Businesses are being targeted in a malvertising campaign that uses Google Ads impersonating the Webex download portal to trick users into downloading a fake installer for the video conferencing platform that delivers BatLoader malware.
BatLoader is a malware loader used to gain initial access to networks, and it is often delivered via malvertising campaigns bundled inside Microsoft Software Installation (MSI) packages. The sites used to distribute the malware often use search engine optimization (SEO) poisoning techniques to get web pages to appear high in the search engine listings for search terms likely to be used by employees. Threat groups previously known to use BatLoader for initial access have used it to download malware such as QakBot, Raccoon Stealer, the Bumblebee loader, Cobalt Strike, and the Arkei information stealer. Infection with BatLoader can easily lead to data theft and ransomware attacks.
BatLoader is evasive, and the threat actors behind BatLoader campaigns use living-off-the-land techniques once initial access has been gained, which can make detection of malicious activity difficult in the early stages of the infection chain.
One of the latest campaigns departs from the standard delivery method, as Google Ads are used rather than SEO poisoning. The campaign also stands out from other malvertising campaigns because the malicious adverts are indistinguishable from genuine advertisements for Webex software.
The easiest red flag to identify in malvertising campaigns is that the website offering the software download is not the official site of the company being impersonated. This campaign, however, displays the correct Webex logo and the legitimate webex.com URL in the Google Ad, and the adverts appear in position 1 at the top of the page. If the URL is clicked, however, the user is redirected to a malicious website.
Checks are performed when the ad is clicked in an attempt to filter out automated crawlers and researchers using sandboxes. If the visitor is rejected, they are directed to the official Webex site. If the checks are passed, they are directed to the webexadvertisingoffer[.]com site, where they are offered a fake Webex MSI installer. In this campaign, BatLoader is delivered along with the DanaBot banking Trojan. DanaBot is capable of stealing passwords, taking screenshots, and providing direct access to compromised hosts, and it is often used to download ransomware.
The threat actors are able to create legitimate-looking Webex ads by exploiting a loophole in the Google Ads platform involving tracking templates. Rather than using one fixed URL in the ad for all clicks, tracking templates allow the advertiser to specify the redirect URL based on user parameters such as device type, location, and other information.
While Google’s policy is that the display URL and the final URL must be on the same domain, the tracking template may redirect users to a different website. In this case, a Firebase URL is used for the tracking template, with a final URL of webex.com, but clicking the ad directs the user to monoo3at[.]com, where fingerprinting takes place and users are either directed to the malicious download page or to the official Webex site, depending on the result of that fingerprinting.
A web filter offers protection against malvertising by blocking access to known malicious websites such as the domain used in this campaign, restricting web activity to administrator-defined websites through category filtering, and blocking downloads of executable files. Administrators often block downloads of MSI files to protect against malware and to curb the installation of unauthorized software (shadow IT).
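The two defender-side checks implied by the preceding paragraphs, the display-domain versus landing-domain comparison for an ad click and the blocking of installer downloads from domains outside an administrator allowlist, as an added Python example. This is not code from the article or from TitanHQ: it parses a constructed proxy log (the log format, client IP addresses, paths and timestamps are made up; only the hostnames monoo3at.com and webexadvertisingoffer.com come from the article), reconstructs the redirect chain that follows a click, reports the first hop that leaves the advertised registrable domain, and flags MSI/EXE downloads from non-allowlisted domains. The registrable-domain helper approximates eTLD+1 as the last two host labels, an assumption that a production check would replace with the Public Suffix List.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urljoin, urlparse

# Constructed sample proxy log (not real telemetry), one request per line:
#   <timestamp> <client_ip> <url> <status> [location=<redirect target>]
# monoo3at.com and webexadvertisingoffer.com are the hosts named in the article;
# IP addresses, paths and timestamps are made up for this example.
SAMPLE_LOG = """\
2023-10-02T09:14:01Z 10.0.0.25 https://www.webex.com/ 200
2023-10-02T09:14:05Z 10.0.0.25 https://monoo3at.com/track?dev=win 302 location=https://webexadvertisingoffer.com/download
2023-10-02T09:14:05Z 10.0.0.25 https://webexadvertisingoffer.com/download 200
2023-10-02T09:14:09Z 10.0.0.25 https://webexadvertisingoffer.com/files/Webex.msi 200
2023-10-02T09:20:44Z 10.0.0.31 https://binaries.webex.com/Webex.msi 200
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<url>\S+) (?P<status>\d{3})"
                    r"(?: location=(?P<location>\S+))?$")
INSTALLER_EXTS = (".msi", ".exe", ".msix")


@dataclass
class Request:
    ts: str
    client: str
    url: str
    status: int
    location: Optional[str] = None


def parse_log(text: str) -> list:
    """Parse the simplified proxy log format above into Request records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unparseable log line: {line!r}")
        d = m.groupdict()
        records.append(Request(d["ts"], d["client"], d["url"], int(d["status"]), d["location"]))
    return records


def registrable_domain(url: str) -> str:
    """Approximate eTLD+1 as the last two host labels (assumption: wrong for
    multi-part public suffixes such as co.uk; use the Public Suffix List in practice)."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def follow_chain(records: list, start: int) -> list:
    """Reconstruct the redirect chain beginning at records[start]: each 3xx response
    carrying a location is linked to the same client's next request for that target."""
    current = records[start]
    chain = [current.url]
    i = start
    while 300 <= current.status < 400 and current.location:
        target = urljoin(current.url, current.location)  # resolves relative redirects
        nxt = next((j for j in range(i + 1, len(records))
                    if records[j].client == current.client and records[j].url == target), None)
        if nxt is None:
            chain.append(target)  # target never fetched in the log; still record it
            break
        i, current = nxt, records[nxt]
        chain.append(current.url)
    return chain


def audit_click(display_url: str, chain: list) -> dict:
    """Compare the advertised display URL with every hop the click actually took and
    report the first hop whose registrable domain differs from the advertised one."""
    advertised = registrable_domain(display_url)
    for hop, url in enumerate(chain):
        if registrable_domain(url) != advertised:
            return {"advertised": advertised, "leaves_at_hop": hop,
                    "final_url": chain[-1], "suspicious": True}
    return {"advertised": advertised, "leaves_at_hop": None,
            "final_url": chain[-1], "suspicious": False}


def off_brand_installer_downloads(records: list, allowed_domains: list) -> list:
    """Flag successful installer downloads whose registrable domain is not on the
    administrator allowlist, the kind of rule a web filter enforces."""
    allowed = {d.lower() for d in allowed_domains}
    findings = []
    for r in records:
        path = urlparse(r.url).path.lower()
        if r.status == 200 and path.endswith(INSTALLER_EXTS) \
                and registrable_domain(r.url) not in allowed:
            findings.append((r.client, r.url))
    return findings


if __name__ == "__main__":
    reqs = parse_log(SAMPLE_LOG)
    chain = follow_chain(reqs, 1)  # the request made when the ad was clicked
    print(audit_click("https://www.webex.com/", chain))
    print(off_brand_installer_downloads(reqs, ["webex.com"]))
```

Run against the sample log, the click chain leaves the advertised webex.com domain at its very first hop (the tracking-template host), and the only installer download flagged is the one from webexadvertisingoffer.com; the MSI fetched from a webex.com subdomain passes the allowlist.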
Security awareness training should also teach employees not to download files from unofficial websites. While the advert in this case is indistinguishable from the genuine site, the site offering the malicious installation package is not the official vendor site and the download can therefore be avoided.
TitanHQ can help businesses defend against malvertising through a combination of the WebTitan web filter and the SafeTitan security awareness training platform. Both solutions are available in a free trial, and product demonstrations can be arranged by calling the sales team.
Now that Microsoft has improved protection against malicious macros by blocking them in Internet-delivered files by default, cybercriminals have had to explore other methods of distributing links to malicious websites hosting malware. There has been an increase in the use of malvertising to target web users and trick them into downloading malicious files, and SMS and instant messaging services are increasingly being used for distributing malware, which bypasses Microsoft’s macro protections and email security defenses.
One such campaign that is proving extremely effective is being conducted via Facebook Messenger and was recently detected by researchers at Guardio Labs. The campaign targets business users and tricks employees into downloading a compressed archive (RAR/ZIP) containing a batch file that delivers a GitHub-hosted malware dropper. The dropper delivers Python-based malware and creates a standalone Python environment for the malware to operate in. The malware binary is set to execute at system startup and has multiple layers of obfuscation, making it difficult for anti-virus solutions to detect once installed.
The malware is an information stealer capable of obtaining cookies and passwords stored in the browser, which are collected, compressed into a zip archive, and then sent to the attacker via the Telegram or Discord bot API. Once cookies and browser data have been stolen, the malware wipes the cookies, logging the user out of their account. The stolen credentials are then used to log in to the accounts, and the passwords are changed to lock the legitimate user out, giving the attacker time to misuse the accounts.
The campaign has proven to be highly effective. Around 100,000 phishing messages are being sent each week, and the researchers believe that around 7% of business Facebook accounts have been targeted, with 0.4% of business accounts downloading the malicious file. The number of users that have executed the batch file is unknown, but the researchers suggest that around 1 in every 250 accounts has been infected.
One of the ways that businesses can protect against this attack is by using the WebTitan web filter. Facebook Messenger poses a security risk to businesses and can be a major drain on productivity, which is why many businesses block Facebook Messenger at work. WebTitan can be configured to block Facebook and Messenger, or to permit access to the Facebook site while blocking Facebook Messenger. Controls can be applied organization-wide, to user groups, or to specific users.
India is experiencing a surge in cyberattacks. Data from Check Point Research show there was an 18% increase in weekly cyberattacks in Q1 2023, compared to a 7% rise globally, and the Asia-Pacific region has seen the highest year-over-year increase in cyberattacks globally, with attacks up 16% this year. Cybercriminals commonly exploit software vulnerabilities to gain initial access to business networks, but the majority of attacks target employees, with phishing being one of the leading initial access vectors.
Indian businesses need to implement advanced defenses to combat increasingly sophisticated cyberattacks targeting their employees and there is considerable demand for AI-driven email security and web security solutions that are capable of detecting and blocking known and zero-day threats. Many Indian businesses turn to their managed service providers to protect them against phishing, malware, and other cyber threats, and MSPs need to ensure they have solutions that can protect them.
Tata Tele Business Services (TTBS) is the leading provider of business connectivity and communications solutions in India and has the largest portfolio of ICT services in the country. TTBS provides a range of cybersecurity solutions to Indian SMBs, with phishing protection offered through its Tata Tele Email Security Plus Program and web security provided through the Tata Tele Smart Internet Program. Through these two programs, TTBS is able to deliver advanced threat protection against the main initial access vectors.
Those cybersecurity programs have now been bolstered through a new partnership with TitanHQ that has seen SpamTitan Email Security and WebTitan DNS Filtering added to its cybersecurity packages. These two 100% cloud-based cybersecurity solutions have been developed to meet the needs of MSPs of all sizes and allow them to easily incorporate AI-driven phishing and malware protection into their service stacks. SpamTitan Email Security is a multi-award-winning email security solution that delivers cutting-edge protection against spam, phishing, business email compromise, and email-based malware attacks. The solution is easy to implement and use and requires minimal IT support, making it an ideal choice for MSPs who want to improve email security for their clients without having to commit substantial resources to management.
WebTitan is a DNS-based web filtering solution that can be used to carefully control the websites that employees can access. The solution is fed threat intelligence from a network of 650 million endpoints and ensures that malicious web content is blocked and malware downloads are prevented. “We are delighted to partner with TitanHQ to offer Tata Tele Email Security, an advanced email security solution that is in line with the Zero Trust security agenda of enterprises,” said Vishal Rally, Sr. VP & Head – Product, Marketing and Commercial, Tata Teleservices Ltd. “As a leading technology enabler, TTBS is committed to simplifying and democratizing email security for businesses of any size. This partnership will ensure the protection of enterprise sensitive data efficiently and cost-effectively.”
If you are an MSP looking to add cybersecurity solutions to your service stack, or if you want to improve the protection you provide to your clients with affordable cybersecurity solutions, give the TitanHQ team a call to find out more about the TitanHQ Partner Program. Through the TitanHQ Partner Program, you can add email security, web security, email encryption, email archiving, and security awareness training and phishing simulations to your service stack and deliver protection to your clients with ease.