Diving into details
The ad appears completely legitimate at first glance, featuring both the Webex logo and the official website. However, if you click on the menu to the right of the ad, you’ll find additional details that reveal the advertiser to be an individual from Mexico, which is highly unlikely to be associated with Cisco.
- The threat actors take advantage of a weakness in Google Ads known as the tracking template. According to Google, the tracking template is a place where URL tracking information is placed, offering advertisers valuable metrics. Nevertheless, researchers find that it can also be exploited as a filtering and redirection mechanism.
- The MSI installer is equipped with anti-sandbox features and will only run in specific environments. It initiates multiple processes, including PowerShell, and installs BatLoader from a local source. BatLoader, in turn, drops DanaBot.
It should be noted that Webex itself has not been compromised; instead, threat actors are impersonating reputable brands to deploy malware.
Some latest malvertising campaigns
- Days ago, researchers discovered a new malvertising campaign using Microsoft Teams messages to distribute the DarkGate Loader. The campaign started in August.
- A new version of the Atomic macOS Stealer (AMOS) malware, targeting macOS users, was discovered in a malvertising campaign that tricks users searching for software on Google. It was being distributed through cracked software for the TradingView app.
The bottom line
Malvertising remains a persistent threat, primarily targeting corporate users, often exploiting popular search engines like Google. Malware such as BatLoader operate covertly and might evade detection by conventional antivirus programs. An all-encompassing defense strategy, such as pairing EDR with an MDR service, featuring human analysts who analyze suspicious activities, should be implemented.