
Researchers have spotted a malvertising campaign targeting corporate users who are downloading the widely used web conferencing application, Webex.
The malicious threat actors have purchased an advertisement that mimics Cisco’s branding, and it appears as the top result when conducting a Google search.
The ad appears completely legitimate at first glance, featuring both the Webex logo and the official website. However, if you click on the menu to the right of the ad, you’ll find additional details that reveal the advertiser to be an individual from Mexico, which is highly unlikely to be associated with Cisco.
The threat actors take advantage of a Google Ads feature known as the tracking template, the field where advertisers place URL tracking parameters to collect metrics. Researchers found that the same field can be abused as a filtering and redirection mechanism, so that the ad sends different visitors to different destinations.
The MSI installer is equipped with anti-sandbox features and will only run in specific environments. The downloaded file exceeds the size limit for many sandboxes and is designed to bypass detection from antivirus products. It initiates multiple processes, including PowerShell, and installs BatLoader from a local source. BatLoader, in turn, drops DanaBot.
It should be noted that Webex itself has not been compromised; instead, threat actors are impersonating reputable brands to deploy malware.
Malvertising continues to target corporate users, in particular, by taking advantage of search engines such as Google that are commonly used to search for and download software. Because the ads look so legitimate, there is little doubt people will click on them and visit unsafe sites.
Loaders such as BatLoader are stealthy and may not be detected by traditional antivirus. A more complete solution, such as EDR coupled with an MDR service in which human analysts review the suspicious activities the malware performs, is a necessity.
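Added example, not from the original report: a small hunt over constructed Windows process-creation events for the msiexec-to-PowerShell chain the fake Webex installer uses, including the case where PowerShell is a grandchild rather than a direct child of msiexec. The event field names and the PowerShell arguments are assumptions; only the MSI file name is taken from the report.

```python
"""Walk process-creation telemetry for PowerShell launched under msiexec.exe."""
import ntpath

# Constructed sample events (field names pid/ppid/image/cmdline are assumed);
# real data would come from Sysmon Event ID 1 or an EDR agent. The MSI file name
# is the one named in the report; the PowerShell arguments are made up.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\u\Downloads\Installer90.2.msi"'},
    # Direct child: msiexec -> powershell
    {"pid": 210, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\ProgramData\x\run.ps1"},
    # Indirect: msiexec -> cmd -> powershell (a plain parent==msiexec rule would miss this)
    {"pid": 220, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c start.bat"},
    {"pid": 221, "ppid": 220, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand PLACEHOLDER"},
    # Benign installer that never touches PowerShell: must not be flagged
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\msiexec.exe", "cmdline": "msiexec.exe /i benign.msi"},
]

POWERSHELL = {"powershell.exe", "pwsh.exe"}
RISKY_SWITCHES = ("-executionpolicy bypass", "-encodedcommand", "-windowstyle hidden", "-w hidden", "-nop")

def image_name(path):
    """Lower-cased file name of a Windows image path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()

def msiexec_spawned_powershell(events, max_depth=16):
    """Return one finding per PowerShell process whose ancestor chain includes msiexec.exe."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if image_name(e["image"]) not in POWERSHELL:
            continue
        cur, depth = e, 0
        # Walk up the parent chain; bounded so pid reuse cannot loop forever
        while cur["ppid"] in by_pid and depth < max_depth:
            cur, depth = by_pid[cur["ppid"]], depth + 1
            if image_name(cur["image"]) == "msiexec.exe":
                lowered = e["cmdline"].lower()
                findings.append({"msi_pid": cur["pid"], "msi_cmdline": cur["cmdline"], "ps_pid": e["pid"],
                                 "risky_switches": [s for s in RISKY_SWITCHES if s in lowered]})
                break
    return findings

if __name__ == "__main__":
    for f in msiexec_spawned_powershell(SAMPLE_EVENTS):
        print(f"ALERT msiexec pid {f['msi_pid']} -> powershell pid {f['ps_pid']} {f['risky_switches']} ({f['msi_cmdline']})")
```

Because the check walks the whole ancestor chain, it also catches the msiexec -> cmd.exe -> powershell.exe variant, which a rule that only compares the immediate parent would miss.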
Indicators of Compromise