One sentence summary – A malicious advertising campaign has been discovered, using Google Ads tracking templates to distribute a banking trojan through counterfeit Webex software search ads, with threat actors believed to be based in Mexico; users are advised to exercise caution when clicking on search ads and to download software only from trusted sources.
At a glance
- A malicious advertising campaign has been discovered, exploiting Google Ads tracking templates to distribute a banking trojan through counterfeit Webex software search ads.
- The threat actors behind this campaign are believed to be based in Mexico.
- The malvertising campaign has been active on Google Search for approximately one week.
- The ad impersonates the official Webex download portal and is ranked at the top of Google Search results for the term “webex”.
- The threat actors have exploited a loophole in the Google Ad platform’s tracking template to redirect users while still complying with Google’s policy.
The details
A malicious advertising campaign has been discovered, exploiting Google Ads tracking templates to distribute a banking trojan through counterfeit Webex software search ads.
The threat actors behind this campaign are believed to be based in Mexico.
This article will provide an in-depth look at the campaign, the methods used, and the potential risks it presents to users.
The threat actors have been using Google Ads tracking templates to create convincing Webex software search ads.
This malvertising campaign has been active on Google Search for approximately one week.
The malicious Google ad impersonates the official Webex download portal and is ranked at the top of Google Search results for the term “webex”.
The ad uses the authentic Webex logo and displays the legitimate URL, “webex.com,” as the click destination.
The threat actors have exploited a loophole in the Google Ad platform’s tracking template to redirect users while still complying with Google’s policy.
Google permits advertisers to use tracking templates with URL parameters to define a “final URL” construction process.
The display URL and final URL of an ad must belong to the same domain, but the tracking template can redirect users to a different website.
In this instance, the threat actors used a Firebase URL as their tracking template, with a final URL of “webex.com.”
If the ad is clicked, the visitor is redirected to a different URL that filters out visits from researchers and automated crawlers.
Potential victims or researchers will be redirected to a malware-dropping site.
Visitors who are not targets will be redirected to Cisco’s legitimate “webex.com” site.
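The policy gap described above can be audited on the defender's side: Google only requires the display URL and final URL to share a domain, while the tracking template, the first hop after a click, can live anywhere. The check below is an added illustration, not code from the original article or from Google; it assumes ad records with a display URL, final URL and tracking template, assumes that a legitimate template references Google's `{lpurl}` landing-page placeholder, and uses a constructed placeholder Firebase-style hostname rather than any indicator from the campaign.

```python
from urllib.parse import urlsplit


def registrable_domain(url: str) -> str:
    """Return the host's last two labels (e.g. 'webex.com').

    Simplification: ignores multi-label public suffixes such as 'co.uk'.
    """
    parts = urlsplit(url if "//" in url else "//" + url)  # accept a bare 'webex.com'
    host = (parts.hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def audit_ad(display_url: str, final_url: str, tracking_template: str = "") -> list:
    """Return findings for one ad record; an empty list means nothing suspicious."""
    findings = []
    final_dom = registrable_domain(final_url)
    # Google's own rule: display URL and final URL must share a domain.
    if registrable_domain(display_url) != final_dom:
        findings.append("display/final domain mismatch")
    if tracking_template:
        track_host = urlsplit(tracking_template).hostname or ""
        # The loophole: nothing forces the tracking template onto the
        # advertiser's domain, yet it receives the click before the final URL.
        if registrable_domain(tracking_template) != final_dom:
            findings.append(f"tracking template hosted off-domain ({track_host})")
        # Assumption: a template that never references the landing page
        # ({lpurl}) is under no obligation to forward the visitor to it.
        if "{lpurl}" not in tracking_template:
            findings.append("tracking template does not reference the final URL")
    return findings


# Constructed sample records: an advertiser-hosted tracker versus an ad shaped
# like the one in this campaign (off-domain tracker; hostname is a placeholder).
SAMPLE_ADS = {
    "benign": ("webex.com", "https://www.webex.com/downloads.html",
               "https://track.webex.com/c?u={lpurl}"),
    "suspicious": ("webex.com", "https://www.webex.com/downloads.html",
                   "https://example-placeholder.web.app/r"),
}


def audit_all(ads=SAMPLE_ADS) -> dict:
    """Audit every sample record and map its name to the findings list."""
    return {name: audit_ad(*record) for name, record in ads.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "->", findings or ["ok"])
```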
Upon visiting the fake Webex page, visitors may receive an MSI installer that installs the BatLoader malware.
The BatLoader malware fetches, decrypts, and executes the DanaBot malware payload.
DanaBot is a modular banking trojan capable of stealing passwords, capturing screenshots, loading ransomware modules, masking malicious C2 traffic, and providing direct access to compromised hosts.
Infected users will have their credentials stolen and sent to the attackers.
It is recommended to download software directly from the developer or a trusted site, rather than clicking on promoted results on Google Search.
In addition to the Webex malvertising campaign, a separate campaign targeting Facebook Business accounts has emerged, using a variant of the NodeStealer malware.
This campaign primarily targets victims in Southern Europe and North America, specifically in the manufacturing services and technology sectors.
NodeStealer is a JavaScript-based malware that steals cookies and passwords from web browsers, compromising Facebook, Gmail, and Outlook accounts.
The Vietnamese threat actors behind the campaign have likely resumed their attack efforts, adopting tactics employed by other adversaries in the country.
Fraudulent messages are sent via Facebook Messenger, originating from fake or hijacked personal accounts, to deliver the NodeStealer malware.
The malware is delivered through ZIP or RAR archive files hosted on Facebook’s content delivery network.
These archives contain a batch script that opens the Chrome web browser and executes a PowerShell command to retrieve additional payloads, including the Python interpreter and the NodeStealer malware.
NodeStealer captures credentials and cookies from various web browsers and exfiltrates the information over Telegram.
The new variant of NodeStealer employs batch files to download and run Python scripts, enabling the theft of credentials and cookies from multiple browsers and websites.
Stolen Facebook cookies and credentials can be utilized by attackers to gain control of the account and perform fraudulent transactions using the legitimate business page.
These campaigns underscore the ongoing threats posed by malicious actors exploiting popular platforms and services.
Users are advised to exercise caution when clicking on search ads and to download software only from trusted sources.
Additionally, maintaining up-to-date security measures and being vigilant against suspicious messages is crucial to protect against credential theft and potential compromise.
The information provided in this brief is based on multiple sources and aims to present a comprehensive overview of the news story, while remaining unbiased and neutral.
Article X-ray
Here are all the sources used to create this article:
This section links each of the article’s facts back to its original source.
If you have any suspicions that false information is present in the article, you can use this section to investigate where it came from.
bleepingcomputer.com
- Threat actors are using Google Ads tracking templates to create convincing Webex software search ads.
- The malvertising campaign has been active in Google Search for a week.
- The threat actors behind the campaign appear to be from Mexico.
- A malicious Google ad impersonates the official Webex download portal and ranks at the highest position in Google Search results for the “webex” term.
- The ad uses the real Webex logo and displays the legitimate URL, “webex.com,” as the click destination.
- The threat actors exploit a loophole in the Google Ad platform’s tracking template to redirect users while complying with Google’s policy.
- Google allows advertisers to use tracking templates with URL parameters to define a “final URL” construction process.
- The display URL and final URL of an ad must belong to the same domain, but the tracking template can redirect users to a different website.
- The threat actors used a Firebase URL as their tracking template, with a final URL of “webex.com.”
- If the ad is clicked, the visitor is redirected to a different URL that filters out visits from researchers and automated crawlers.
- If the visitor is a potential victim or researcher, they will be redirected to a malware-dropping site.
- If the visitor is not a target, they will be redirected to Cisco’s legitimate “webex.com” site.
- Visitors of the fake Webex page may receive an MSI installer that installs the BatLoader malware.
- The BatLoader malware fetches, decrypts, and executes the DanaBot malware payload.
- DanaBot is a modular banking trojan that can steal passwords, take screenshots, load ransomware modules, mask malicious C2 traffic, and provide direct access to compromised hosts.
- Infected users will have their credentials stolen and sent to the attackers.
- It is recommended to download software directly from the developer or a trusted site rather than clicking on promoted results on Google Search.
thehackernews.com
- A campaign is targeting Facebook Business accounts with bogus messages to steal victims’ credentials.
- The campaign uses a variant of the Python-based NodeStealer malware.
- The attacks are mainly targeting victims in Southern Europe and North America, particularly in the manufacturing services and technology sectors.
- NodeStealer is a JavaScript malware that steals cookies and passwords from web browsers to compromise Facebook, Gmail, and Outlook accounts.
- A Python version of the malware was used in a separate attack wave in December 2022, with some iterations designed for cryptocurrency theft.
- The Vietnamese threat actors behind the campaign have likely resumed their attack efforts and adopted tactics used by other adversaries in the country.
- Fraudulent messages sent via Facebook Messenger from fake and hijacked personal accounts are being used to deliver the NodeStealer malware.
- The malware is delivered through ZIP or RAR archive files hosted on Facebook’s content delivery network.
- The archives contain a batch script that opens the Chrome web browser and runs a PowerShell command to retrieve additional payloads, including the Python interpreter and the NodeStealer malware.
- The NodeStealer malware captures credentials and cookies from various web browsers and exfiltrates the information over Telegram.
- The new variant of NodeStealer uses batch files to download and run Python scripts and steal credentials and cookies from multiple browsers and websites.
- The stolen Facebook cookies and credentials can be used by attackers to take over the account and make fraudulent transactions using the legitimate business page.