BatLoader malware spreads via new malvertising campaign

February 19, 2024
BatLoader Malware Malvertising Fake Ads Malicious Domains Phishing

A new malvertising campaign that spreads the BatLoader malware targets corporate users who search for and use the web conferencing app WebEx. The ad looks legitimate because the attackers bought a Google ad that impersonates the branding of Cisco, the company behind WebEx.

This fake ad has commonly appeared as the top result in Google searches related to WebEx, so the operation can easily deceive unsuspecting users who trust the search engine's results.


The BatLoader malware exploits the WebEx logo to deceive users.


The ad that the BatLoader malware operators display carries the WebEx logo. The familiar logo lends the ad credibility and sends users to a look-alike WebEx website. The actors rely on users who trust recognisable logos and branding and do not scrutinise the site they are about to visit.

Next, the attackers abuse a Google Ads feature called the tracking template, which lets advertisers store URL tracking parameters so that clicks can be measured. The tracking template is not a flaw in itself, but the redirect it performs can be pointed at attacker-controlled filtering and redirection infrastructure, so that a click on the ad lands on a malicious domain rather than the site the ad appears to advertise.

Once a victim takes the bait, the deceptive site serves a malicious MSI installer. The installer includes anti-sandbox checks so that it only runs in environments that look like a real user's machine.

When run, it starts a sequence of PowerShell processes and installs BatLoader from a file already on the local disk. Infection does not stop there: BatLoader is a gateway that delivers a further malware strain, DanaBot.
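The installer stage described in the two paragraphs above (a downloaded MSI whose custom action launches PowerShell, which in turn stages the loader from local disk) leaves a process-tree pattern that endpoint telemetry can catch. The following is an added example written for this page; it is not code from the original article or from any EDR vendor. It walks constructed Sysmon-style process-creation events (the field names pid, ppid, image and cmdline are an assumption) and flags any powershell.exe whose ancestry contains msiexec.exe, scoring the finding higher when the PowerShell command line carries the usual evasion switches or points at a script under a user-writable directory.

```python
"""
Detection sketch: powershell.exe spawned under msiexec.exe.

Example code added to this page, not from the original article or any
vendor product. Event field names (pid/ppid/image/cmdline) are an
assumption modelled loosely on Sysmon Event ID 1.
"""

# Constructed sample telemetry (not real logs). A user double-clicks a fake
# installer from Downloads; the Windows Installer service process runs a
# custom action that launches PowerShell with a script dropped in Temp.
SAMPLE_EVENTS = [
    {"pid": 800,  "ppid": 600,  "image": r"C:\Windows\System32\services.exe",
     "cmdline": "services.exe"},
    {"pid": 4010, "ppid": 3200, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 4120, "ppid": 4010, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\alice\Downloads\WebexSetup.msi"'},
    {"pid": 4133, "ppid": 800,  "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /V"},
    {"pid": 4151, "ppid": 4133,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden "
                r"-File C:\Users\alice\AppData\Local\Temp\setup.ps1"},
    # Benign control: an administrator runs PowerShell interactively from cmd.
    {"pid": 4300, "ppid": 4010, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
    {"pid": 4310, "ppid": 4300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
]

# Switches that legitimate installers rarely need but loaders use routinely.
EVASION_SWITCHES = ("-executionpolicy bypass", "-windowstyle hidden",
                    "-encodedcommand", " -enc ", "-noprofile")

# Locations a standard user can write to; an installer that runs a script
# from one of these deserves a second look.
USER_WRITABLE_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\temp\\")


def image_name(path):
    """Return the lower-cased executable name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(event, by_pid, max_depth=4):
    """Return [event, parent, grandparent, ...] up to max_depth hops."""
    chain = [event]
    cur = event
    for _ in range(max_depth):
        parent = by_pid.get(cur["ppid"])
        if parent is None:
            break
        chain.append(parent)
        cur = parent
    return chain


def find_msi_spawned_powershell(events, max_depth=4):
    """Return one finding per powershell.exe that has msiexec.exe as an ancestor."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if image_name(e["image"]) != "powershell.exe":
            continue
        chain = ancestry(e, by_pid, max_depth)
        if not any(image_name(a["image"]) == "msiexec.exe" for a in chain[1:]):
            continue
        cmd = e["cmdline"].lower()
        hits = [s for s in EVASION_SWITCHES if s in cmd]
        dropped = any(d in cmd for d in USER_WRITABLE_DIRS)
        findings.append({
            "pid": e["pid"],
            "chain": " -> ".join(image_name(a["image"]) for a in reversed(chain)),
            "evasion_switches": hits,
            "script_in_user_dir": dropped,
            # 1 point for the msiexec ancestor, 1 per switch, 1 for the drop path.
            "score": 1 + len(hits) + int(dropped),
        })
    return findings


if __name__ == "__main__":
    for finding in find_msi_spawned_powershell(SAMPLE_EVENTS):
        print(finding)
```

On the constructed sample the rule reports only the PowerShell process under the Windows Installer service (chain services.exe -> msiexec.exe -> powershell.exe) and leaves the administrator's interactive session alone. Note that the user's own msiexec /i process is not in that chain: custom actions run under the service-side msiexec, so correlating the MSI path in Downloads with the later PowerShell launch has to be done across processes, not by parent-child walking alone.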

The WebEx platform itself has not been compromised in this campaign. The threat actors simply impersonate a reputable brand to lure victims.

Malvertising remains a persistent and evolving threat to corporate users, because the applications the threat actors impersonate are the ones those users rely on every day. These campaigns often exploit popular search engines such as Google to trap unsuspecting victims.

A comprehensive security strategy is essential to defend against these adversaries: pair Endpoint Detection and Response (EDR) solutions with Managed Detection and Response (MDR) services and human analysts who can monitor suspicious activity and respond to emerging threats. At the user level, the simplest check is to type the vendor's address directly, or inspect the destination domain before downloading any installer offered by a sponsored search result.
