A recent campaign uses SEO poisoning on Bing to distribute a trojanized Ivanti Pulse Secure VPN client. Attackers register lookalike domains that host fake download pages and trick users into installing a malicious MSI file. The trojan reads the client's connectionstore.dat file to steal stored VPN connection credentials, which it exfiltrates to a C2 server hosted on Azure infrastructure. The same technique has previously been linked to Akira ransomware deployments. To evade detection, the attack relies on signed executables and on referrer-based conditional content delivery, serving different content depending on the HTTP Referer of the visitor. Organizations are advised to enforce MFA on VPN access, educate users to download the client only from the vendor's site, and monitor for the indicators listed below and for unexpected access to connectionstore.dat.
Author: AlienVault
Related Tags:
trojanized installer
akira ransomware
T1078.004
T1553.002
T1102.001
T1036.005
T1204.001
T1132.001
T1056.001
Associated Indicators:
6E258DEEC1E176516D180D758044C019
32A5DC3D82D381A63A383BF10DC3E337
shopping5.shop
ivanti-pulsesecure.com
ivanti-secure-access.org
netml.shop
http://shopping5.shop/?file=ivanti
http://netml.shop/get?q=ivanti
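The following is an added example, not part of the pulse, showing how a defender would sweep for the indicators above in two common data sources: a web-proxy log and an EDR file-hash export. The indicator values are copied from the pulse; the log lines and inventory rows are constructed sample data that mimic the chain the pulse describes (a Bing search, a click through to a lookalike domain, then the MSI fetched from the payload host).

```python
"""Hunt for the indicators from the pulse above in web-proxy logs and a
file-hash inventory. Added example, not part of the pulse; the indicator
values are copied from the pulse, while the log lines and inventory rows
are constructed sample data."""
import csv
import io
from urllib.parse import urlsplit

# Indicators copied from the pulse (normalised to lowercase).
MALICIOUS_MD5 = {
    "6e258deec1e176516d180d758044c019",
    "32a5dc3d82d381a63a383bf10dc3e337",
}
MALICIOUS_DOMAINS = {
    "shopping5.shop",
    "ivanti-pulsesecure.com",
    "ivanti-secure-access.org",
    "netml.shop",
}
MALICIOUS_URLS = {
    "http://shopping5.shop/?file=ivanti",
    "http://netml.shop/get?q=ivanti",
}

# Constructed proxy log (space-separated): time client method url referrer status.
# Rows 2 and 3 mimic the chain described in the pulse: a Bing search, a click
# through to a lookalike domain, then the MSI fetched from the payload host.
SAMPLE_PROXY_LOG = """\
2024-06-01T10:00:01Z 10.0.0.5 GET https://www.bing.com/search?q=ivanti+pulse+secure - 200
2024-06-01T10:00:09Z 10.0.0.5 GET https://ivanti-secure-access.org/ https://www.bing.com/ 200
2024-06-01T10:00:15Z 10.0.0.5 GET http://shopping5.shop/?file=ivanti https://ivanti-secure-access.org/ 200
2024-06-01T10:01:00Z 10.0.0.7 GET https://www.ivanti.com/ - 200
"""

# Constructed EDR hash export: hostname,path,md5.
SAMPLE_HASH_INVENTORY = """\
host,path,md5
WS-0042,C:\\Users\\alice\\Downloads\\PulseSecure.msi,6E258DEEC1E176516D180D758044C019
WS-0051,C:\\Users\\bob\\Downloads\\ps-pulse-win.msi,aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
"""


def classify_url(url):
    """Return the indicator matches for one URL: 'url' for an exact payload
    URL, 'domain:<d>' when the host is a listed domain or a subdomain of one.
    The dot-prefixed suffix test keeps e.g. notnetml.shop from matching."""
    reasons = []
    if url.rstrip("/") in {u.rstrip("/") for u in MALICIOUS_URLS}:
        reasons.append("url")
    host = (urlsplit(url).hostname or "").lower()
    for d in MALICIOUS_DOMAINS:
        if host == d or host.endswith("." + d):
            reasons.append("domain:" + d)
            break
    return reasons


def scan_proxy_log(text):
    """Return one hit dict per log line whose URL matches an indicator.
    The referrer is kept because the pulse's lure chain (search engine ->
    lookalike page -> payload host) is visible in it."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, _method, url, referrer, _status = line.split(" ", 5)
        reasons = classify_url(url)
        if reasons:
            hits.append({"client": client, "url": url,
                         "referrer": referrer, "reasons": reasons})
    return hits


def scan_hash_inventory(text):
    """Return (host, path) for every file whose MD5 is a listed hash."""
    reader = csv.DictReader(io.StringIO(text))
    return [(row["host"], row["path"]) for row in reader
            if row["md5"].strip().lower() in MALICIOUS_MD5]


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("proxy hit:", hit)
    for host, path in scan_hash_inventory(SAMPLE_HASH_INVENTORY):
        print("hash hit:", host, path)
```

Two caveats when running this against real data. Hash matching only catches the two known MSI builds; a rebuilt installer will have a different MD5, so the domain and URL matches (and the referrer chain) are the more durable signal. Also, connectionstore.dat is a legitimate Pulse Secure client file, so its presence means nothing; what to look for is an unexpected process reading it followed by an outbound connection to the listed hosts.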