivanti-secure-access[.]org
- [URL/Path ] download and exfiltration paths β netml[.]shop/get?q=ivanti, shopping5[.]shop/?file=ivanti, C2 path /income_shit
Read more: https://www.zscaler.com/blogs/security-research/spoofed-ivanti-vpn-client-sites