Google Ads are once again being used to spread malware, this time under the guise of an official Cisco Webex download portal.
The ads for the video conferencing software appear very real, but they only redirect victims to sites that contain the BatLoader and DanaBot malware.
Security firm Malwarebytes found that the campaign was ongoing for a week and appears to be the work of attackers based in Mexico. The malicious ad was ranking in the top spot on Google for the search term "Webex".
Bad Webex
The advertisement is so compelling as it uses the real Webex logo and URL, webex.com, as the link. It makes use of an exploit in tracking templates that allows threat actors to redirect links to wherever they want.
Even though Google requires that the URL displayed by an ad must belong to the same domain as the final URL destination that a user is taken to, the tracking template can be used to redirect users to a different URL.
The threat actors in this campaign used the malicious "trixwe.page.link" link in the tracking template, while the final URL was listed as "webex.com". So users who clicked saw the latter, but were sent to the former.
What's more, the bad link appears to block visits that come from security researchers or crawlers. For users that the actors actually want to target, they are sent to a further site where more checks are conducted to make sure again they are not researchers using a sandbox environment.
Finally, users that they want to victimize will be sent to the site "webexadvertisingoffer[.]com" that deploys the malware, whereas those that are filtered out will be redirected to the legitimate Webex site.
On the fake page, there are download links ostensibly for Webex which, if clicked, will trigger the installation of BatLoader. This will then lead to the execution of the DanaBot malware, a banking trojan from 2018 that can steal passwords, take screenshots, load ransomware modules, hide bad C2 traffic and use HVNC to give remote access.
It is always best practice when downloading software to ignore promoted search results on Google and go direct to a trusted source, such as the vendor's own site. Google has since told BleepingComputer that it has, "taken appropriate action against the associated accounts" in this case.
