Malvertising via a Bing Chat conversation<\/h2>\n
Bing Chat is an interactive text and image application that provides a very different experience for online searches. After six months of it being public, Microsoft celebrated<\/a> user engagement with over one billion chats.<\/p>\n Ads can be inserted into a Bing Chat conversation in various ways. One of those is when a user hovers over a link and an ad is displayed first before the organic result. In the example below, we asked where we could download a program called Advanced IP Scanner used by network administrators. When we place our cursor over the first sentence, a dialog appears showing an ad and the official website for this program right below it:<\/p>\n Users have the choice of visiting either link, although the first one may be more likely to be clicked on because of its position. Even though there is a small ‘Ad’ label next to this link, it would be easy to miss and view the link as a regular search result.<\/p>\n Upon clicking the first link, users are taken to a website (mynetfoldersip[.]cfd<\/em>) whose purpose is to filter traffic and separate real victims from bots, sandboxes, or security researchers. It does that by checking your IP address, time zone, and various other system settings such as web rendering that identifies virtual machines.<\/p>\n Real humans are redirected to a fake site (advenced-ip-scanner[.]com<\/em>) that mimics the official one while others are sent to a decoy page. The next step is for victims to download the supposed installer and run it.<\/p>\n The MSI installer contains three different files but only one is malicious and is a heavily obfuscated script:<\/p>\n Upon execution, the script reaches out to an external IP address (65.21.119[.]59<\/em>) presumably to announce itself and receive an additional payload.<\/p>\n Threat actors continue to leverage search ads to redirect users to malicious sites hosting malware. While Bing Chat is a different search experience, it serves some of the same ads seen via a traditional Bing query.<\/p>\n In this case, the malicious actor hacked into the ad account of a legitimate Australian business and created two malicious ads, one targeting network admins (Advanced IP Scanner) and another lawyers (MyCase law manager):<\/p>\n With convincing landing pages, victims can easily be tricked into downloading malware and be none the wiser.<\/p>\n We recommend users pay particular attention to the websites they visit but also use a number of security tools to get additional protection. Malwarebytes provides security software for both consumers<\/a> and businesses<\/a> that includes web protection, ad blocking and malware detection.<\/p>\n This security incident was reported to Microsoft along with a few other related malicious ads.<\/p>\n Ad URL and cloaker<\/p>\n Fake website<\/p>\n Malicious MSI<\/p>\n Script C2<\/p>\n Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.<\/p>\n TRY NOW<\/a><\/p>\n https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"![\"\"](\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/09\/easset_upload_file62622_283930_e.png\")
<\/p>\nPhishing site serves malware<\/h2>\n
![\"\"](\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/09\/easset_upload_file40470_283930_e.png\")
<\/p>\n![\"\"](\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/09\/easset_upload_file8823_283930_e.png\")
<\/p>\nSearch evolves, malicious ads follow<\/h2>\n
![\"\"](\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/09\/easset_upload_file64907_283930_e.png\")
<\/p>\nIndicators of Compromise<\/h2>\n
mynetfoldersip[.]cfd<\/pre>\n
advenced-ip-scanner[.]com<\/pre>\n
ca83b930c2b34a167a39dc04c7917b9f360a95586bce45842868af6b9ad849a2<\/pre>\n
65.21.119[.]59<\/pre>\n
\n