PSA: Ongoing Webex malvertising campaign drops BatLoader

A malvertising campaign impersonating Cisco Webex targets corporate users searching for the software and delivers BatLoader to anyone who clicks the ad. BatLoader is an evasive loader that fetches DanaBot as a secondary payload; the campaign stays live by fingerprinting visitors (Google Ads tracking templates plus sandbox checks) and sending anyone who does not look like a real target to a benign decoy site instead of the malicious one. #BatLoader #DanaBot #Webex #GoogleAds #Firebase #monoo3at #webexadvertisingoffer

Keypoints

  • Threat actors run a malvertising campaign that impersonates a well-known brand to distribute malware.
  • The malicious ad appears in Google search results before the organic Webex results and uses brand impersonation to look legitimate.
  • Tracking templates and sandbox checks fingerprint visitors and determine whether to deliver a benign redirect or the actual malicious site.
  • Clicking the ad leads to a malicious site delivering BatLoader, a highly evasive loader designed to bypass many sandboxes and AV products.
  • BatLoader downloads a secondary payload (DanaBot) from its C2 server in encrypted form and decrypts it on disk with OpenSSL, so the payload never crosses the network in cleartext.
  • Malvertising provides initial access that can lead to credential harvesting, pentesting-style intrusion, or ransomware deployment, reinforcing the need for EDR/MDR defenses.
  • Indicators of compromise include the cloaking infrastructure domain, a decoy site, the BatLoader installer hashes, and DanaBot indicators; Google says it has taken action against the malicious advertiser accounts.

MITRE Techniques

  • [T1189] Drive-by Compromise – Malvertising drives BatLoader to victims via deceptive ads; “The malicious ad has been online for almost one week” and “threat actors are impersonating well-known brands to distribute malware.”
  • [T1036] Masquerading – The ad impersonates Cisco/Webex branding to look legitimate; “impersonating well-known brands to distribute malware.”
  • [T1497] Virtualization/Sandbox Evasion – The MSI contains anti-sandbox features and will only execute in certain environments; “anti-sandbox features and will only execute in certain environments.”
  • [T1140] Deobfuscate/Decode Files or Information – BatLoader downloads the payload in encrypted form and decrypts it on disk with OpenSSL (the encrypted transfer itself is T1027 Obfuscated Files or Information); “downloaded from BatLoader’s command and control server in encrypted format” and “decrypted on disk using openssl.”
  • [T1105] Ingress Tool Transfer – The dropped payload is downloaded from BatLoader’s command and control server in encrypted format, enabling subsequent execution; “That dropped malware is DanaBot… decrypted on disk…”
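The decryption step described above (payload fetched encrypted, then decrypted on disk with OpenSSL) is a good hunting hook, because openssl.exe being spawned from an installer chain to write an executable is rare on end-user machines. The following is an added example, not code from Malwarebytes or the BatLoader analysis: it scores process-creation events for that pattern. The log layout (key=value lines), the field names, the trusted-path list and the exact openssl command line are all assumptions; the write-up only states that the payload is "decrypted on disk using openssl".

```python
import re
from dataclasses import dataclass

# Constructed Sysmon-Event-1-style lines (assumption: the pipeline flattens
# process-creation events to key=value; adapt parse_line() for your SIEM).
# The openssl command line below is an assumption, not one observed in the campaign.
SAMPLE_LOG = r"""
ts=2023-09-05T10:01:02Z image=C:\Windows\System32\msiexec.exe cmdline="msiexec /i C:\Users\bob\Downloads\Installer90.2.msi /qn" parent=C:\Windows\explorer.exe
ts=2023-09-05T10:01:09Z image=C:\ProgramData\Webex\openssl.exe cmdline="openssl enc -aes-256-cbc -d -in C:\ProgramData\Webex\tmp.dat -out C:\ProgramData\Webex\update.exe -k s3cret" parent=C:\Windows\System32\msiexec.exe
ts=2023-09-05T10:15:33Z image="C:\Program Files\Git\usr\bin\openssl.exe" cmdline="openssl x509 -in cert.pem -noout -text" parent=C:\Windows\System32\cmd.exe
ts=2023-09-05T10:20:00Z image=C:\Tools\openssl.exe cmdline="openssl enc -d -aes-256-cbc -in backup.enc -out backup.sql -pass file:key" parent=C:\Windows\System32\cmd.exe
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Assumed locations where an openssl.exe is expected (Git, OpenSSL installs, OS).
TRUSTED_PREFIXES = (r"c:\program files", r"c:\windows\system32")


@dataclass
class ProcEvent:
    ts: str
    image: str
    cmdline: str
    parent: str


def parse_line(line: str) -> ProcEvent:
    """Parse one key=value line; quoted values may contain spaces."""
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in KV_RE.finditer(line)}
    return ProcEvent(fields["ts"], fields["image"], fields["cmdline"], fields["parent"])


def score_event(ev: ProcEvent) -> tuple[int, list[str]]:
    """Return (score, reasons). Only openssl 'enc -d' invocations score at all."""
    tokens = ev.cmdline.split()
    if not (ev.image.lower().endswith("openssl.exe") and "enc" in tokens and "-d" in tokens):
        return 0, []
    score, reasons = 1, ["openssl enc -d"]
    # Decryption spawned by the Windows Installer is the BatLoader-specific signal.
    if ev.parent.lower().endswith(r"\msiexec.exe"):
        score += 2
        reasons.append("spawned by msiexec.exe")
    # Decrypting straight into a PE is more suspicious than into data files.
    if "-out" in tokens:
        i = tokens.index("-out")
        if i + 1 < len(tokens) and tokens[i + 1].lower().endswith((".exe", ".dll")):
            score += 1
            reasons.append(f"writes executable {tokens[i + 1]}")
    if not ev.image.lower().startswith(TRUSTED_PREFIXES):
        score += 1
        reasons.append(f"openssl outside trusted path: {ev.image}")
    return score, reasons


def hunt_openssl_decrypt(log_text: str, threshold: int = 3) -> list[dict]:
    """Return events whose score reaches the threshold (3 keeps lone admin use quiet)."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"ts": ev.ts, "score": score, "reasons": reasons, "cmdline": ev.cmdline})
    return hits


if __name__ == "__main__":
    for h in hunt_openssl_decrypt(SAMPLE_LOG):
        print(h["ts"], h["score"], "; ".join(h["reasons"]))
```

Only the msiexec-spawned decryption that writes an .exe crosses the threshold; the Git-bundled x509 call and an admin decrypting a backup with the same `enc -d` syntax do not, which is the point of scoring rather than matching on `openssl` alone.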

Indicators of Compromise

  • [Domain] Cloaking infrastructure – monoo3at[.]com
  • [Domain] Decoy site – webexadvertisingoffer[.]com
  • [IP Address] 206.71.149[.]46, 91.199.147[.]226
  • [URL] BatLoader installer path – fugas[.]site/debug/Installer90.2.msi
  • [File Hash] BatLoader – 2727a418f31e8c0841f8c3e79455067798a1c11c2b83b5c74d2de4fb3476b654
  • [File Hash] BatLoader – 7a1245584c0a12186aa7228c75a319ca7f57e7b0db55c1bd9b8d7f9b397bfac8
  • [Domain] DanaBot C2 indicator – updatecorporatenetworks[.]ru
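To act on the list above you need to refang the indicators and sweep proxy, DNS and EDR data for them, matching subdomains of the listed domains but not look-alike hosts. The block below is an added example, not tooling from the Malwarebytes write-up; the log lines are constructed (a generic proxy/DNS/EDR text format is assumed) and the only real data in it are the IOCs as published on this page.

```python
import re

# IOCs exactly as published above, still defanged.
RAW_IOCS = {
    "domain": ["monoo3at[.]com", "webexadvertisingoffer[.]com", "updatecorporatenetworks[.]ru"],
    "ip": ["206.71.149[.]46", "91.199.147[.]226"],
    "url": ["fugas[.]site/debug/Installer90.2.msi"],
    "sha256": [
        "2727a418f31e8c0841f8c3e79455067798a1c11c2b83b5c74d2de4fb3476b654",
        "7a1245584c0a12186aa7228c75a319ca7f57e7b0db55c1bd9b8d7f9b397bfac8",
    ],
}

# Constructed sample lines (assumed free-text proxy, DNS and EDR records).
SAMPLE_LOG = r"""
2023-09-05T09:58:10Z 10.1.2.3 GET https://www.google.com/search?q=webex+download 200
2023-09-05T09:58:14Z 10.1.2.3 GET https://monoo3at.com/click?gclid=abc123 302
2023-09-05T09:58:15Z 10.1.2.3 GET https://webexadvertisingoffer.com/ 200
2023-09-05T09:58:40Z 10.1.2.3 GET https://fugas.site/debug/Installer90.2.msi 200
2023-09-05T10:02:05Z 10.1.2.3 CONNECT 206.71.149.46:443 200
2023-09-05T10:05:00Z dns client=10.1.2.3 query=cdn.updatecorporatenetworks.ru type=A
2023-09-05T10:06:00Z 10.1.2.4 GET https://www.webex.com/downloads.html 200
2023-09-05T10:07:00Z 10.1.2.3 GET https://notmonoo3at.com/ 200
2023-09-05T10:01:30Z edr host=WS-042 file=C:\Users\bob\Downloads\Installer90.2.msi sha256=2727A418F31E8C0841F8C3E79455067798A1C11C2B83B5C74D2DE4FB3476B654
"""


def refang(s: str) -> str:
    """Undo the [.] / hxxp defanging and normalise case for matching."""
    return s.replace("[.]", ".").replace("hxxp", "http").lower()


IOCS = {kind: {refang(v) for v in vals} for kind, vals in RAW_IOCS.items()}

HOST_RE = re.compile(r"\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")


def host_matches(host: str, domain: str) -> bool:
    """Exact domain or a subdomain of it; 'notmonoo3at.com' must not match."""
    return host == domain or host.endswith("." + domain)


def sweep(log_text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, ioc_kind, ioc) for every IOC seen in the log."""
    hits = []
    for n, raw in enumerate(log_text.strip().splitlines(), 1):
        line = raw.lower()
        seen = set()
        for host in HOST_RE.findall(line):
            for d in IOCS["domain"]:
                if host_matches(host, d):
                    seen.add(("domain", d))
        for ip in IPV4_RE.findall(line):
            if ip in IOCS["ip"]:
                seen.add(("ip", ip))
        for u in IOCS["url"]:
            if u in line:
                seen.add(("url", u))
        for h in SHA256_RE.findall(line):
            if h in IOCS["sha256"]:
                seen.add(("sha256", h))
        hits.extend((n, kind, val) for kind, val in sorted(seen))
    return hits


if __name__ == "__main__":
    for n, kind, val in sweep(SAMPLE_LOG):
        print(f"line {n}: {kind} {val}")
```

The sweep flags the cloaking domain, the decoy site, the installer URL, the C2 IP, a subdomain of the DanaBot C2 domain, and the uppercase-hashed installer on the EDR line, while leaving the Google search, the real webex.com visit and the look-alike host alone. In production, run it over the hours before and after any hit on the installer hash, since that marks the host where BatLoader actually ran.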

Read more: https://www.malwarebytes.com/blog/threat-intelligence/2023/09/ongoing-webex-malvertising-drops-batloader