Threat actors are employing a devious strategy by using Google Ads tracking templates to disseminate convincing Cisco Webex software search ads that redirect unsuspecting users to websites hosting the BatLoader malware.
Furthermore, this malicious campaign has been active in Google Search for approximately a week, with the threat actors suspected to be based in Mexico. To appear legitimate, the malicious ads closely mimic the official Webex download portal, utilizing authentic logos and displaying the legitimate “webex.com” URL as the click destination. The attackers exploit a Google Ads platform loophole in tracking templates, enabling them to redirect users while seemingly complying with Google’s policies.
Specifically, the threat actors employ a Firebase URL as their tracking template, redirecting users to “trixwe.page[.]link.” Here, they filter out visits that appear to originate from researchers and automated crawlers.
If a user is deemed a target, they are redirected to “monoo3at[.]com,” where further checks are conducted to identify potential victims or researchers using a sandbox environment. Those targeted are then redirected to a malware-dropping site at “webexadvertisingoffer[.]com,” while others are redirected to Cisco’s legitimate “webex.com” site.
Victims who click on download buttons on the fake Webex page inadvertently download an MSI installer that initiates various processes and runs PowerShell commands to install the BatLoader malware. This malware is capable of fetching, decrypting, and executing the DanaBot malware payload.
DanaBot, a modular banking trojan active since 2018, has multifaceted capabilities, including stealing passwords, capturing screenshots, loading ransomware modules, masking malicious C2 traffic, and providing direct access to compromised hosts through HVNC.
Those infected risk having their credentials stolen and potentially used for further attacks or sold to other threat actors. To stay safe, users are advised to bypass promoted results on Google Search and download software exclusively from trusted sources, such as the official software developer’s website.