In a recent malvertising campaign, threat actors exploited a Google Ads tracking template loophole to distribute BatLoader malware through deceptive Webex software search ads. These ads closely mimicked the official Webex download portal, even ranking as the top search result for “webex,” making them challenging to distinguish from genuine Cisco ads.Acronis Cyber Protect uses URL Filtering to block access to malicious sites and blocks any malicious payload downloaded with its included AI-based and behavioral detection engine.
Fake Cisco Webex Google Ads Abuse Tracking Templates to Push Malware
In a recent malvertising campaign, threat actors have exploited a Google Ads tracking template loophole to distribute the BatLoader malware through deceptive Webex software search ads. These ads, impersonating the official Webex download portal, even rank as the top search result for the “webex” query, utilizing the real Webex logo and “webex.com” URL, making them difficult to distinguish from genuine Cisco advertisements.
The attackers employed a Firebase URL tracking template to redirect users while complying with Google’s policies, filtering out researchers and automated crawlers. Clicking the ad redirects potential victims to “monoo3at[.]com,” while others land on Cisco’s legitimate “webex.com” site.
Visitors who download the fake Webex software receive an MSI installer that initiates multiple processes and runs PowerShell commands, installing the BatLoader malware. This malware retrieves, decrypts, and executes DanaBot, a modular banking trojan with a history of stealing passwords, capturing screenshots, deploying ransomware modules, and more. User credentials pilfered by DanaBot can be used for further attacks or sold to other threat actors. As a response, Google has taken action against the associated accounts behind the malicious ads to protect users.
Visitors who download the fake Webex software receive an MSI installer that initiates multiple processes and runs PowerShell commands, installing the BatLoader malware. This malware retrieves, decrypts, and executes DanaBot, a modular banking trojan with a history of stealing passwords, capturing screenshots, deploying ransomware modules, and more. User credentials pilfered by DanaBot can be used for further attacks or sold to other threat actors. As a response, Google has taken action against the associated accounts behind the malicious ads to protect users.
Acronis Cyber Protect uses URL Filtering to block access to malicious sites and blocks any malicious payload downloaded with its included AI-based and behavioral detection engine.
