In February 2023, Microsoft unveiled its latest innovation, Bing Chat, a revolutionary AI-powered search engine developed in collaboration with OpenAI’s GPT-4. Despite Google’s long-standing dominance in the search industry, this launch garnered substantial attention, sparking discussions about potential shifts in the future landscape.
Given that tech giants primarily rely on advertising for revenue, Microsoft’s decision to incorporate ads into Bing Chat shortly after its debut was not unexpected. However, online advertisements come with inherent risks. In this article, we delve into how individuals searching for software downloads can inadvertently expose themselves to malicious websites and unwittingly install malware through Bing Chat conversations.
The World of Malvertising Through Bing Chat
Bing Chat is a dynamic text and image-based application that offers a unique online search experience. After just six months of being made available to the public, Microsoft celebrated the remarkable achievement of engaging users in over one billion chat interactions.
Ads can enter Bing Chat conversations in several ways. One notable method displays an ad when a user hovers the cursor over a link, placing it ahead of the organic search results. In the following example, we asked where to download a program called Advanced IP Scanner, a tool commonly used by network administrators. As we placed the cursor over the first sentence, a dialog box appeared showing an advertisement, with the official program website listed just below it:
Users are presented with the option to visit either of the two links, though the initial link might have a higher likelihood of being clicked due to its prominent position. Despite the presence of a small ‘Ad’ label next to this link, it could easily be overlooked, leading users to perceive it as a regular search result.
Phishing Site Distributing Malware
Upon clicking the first link, users are redirected to a website (mynetfoldersip[.]cfd) designed to filter incoming traffic and distinguish genuine users from bots, sandboxes, or security researchers. This is accomplished by scrutinizing factors such as the user’s IP address, time zone, and various system settings, including web rendering characteristics that can identify virtual machines.
Visitors judged to be genuine human users are redirected a second time, to a counterfeit website (advenced-ip-scanner[.]com) that closely mimics the official site; everyone else is sent to a decoy page. The next critical step is the victim downloading what appears to be an installer and executing it.
Within the MSI installer are three distinct files, but only one of them is malicious: a heavily obfuscated script.
Upon execution, the script establishes a connection with an external IP address (65.21.119[.]59), presumably for the purpose of announcing its presence and potentially receiving an additional payload.
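The redirect chain above (a filtering domain, then a lookalike of the official site) and the script's outbound connection leave traces in web proxy or DNS logs. The following is an added defensive example, not code from the article or from Malwarebytes: it refangs the three indicators the article quotes, scans proxy log lines for them, and separately flags hosts whose registrable label sits within a small edit distance of a protected download domain, which catches typo-lookalikes such as "advenced" for "advanced" even when the exact domain is not yet on an indicator list. The log lines are constructed for the example, and the official domain advanced-ip-scanner.com is an assumption (the article does not name it).

```python
import re
from urllib.parse import urlsplit

# Indicators quoted in the article, kept defanged here and refanged before matching.
ARTICLE_IOCS = [
    "mynetfoldersip[.]cfd",       # traffic-filtering redirector
    "advenced-ip-scanner[.]com",  # lookalike of the official site
    "65.21.119[.]59",             # address the obfuscated script contacts
]

# Assumption: official download domains worth protecting against lookalikes.
# The article does not name the official site; this value is assumed.
LEGIT_DOWNLOAD_DOMAINS = ["advanced-ip-scanner.com"]

# Constructed proxy log lines: timestamp, client, method, target, status.
SAMPLE_LOG = """\
2023-09-28T10:12:01Z 10.0.0.15 GET https://www.bing.com/search?q=advanced+ip+scanner 200
2023-09-28T10:12:05Z 10.0.0.15 GET https://mynetfoldersip.cfd/ 302
2023-09-28T10:12:06Z 10.0.0.15 GET https://advenced-ip-scanner.com/download/ 200
2023-09-28T10:12:40Z 10.0.0.15 CONNECT 65.21.119.59:443 200
2023-09-28T10:13:02Z 10.0.0.22 GET https://www.advanced-ip-scanner.com/download/ 200
2023-09-28T10:14:11Z 10.0.0.31 GET https://advanced-ip-scaner.example/setup.msi 200
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]') back into a matchable host string."""
    return indicator.replace("[.]", ".")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(host: str) -> str:
    """Label left of the top-level domain, with a leading 'www.' removed.
    Naive on purpose: assumes a single-label suffix, which holds for the hosts here."""
    host = host.lower()
    if host.startswith("www."):
        host = host[4:]
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def lookalike_of(host: str):
    """Return (protected_domain, distance) when host is a near-miss of a protected
    domain's label (edit distance <= 2) but is not that domain itself, else None."""
    host = host.lower()
    label = registrable_label(host)
    for legit in LEGIT_DOWNLOAD_DOMAINS:
        if host == legit or host == "www." + legit:
            return None
        distance = levenshtein(label, registrable_label(legit))
        if distance <= 2:
            return legit, distance
    return None


def host_of(target: str) -> str:
    """Extract the host from a URL or from a CONNECT 'host:port' target."""
    if "://" in target:
        return (urlsplit(target).hostname or "").lower()
    return target.rsplit(":", 1)[0].lower()


def analyze(log_text: str) -> list:
    """Scan proxy log lines; report known indicators first, then lookalike domains."""
    iocs = {refang(i) for i in ARTICLE_IOCS}
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        ts, client, _method, target, _status = m.groups()
        host = host_of(target)
        if host in iocs:
            findings.append({"time": ts, "client": client, "host": host,
                             "reason": "known indicator"})
            continue
        hit = lookalike_of(host)
        if hit:
            legit, distance = hit
            findings.append({"time": ts, "client": client, "host": host,
                             "reason": f"lookalike of {legit} (edit distance {distance})"})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(f"{finding['time']} {finding['client']} -> {finding['host']}: {finding['reason']}")
```

The indicator match is exact and only as good as the list; the edit-distance check is what surfaces the "advenced" variant and any sibling typo domain before it is known. Keep the distance threshold small (2 here), because short labels produce false positives quickly, and treat the result as a triage queue to verify the download source rather than an automatic block.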
The Evolution of Search and the Persistent Malicious Ad Trend
Threat actors persist in exploiting search ads to redirect users to websites hosting malicious software. While Bing Chat offers a unique search experience, it also displays some of the same ads that users encounter during a conventional Bing search.
In this specific instance, a malicious actor compromised the advertising account of a legitimate Australian business, creating two malicious ads. One of these ads targeted network administrators searching for an “Advanced IP Scanner,” while the other focused on lawyers looking for a “MyCase law manager”:
Regrettably, Malwarebytes was unable to uncover the ultimate payload for this malware campaign, leaving the nature of the installed malware unclear.
Nevertheless, in analogous campaigns, threat actors typically disseminate information-stealing malware or remote access trojans, affording them the capability to breach additional accounts or corporate networks.
The presence of malicious advertising within Bing Chat conversations underscores the ever-expanding landscape of cyber threats. It also shows why users should treat chatbot results with caution and verify URLs carefully before proceeding with any download.