Google ads have been a popular choice for threat actors to promote their malware and lure unsuspecting victims. Now, according to a new report from Malwarebytes, hackers created deceptive Google ads for Webex software, tricking users into downloading the BatLoader malware.
Originating from Mexico, this campaign not only secured the top spot in Google’s search results for “Webex” but also managed to use the official Webex logo and the genuine URL, “webex.com,” as the designated click destination.
Although Google does have measures to ensure the URL displayed in an ad matches the final destination URL upon clicking, the report reveals that threat actors exploited a vulnerability, enabling them to redirect users elsewhere.
How does the campaign work?
Instead of webex.com, threat actors redirected victims to “trixwe.page.link”. To make matters worse, hackers developed a filter to screen out visits from researchers and automated web crawlers, effectively masking the entire campaign. Users who made it past this filter, however, ended up on a malware-infected website hosted at “webexadvertisingoffer[.]com.”
Upon reaching the counterfeit Webex installer page, users who clicked the download button unknowingly installed the BatLoader payload. Once executed, this payload installed the DanaBot malware, which has been in circulation since 2018 and is capable of searching the victim’s computer for passwords, capturing screenshots, loading ransomware modules, concealing malicious traffic, and providing remote access through HVNC (Hidden VNC).
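The gap between the domain an ad displays and the site a click actually lands on can be checked from a redirect chain recorded by a proxy or sandboxed browser. The Python code below is an added example, not code from the Malwarebytes report. The function names are assumptions, and the sample chain is constructed from the hostnames named in this article.

```python
from urllib.parse import urlparse

def refang(url):
    """Undo the '[.]' defanging used in reports so the URL can be parsed."""
    return url.replace("[.]", ".")

def host_matches(host, advertised):
    """True only if host is the advertised domain or one of its subdomains."""
    host = host.lower().rstrip(".")
    advertised = advertised.lower().rstrip(".")
    # Requiring the leading dot rejects lookalikes such as 'notwebex.com'.
    return host == advertised or host.endswith("." + advertised)

def audit_ad_click(display_url, hops):
    """Compare an ad's displayed URL with the redirect chain a click produced.

    hops is the ordered list of URLs visited after the click.
    """
    advertised = urlparse(display_url).hostname
    if advertised is None:
        raise ValueError("display_url must be an absolute URL")
    hosts = [urlparse(refang(u)).hostname or "" for u in hops]
    landing = hosts[-1] if hosts else None
    return {
        "advertised": advertised,
        "landing": landing,
        # Intermediate trackers are normal; they are listed for triage only.
        "off_domain_hops": [h for h in hosts if not host_matches(h, advertised)],
        # The verdict depends on where the user finally ends up.
        "mismatch": landing is None or not host_matches(landing, advertised),
    }

# Constructed sample: hostnames are those named in the article, paths are made up.
SAMPLE_HOPS = [
    "https://trixwe.page.link/",
    "https://webexadvertisingoffer[.]com/",
]

if __name__ == "__main__":
    print(audit_ad_click("https://webex.com", SAMPLE_HOPS))
```

Because the campaign filtered out researchers and crawlers, a single clean result from an automated check does not clear an ad.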
Google’s response
In response to the report, a Google spokesperson stated, “Protecting users is our top priority. We don’t allow advertisers on our platform to spread malicious software. We’ve reviewed the ads in question and have taken appropriate action against the associated accounts.”
However, this incident once again highlights the need for users to remain vigilant and take precautionary measures. These include avoiding promoted results on Google when searching for software and using antivirus software.