A fake Google ad for Cisco Webex is almost indistinguishable from the authentic advertisement from Cisco. The fake ad uses the real Webex logo and displays a legitimate URL (webex.com) as its click destination.
If a visitor goes to the fake Webex page and clicks the “download” button, they receive an MSI installer. The installer spawns several processes and runs PowerShell commands to install the BatLoader malware. The loader ultimately retrieves, decrypts and executes an additional DanaBot malware payload that can steal passwords and do other damage.
Impact
This threat is of medium severity. However, the fake ad currently ranks in the highest position in Google Search results for the search term “webex.”
DXC perspective
Users should be instructed to download business-approved software only. Even then, they should download software only from company-approved repositories. In addition, DXC recommends that security teams monitor alerts for malware execution and deployment attempts.
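One way to monitor for the execution pattern described above (an MSI installer whose process tree runs PowerShell), shown as an added example that is not DXC's or any vendor's own detection logic. The event field names, file names and sample events are constructed assumptions, loosely modelled on process-creation telemetry from an EDR or Sysmon-style log.

```python
from ntpath import basename  # parses Windows paths on any platform

# Constructed sample process-creation events; field names are assumptions.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\u\Downloads\installer.msi"'},
    {"pid": 210, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c step.bat"},
    {"pid": 220, "ppid": 210,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File step.ps1"},
    # Interactive PowerShell started from the desktop: must not alert.
    {"pid": 300, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
]

SHELLS = {"powershell.exe", "pwsh.exe"}
INSTALLERS = {"msiexec.exe"}

def proc_name(event):
    return basename(event["image"]).lower()

def ancestry(event, by_pid, max_depth=16):
    """Return parent, grandparent, ... stopping on gaps, loops or max_depth."""
    chain, seen = [], {event["pid"]}
    parent = by_pid.get(event["ppid"])
    while parent and parent["pid"] not in seen and len(chain) < max_depth:
        chain.append(parent)
        seen.add(parent["pid"])
        parent = by_pid.get(parent["ppid"])
    return chain

def find_installer_powershell(events):
    """Flag PowerShell processes that have an MSI installer as an ancestor."""
    by_pid = {e["pid"]: e for e in events}  # assumes no PID reuse in window
    alerts = []
    for event in events:
        if proc_name(event) not in SHELLS:
            continue
        chain = ancestry(event, by_pid)
        for depth, anc in enumerate(chain, start=1):
            if proc_name(anc) in INSTALLERS:
                path = [proc_name(p) for p in reversed(chain[:depth])]
                alerts.append({"pid": event["pid"], "installer_pid": anc["pid"],
                               "depth": depth, "cmdline": event["cmdline"],
                               "path": path + [proc_name(event)]})
                break
    return alerts
```

Some legitimate installers also call PowerShell, so a match is a triage signal to correlate with the download source and command line rather than a verdict.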