Image: Blake Connally (unsplash)
Google Ads tracking templates have been manipulated by malicious actors to craft deceptive Webex software search ads. These ads lead unsuspecting users to sites that deploy the BatLoader malware.
Webex stands as a renowned video conferencing and contact center suite within Cisco’s extensive collaboration product line. Many global corporations and businesses frequently employ this suite.
According to Malwarebytes, this misleading advertising campaign on Google Search was active for a week. The sources behind this malicious activity are believed to hail from Mexico.
Underhanded Google Ad Campaign These nefarious actors identified and exploited a flaw within the Google Ad platform’s tracking template. This flaw allowed them to redirect users in a manner consistent with Google’s guidelines.
Google’s policy states that advertisers can incorporate tracking templates with URL parameters, determining the “final URL” based on user details. This includes their device type, location, and various metrics tied to ad engagement.
Although the policy demands a match between the display URL of an ad and the final URL, it doesn’t prevent the tracking template from redirecting users to a different domain.
In this instance, the deceptive actors used a Firebase URL (“trixwe.page.link”) as their tracking template, with the designated final URL being https://www.webex.com.
When users click the ad, they are directed to the “trixwe.page[.]link.” This site is set to filter out visits perceived to be from research entities or automated web crawlers. Malwarebytes highlighted that this deceptive Google ad, mimicking the official Webex download page, secures the top spot in Google Search for the term “webex.”
The deceptive nature of this ad is amplified by its use of the genuine Webex logo and the display of the legitimate “webex.com” URL as the destination upon clicking. Such factors make it hard to differentiate between this misleading advertisement and an official one from Cisco.
For selected targets, redirection occurs to “monoo3at[.]com” where further evaluations determine whether the user is a potential victim or perhaps a researcher in a protective sandbox.
Depending on the threat actor’s assessment, the target might be led to a malicious site named “webexadvertisingoffer[.]com.” All other users are guided to Cisco’s authentic “webex.com” domain.
Deceptive Webex Installer Visitors lured to the counterfeit Webex page who proceed to click on download links are met with an MSI installer. This installer initiates various processes and leverages PowerShell commands, culminating in the installation of the BatLoader malware.
Subsequently, this malware sets in motion further processes to retrieve, decode, and deploy an additional DanaBot malware strain.
DanaBot, a multi-faceted banking trojan recognized since 2018, boasts capabilities like password theft, capturing screenshots, enabling ransomware modules, obscuring malicious C2 traffic, and providing unrestricted access to compromised systems via HVNC.
Individuals unfortunate enough to be compromised by DanaBot will find their personal credentials extracted and dispatched to the attackers. These can then be utilized for subsequent malicious endeavors or traded among other malicious entities.
To remain secure, it’s advised for individuals to bypass promoted results on Google Search, opting instead to download directly from the software’s primary developer or from reputable, established sources.