Fake Cisco Webex Google Ads abuse tracking templates to push malware

Subject : Fake Cisco Webex Google Ads abuse tracking templates to push malware
Date : 2023-08-27

 

Information

  Cisco Webex is a popular online meeting platform with a wide range of features. It can be used both from a computer and through mobile apps, and the steps to use it are simple and time-saving.

It can be accessed through 3 channels:

  1. A web browser such as Mozilla Firefox, IE, Chrome, etc.
  2. The Cisco Webex Meetings Desktop App (requires installation)
  3. The Cisco Webex Meetings Mobile App on iPhone, iPad and Android

 Cisco Webex application

Incident

   Threat actors use Google Ads tracking templates as a loophole to create convincing Webex software search ads that redirect users to websites that distribute the BatLoader malware. Webex is a video conferencing and contact center suite that is part of Cisco's collaboration products portfolio and used by corporations and businesses worldwide.

   Malwarebytes reports that a malicious Google ad impersonates the official Webex download portal, ranking at the highest position in Google Search results for the "webex" term. What makes the advertisement look legitimate is that it uses the real Webex logo and displays the legitimate URL, "webex.com," as the click destination. These ad components make the advertisement appear legitimate and indistinguishable from a real advertisement from Cisco.

 Malicious ad

Specifically, Google says advertisers may use tracking templates with URL parameters that define a "final URL" construction process based on gathered user information regarding their device, location, and other metrics related to ad interactions. The policy mandates that the display URL of an ad and the final URL must belong to the same domain (e.g. "example.com" in "www.example.com"). Still, nothing is stopping the tracking template from redirecting users to a website outside the indicated domain.

  In this case, the threat actors used a Firebase URL ("trixwe[.]page[.]link") as their tracking template, with a final URL of https://www.webex.com. However, if the ad is clicked, the visitor is first redirected to "trixwe[.]page[.]link". If the visitor is one the threat actors wish to target, they are then redirected to a malware-dropping site at "webexadvertisingoffer[.]com"; non-targeted visitors are sent on to the correct website instead.

 The redirection chain
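A defender-side check for the policy gap described above, as an added example (not code from Malwarebytes, Google or Cisco): given the display URL and a captured list of redirect hops, it flags every hop that leaves the display URL's registrable domain and marks hops that merely contain the brand name. It assumes the hops were captured from a proxy log or a browser HAR file; the URL paths in the sample chain and the two-label domain rule are simplifying assumptions.

```python
"""Check a captured ad redirect chain against the advertised display domain.

Added example for this bulletin, not code from Malwarebytes, Google or Cisco.
Hops are assumed to come from a proxy log or browser HAR capture, in order;
the sample chain below is constructed from the domains named in the article.
"""
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption: production code would use a
    public-suffix list so that e.g. example.co.uk is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(url: str) -> str:
    return urlsplit(url).hostname or ""


def audit_chain(display_url: str, hops: list[str], brand: str) -> list[dict]:
    """One finding per hop that leaves the display URL's registrable domain.

    Google's policy only ties the display URL and the final URL to one domain;
    intermediate tracking-template hops are not covered, so every hop is checked.
    A hop is marked 'lookalike' when it contains the brand name but is not the
    brand's own domain (e.g. webexadvertisingoffer.com).
    """
    expected = registrable_domain(host_of(display_url))
    findings = []
    for position, url in enumerate(hops, start=1):
        host = host_of(url)
        if registrable_domain(host) == expected:
            continue  # www.example.com and example.com are the same domain
        findings.append({"hop": position, "host": host,
                         "lookalike": brand.lower() in host.lower()})
    return findings


# Constructed chain mirroring the article: ad -> Firebase tracking template ->
# attacker landing page for targeted visitors, instead of the real webex.com.
OBSERVED_CHAIN = [
    "https://trixwe.page.link/ads?src=google",     # path/query constructed
    "https://webexadvertisingoffer.com/download",  # path constructed
]

if __name__ == "__main__":
    for f in audit_chain("https://www.webex.com", OBSERVED_CHAIN, "webex"):
        print(f"hop {f['hop']}: {f['host']} leaves webex.com"
              + (" (brand lookalike)" if f["lookalike"] else ""))
```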

If visitors of the fake Webex page click on the download buttons, they receive an MSI installer that spawns several processes and runs PowerShell commands to install the BatLoader malware. This malware will ultimately fetch, decrypt, and execute an additional DanaBot malware payload. DanaBot is a modular banking trojan that has circulated in the wild since 2018, with the ability to steal passwords, snap screenshots, load ransomware modules and give direct access to compromised hosts via HVNC. Those infected with DanaBot will have their credentials stolen and sent to the attackers, who will either use them for further attacks or sell them to other threat actors.

 

The malware-dropping page
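As an added example for the installer behaviour described above (not Malwarebytes' or any vendor's detection), this builds a process tree from constructed Sysmon-style process-creation events and reports PowerShell processes that have msiexec.exe anywhere in their ancestry, not only as the direct parent. The intermediate setup.exe name and all file paths are hypothetical.

```python
"""Flag PowerShell launched under an MSI installer in process-creation events.

Added example for this bulletin, not a vendor's or Malwarebytes' detection.
Events are constructed dicts shaped like Sysmon Event ID 1 fields; real input
would come from the SIEM. The article says the fake Webex MSI spawns several
processes before running PowerShell, so the whole ancestry is walked rather
than only the direct parent.
"""
from pathlib import PureWindowsPath


def image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def ancestry(events: list[dict], pid: int) -> list[str]:
    """Image names from pid up to the root, following ParentProcessId links."""
    by_pid = {e["ProcessId"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)  # guard against recycled PIDs producing a cycle
        chain.append(image_name(by_pid[pid]["Image"]))
        pid = by_pid[pid]["ParentProcessId"]
    return chain


def find_msi_spawned_powershell(events: list[dict]) -> list[int]:
    """PIDs of powershell.exe processes with msiexec.exe anywhere above them.
    Legitimate installers also run PowerShell custom actions, so treat hits as
    hunting leads to be enriched with the MSI's path and signer, not as alerts."""
    return [e["ProcessId"] for e in events
            if image_name(e["Image"]) == "powershell.exe"
            and "msiexec.exe" in ancestry(events, e["ParentProcessId"])]


# Constructed events: msiexec -> intermediate child (name hypothetical) ->
# PowerShell, plus a benign PowerShell under explorer.exe that must not match.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ProcessId": 100, "ParentProcessId": 1, "Image": r"C:\Windows\explorer.exe"},
    {"ProcessId": 200, "ParentProcessId": 100, "Image": r"C:\Windows\System32\msiexec.exe"},
    {"ProcessId": 210, "ParentProcessId": 200, "Image": r"C:\Users\u\AppData\Local\Temp\setup.exe"},
    {"ProcessId": 220, "ParentProcessId": 210, "Image": PS},
    {"ProcessId": 300, "ParentProcessId": 100, "Image": PS},
]

if __name__ == "__main__":
    print(find_msi_spawned_powershell(SAMPLE_EVENTS))  # [220]
```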

Weekly Interesting CVE

| No. | CVE Name | Published Date | Last Update | Device/Application/OS Target | Attack Type | CVSS | Detail | Solution | Ref |
|-----|----------|----------------|-------------|------------------------------|-------------|------|--------|----------|-----|
| 1 | CVE-2023-25533 | 19/09/2023 | 22/09/2023 | NVIDIA DGX H100 BMC | Input validation | 8.3 | NVIDIA DGX H100 BMC contains a vulnerability in the web UI, where an attacker may cause improper input validation. A successful exploit of this vulnerability may lead to information disclosure, code execution, and escalation of privileges. | Update version | https://nvd.nist.gov/vuln/detail/CVE-2023-25533 |
| 2 | CVE-2023-41030 | 18/09/2023 | 21/09/2023 | Juplink RX4-1500 | Hard-coded password | 9.8 | Hard-coded credentials in Juplink RX4-1500 versions V1.0.2 through V1.0.5 allow unauthenticated attackers to log in to the web interface or telnet service as the 'user' user. | Update version | https://nvd.nist.gov/vuln/detail/CVE-2023-41030 |
| 3 | CVE-2023-4427 | 22/08/2023 | 20/09/2023 | Google Chrome | Out-of-bounds | 8.1 | Out of bounds memory access in V8 in Google Chrome prior to 116.0.5845.110 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. | Update to version 116.0.5845.110 | https://nvd.nist.gov/vuln/detail/CVE-2023-4427 |
| 4 | CVE-2023-3280 | 13/09/2023 | 19/09/2023 | Palo Alto Networks Cortex XDR | Exceptional condition | 5.5 | A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on Windows devices allows a local user to disable the agent. | Update version | https://nvd.nist.gov/vuln/detail/CVE-2023-3280 |
| 5 | CVE-2023-38204 | 14/09/2023 | 18/09/2023 | Adobe ColdFusion | Deserialization | 9.8 | Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and earlier) and 2023u2 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution. Exploitation of this issue does not require user interaction. | Update version | https://nvd.nist.gov/vuln/detail/CVE-2023-38204 |

Solution

1. To find the original software, skip search results that are Google Ads.

2. Download programs directly from well-known, reliable websites only.


Security systems remain the important thing. We must stay vigilant and monitor them as usual.
For more information please contact
Email: sales@inetms.co.th
065 149 2822 (Ms.Suphatson )
061 404 5895 (Ms.Thanyakan)
063 204 4534 (Ms.Atsamaphorn)
065 929 6330 (Ms.Kansinee)

 

References

- https://www.bleepingcomputer.com/news/security/fake-cisco-webex-google-ads-abuse-tracking-templates-to-push-malware/
- https://support.google.com/google-ads/answer/7197008?hl=en
- https://www.malwarebytes.com/blog/threat-intelligence/2023/09/ongoing-webex-malvertising-drops-batloader

05 October 2023
