Date: 01/23/2025
Severity: Medium
Summary
"Malicious Ads on Bing Search Lead to Malware" describes a campaign in which sponsored Bing search results redirect users to fake download pages, such as a counterfeit Microsoft Teams site. The activity was observed and replicated on January 22, 2025; additional ads led to pages impersonating other software. The ads are short-lived and use freshly registered domains such as burleson-appliance[.]net, registered on January 20, 2025. The files involved are typically not malicious on their own and depend on the other stages of the chain for a successful infection, so detonating or scanning any one of them in isolation may show no malicious behavior. IP addresses and domains rotate frequently; the indicators below are a snapshot taken on January 22, 2025, at 21:37 UTC.
Indicators of Compromise (IOC) List
URL/Domain |
https://www.bing.com/aclk?ld=e8PH8aLxSiJxjw4Si9lgLztzVUCUwCJ7LeV4z4DsU61Sx3HWK9X1fxNGVCWc4jKyspIeWPFeqVejCDavG1lRWD4Ukf127WLw1hUPnGntv_1Y1z30t5JNXJyKZ986BV2aP3kDwSnS0DDaXYX4hQcab6syHfzjtxZLUNJD5oG8MEhJwV-_N_vpfcrfaGeRQCbjbYwL3zeQ&u=aHR0cHMlM2ElMmYlMmZtaWNyb3NvZnQtdGVhbXMtZG93bmxvYWQuYnVybGVzb24tYXBwbGlhbmNlLm5ldCUzZm1zY2xraWQlM2Q5ZTYxNDgwMjZjMzIxNTJlM2ZkYzJmOTMwZDQ5MjNiYw&rlid=9e6148026c32152e3fdc2f930d4923bc&ntb=1
https://microsoft-teams-download.burleson-appliance.net/?msclkid=9e6148026c32152e3fdc2f930d4923bc
http://5.252.153.241/api/file/get-file/264872
http://5.252.153.241/api/file/get-file/29842.ps1
http://5.252.153.241/8182020
http://5.252.153.241/api/file/get-file/TeamViewer
http://5.252.153.241/api/file/get-file/Teamviewer_Resource_fr
http://5.252.153.241/api/file/get-file/TV
http://5.252.153.241/api/file/get-file/pas.ps1
http://5.252.153.241/8182020?k=message%20=%20startup%20shortcut%20created;%20%20status%20=%20success;
http://5.252.153.241/8182020?k=script:%20RunRH,%20status:%20OK,%20message:%20PS%20process%20started
https://microsoft.teams-live.com/en/index.html?msclkid=9e6148026c32152e3fdc2f930d4923bc
https://microsoft.teams-live.com/en/download.php |
IP Address |
45.125.66.32
82.221.136.26 |
Hash |
4bed34b1cd5663a5a857b3bbf81cc5413c61cb561e9a90067b57da08b01ae70b
a833f27c2bb4cad31344e70386c44b5c221f031d7cd2f2a6b8601919e790161e
9634ecaf469149379bba80a745f53d823948c41ce4e347860701cbdff6935192
904280f20d697d876ab90a1b74c0f22a83b859e8b0519cb411fda26f1642f53e
3448da03808f24568e6181011f8521c0713ea6160efd05bff20c43b091ff59f7
fd045fcede68ce2fda2531a9dd28f407aab0f29b3dd3c86e017172abee93386c |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 | userdomainname like "https://www.bing.com/aclk?ld=e8PH8aLxSiJxjw4Si9lgLztzVUCUwCJ7LeV4z4DsU61Sx3HWK9X1fxNGVCWc4jKyspIeWPFeqVejCDavG1lRWD4Ukf127WLw1hUPnGntv_1Y1z30t5JNXJyKZ986BV2aP3kDwSnS0DDaXYX4hQcab6syHfzjtxZLUNJD5oG8MEhJwV-_N_vpfcrfaGeRQCbjbYwL3zeQ&u=aHR0cHMlM2ElMmYlMmZtaWNyb3NvZnQtdGVhbXMtZG93bmxvYWQuYnVybGVzb24tYXBwbGlhbmNlLm5ldCUzZm1zY2xraWQlM2Q5ZTYxNDgwMjZjMzIxNTJlM2ZkYzJmOTMwZDQ5MjNiYw&rlid=9e6148026c32152e3fdc2f930d4923bc&ntb=1" or url like "https://www.bing.com/aclk?ld=e8PH8aLxSiJxjw4Si9lgLztzVUCUwCJ7LeV4z4DsU61Sx3HWK9X1fxNGVCWc4jKyspIeWPFeqVejCDavG1lRWD4Ukf127WLw1hUPnGntv_1Y1z30t5JNXJyKZ986BV2aP3kDwSnS0DDaXYX4hQcab6syHfzjtxZLUNJD5oG8MEhJwV-_N_vpfcrfaGeRQCbjbYwL3zeQ&u=aHR0cHMlM2ElMmYlMmZtaWNyb3NvZnQtdGVhbXMtZG93bmxvYWQuYnVybGVzb24tYXBwbGlhbmNlLm5ldCUzZm1zY2xraWQlM2Q5ZTYxNDgwMjZjMzIxNTJlM2ZkYzJmOTMwZDQ5MjNiYw&rlid=9e6148026c32152e3fdc2f930d4923bc&ntb=1" or userdomainname like "https://microsoft-teams-download.burleson-appliance.net/?msclkid=9e6148026c32152e3fdc2f930d4923bc" or url like "https://microsoft-teams-download.burleson-appliance.net/?msclkid=9e6148026c32152e3fdc2f930d4923bc" or userdomainname like "http://5.252.153.241/api/file/get-file/264872" or url like "http://5.252.153.241/api/file/get-file/264872" or userdomainname like "http://5.252.153.241/api/file/get-file/29842.ps1" or url like "http://5.252.153.241/api/file/get-file/29842.ps1" or userdomainname like "http://5.252.153.241/8182020" or url like "http://5.252.153.241/8182020" or userdomainname like "http://5.252.153.241/api/file/get-file/TeamViewer" or url like "http://5.252.153.241/api/file/get-file/TeamViewer" or userdomainname like "http://5.252.153.241/api/file/get-file/Teamviewer_Resource_fr" or url like "http://5.252.153.241/api/file/get-file/Teamviewer_Resource_fr" or userdomainname like "http://5.252.153.241/api/file/get-file/TV" or url like "http://5.252.153.241/api/file/get-file/TV" or userdomainname like "http://5.252.153.241/api/file/get-file/pas.ps1" or url like "http://5.252.153.241/api/file/get-file/pas.ps1" or userdomainname like "http://5.252.153.241/8182020?k=message%20=%20startup%20shortcut%20created;%20%20status%20=%20success;" or url like "http://5.252.153.241/8182020?k=message%20=%20startup%20shortcut%20created;%20%20status%20=%20success;" or userdomainname like "http://5.252.153.241/8182020?k=script:%20RunRH,%20status:%20OK,%20message:%20PS%20process%20started" or url like "http://5.252.153.241/8182020?k=script:%20RunRH,%20status:%20OK,%20message:%20PS%20process%20started" or userdomainname like "https://microsoft.teams-live.com/en/index.html?msclkid=9e6148026c32152e3fdc2f930d4923bc" or url like "https://microsoft.teams-live.com/en/index.html?msclkid=9e6148026c32152e3fdc2f930d4923bc" or userdomainname like "https://microsoft.teams-live.com/en/download.php" or url like "https://microsoft.teams-live.com/en/download.php" |
Detection Query 2 | dstipaddress IN ("45.125.66.32","82.221.136.26") or ipaddress IN ("45.125.66.32","82.221.136.26") or publicipaddress IN ("45.125.66.32","82.221.136.26") or srcipaddress IN ("45.125.66.32","82.221.136.26") |
Detection Query 3 | sha256hash IN ("3448da03808f24568e6181011f8521c0713ea6160efd05bff20c43b091ff59f7","fd045fcede68ce2fda2531a9dd28f407aab0f29b3dd3c86e017172abee93386c","4bed34b1cd5663a5a857b3bbf81cc5413c61cb561e9a90067b57da08b01ae70b","a833f27c2bb4cad31344e70386c44b5c221f031d7cd2f2a6b8601919e790161e","9634ecaf469149379bba80a745f53d823948c41ce4e347860701cbdff6935192","904280f20d697d876ab90a1b74c0f22a83b859e8b0519cb411fda26f1642f53e") |
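The queries above match the listed URLs as whole strings. Two of them carry an msclkid value, which is Bing's per-click ad identifier, so a whole-URL match only catches the one click the analyst recorded; likewise the first indicator is a www.bing.com/aclk redirect whose u= parameter is the base64-encoded, percent-encoded landing page, and the stager host 5.252.153.241 appears only inside URLs, not in the IP list. The Python below is an added example, not Gurucul's or Unit42's code: it derives host, host+path and address indicators from the page's IOCs, decodes the Bing redirect to judge the landing page rather than bing.com, and runs every indicator class over a constructed key=value log sample. The log format, the sample lines, the documentation-range addresses, the file name on the EDR line, and the decision to treat the registrable domains burleson-appliance.net and teams-live.com as indicators are all assumptions made for the example.

```python
"""Offline IOC matching for the campaign above, run over constructed log lines."""
import base64
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Indicators copied from the IOC list on this page (the Bing click URL is a redirect and is decoded separately).
IOC_URLS = [
    "https://microsoft-teams-download.burleson-appliance.net/?msclkid=9e6148026c32152e3fdc2f930d4923bc",
    "http://5.252.153.241/api/file/get-file/264872",
    "http://5.252.153.241/api/file/get-file/29842.ps1",
    "http://5.252.153.241/8182020",
    "http://5.252.153.241/api/file/get-file/TeamViewer",
    "http://5.252.153.241/api/file/get-file/Teamviewer_Resource_fr",
    "http://5.252.153.241/api/file/get-file/TV",
    "http://5.252.153.241/api/file/get-file/pas.ps1",
    "https://microsoft.teams-live.com/en/index.html?msclkid=9e6148026c32152e3fdc2f930d4923bc",
    "https://microsoft.teams-live.com/en/download.php",
]
IOC_IPS = {"45.125.66.32", "82.221.136.26"}
IOC_SHA256 = {
    "4bed34b1cd5663a5a857b3bbf81cc5413c61cb561e9a90067b57da08b01ae70b",
    "a833f27c2bb4cad31344e70386c44b5c221f031d7cd2f2a6b8601919e790161e",
    "9634ecaf469149379bba80a745f53d823948c41ce4e347860701cbdff6935192",
    "904280f20d697d876ab90a1b74c0f22a83b859e8b0519cb411fda26f1642f53e",
    "3448da03808f24568e6181011f8521c0713ea6160efd05bff20c43b091ff59f7",
    "fd045fcede68ce2fda2531a9dd28f407aab0f29b3dd3c86e017172abee93386c",
}
# Analyst choice (assumption, not from the page): any subdomain or path on these registrable domains matches.
IOC_DOMAINS = {"burleson-appliance.net", "teams-live.com"}

# Host and host+path indicators derived from the URLs. The query string is dropped on purpose:
# msclkid is Bing's per-click ad ID, so a whole-URL match only catches the single recorded click.
IOC_HOSTS = {urlsplit(u).hostname for u in IOC_URLS}
IOC_HOST_PATHS = {(urlsplit(u).hostname, urlsplit(u).path or "/") for u in IOC_URLS}
# 5.252.153.241 serves the stagers and beacons but is absent from the IP list: fold IP-literal hosts in.
IOC_ADDRESSES = IOC_IPS | {h for h in IOC_HOSTS if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", h)}


def bing_ad_destination(url):
    """Landing URL inside a www.bing.com/aclk redirect (u= is unpadded base64 of a percent-encoded URL), else None."""
    p = urlsplit(url)
    if p.hostname != "www.bing.com" or p.path != "/aclk":
        return None
    u = parse_qs(p.query).get("u")
    if not u:
        return None
    try:
        raw = base64.urlsafe_b64decode(u[0] + "=" * (-len(u[0]) % 4))
    except ValueError:
        return None
    return unquote(raw.decode("utf-8", "replace"))


def url_indicators(url):
    """Indicator classes a URL trips (host, ip, url_path); 'via_bing_ad:' prefix when found behind an ad redirect."""
    dest = bing_ad_destination(url)
    if dest:  # judge the landing page, not bing.com, or every Bing ad click would fire
        return {"via_bing_ad:" + k for k in url_indicators(dest)}
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    hits = set()
    if host in IOC_HOSTS or any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
        hits.add("host")
    if host in IOC_ADDRESSES:
        hits.add("ip")
    if (host, p.path or "/") in IOC_HOST_PATHS:
        hits.add("url_path")
    return hits


_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key=value, value optionally double-quoted


def parse_line(line):
    """Parse one line of the constructed key=value log format into a dict."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in _KV.finditer(line)}


def scan(lines):
    """Apply every IOC class to each line; returns (line_no, field, indicator) hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if "url" in rec:
            hits += [(n, "url", k) for k in sorted(url_indicators(rec["url"]))]
        hits += [(n, f, "ip") for f in ("src", "dst") if rec.get(f) in IOC_ADDRESSES]
        if rec.get("sha256", "").lower() in IOC_SHA256:
            hits.append((n, "sha256", "hash"))
    return hits


BING_CLICK_URL = "https://www.bing.com/aclk?ld=e8PH8aLxSiJxjw4Si9lgLztzVUCUwCJ7LeV4z4DsU61Sx3HWK9X1fxNGVCWc4jKyspIeWPFeqVejCDavG1lRWD4Ukf127WLw1hUPnGntv_1Y1z30t5JNXJyKZ986BV2aP3kDwSnS0DDaXYX4hQcab6syHfzjtxZLUNJD5oG8MEhJwV-_N_vpfcrfaGeRQCbjbYwL3zeQ&u=aHR0cHMlM2ElMmYlMmZtaWNyb3NvZnQtdGVhbXMtZG93bmxvYWQuYnVybGVzb24tYXBwbGlhbmNlLm5ldCUzZm1zY2xraWQlM2Q5ZTYxNDgwMjZjMzIxNTJlM2ZkYzJmOTMwZDQ5MjNiYw&rlid=9e6148026c32152e3fdc2f930d4923bc&ntb=1"
# Constructed sample log: non-IOC addresses use documentation ranges; the EDR file name is invented;
# line 2 is the lure host with a different msclkid and line 4 a beacon with a status the page does not list.
SAMPLE_LOG = [
    f'ts=2025-01-22T21:30:01Z type=proxy src=10.1.2.3 dst=198.51.100.1 url="{BING_CLICK_URL}"',
    'ts=2025-01-22T21:31:10Z type=proxy src=10.1.2.3 dst=198.51.100.2 url="https://microsoft-teams-download.burleson-appliance.net/?msclkid=0123456789abcdef0123456789abcdef"',
    'ts=2025-01-22T21:32:05Z type=proxy src=10.1.2.3 dst=5.252.153.241 url="http://5.252.153.241/api/file/get-file/pas.ps1"',
    'ts=2025-01-22T21:32:40Z type=proxy src=10.1.2.3 dst=5.252.153.241 url="http://5.252.153.241/8182020?k=script:%20RunRH,%20status:%20FAIL"',
    'ts=2025-01-22T21:33:00Z type=proxy src=10.1.2.4 dst=198.51.100.3 url="https://www.microsoft.com/en-us/microsoft-teams/download-app"',
    'ts=2025-01-22T21:34:00Z type=flow src=10.1.2.5 dst=82.221.136.26 dport=443',
    'ts=2025-01-22T21:35:00Z type=edr host=WS01 path="C:\\Users\\jdoe\\Downloads\\MSTeamsSetup.exe" sha256=4BED34B1CD5663A5A857B3BBF81CC5413C61CB561E9A90067B57DA08B01AE70B',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Running the block prints one tuple per hit: the Bing click resolves to the lure host behind the redirect, line 2 fires on host and path despite its different msclkid, line 3 fires on the URL and on the destination address even though 5.252.153.241 is not in the IP list, the benign Microsoft download page on line 5 produces nothing, and the upper-case hash on line 7 still matches because hashes are normalised before lookup.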
Reference:
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-01-22-IOCs-for-malware-from-fake-Microsoft-Teams-site.txt