University site cloned to evade ad detection distributes fake Cisco installer

This article discusses the methods used by attackers in the online advertising sector, particularly through malvertising campaigns. It highlights a specific case involving a fake Google ad for Cisco AnyConnect that redirected users to a phishing site and ultimately distributed the NetSupport RAT Trojan. Attackers employed clever disguises, such as impersonating a legitimate university, while relying on newly registered domains to bypass detection systems. The piece concludes with recommendations for users to be cautious about sponsored ads when downloading software.

Affected: online advertising, cybersecurity, IT sector, educational institutions

Key points:

  • Attackers create fake identities or steal real ones to propagate malicious ads.
  • Malvertisers use decoys, referred to as ‘white pages,’ to fool advertising platforms.
  • A specific case involving a fake ad for Cisco AnyConnect demonstrates the attack vector.
  • Attackers impersonated a legitimate German university to evade detection.
  • Victims were redirected to a phishing website instead of the malicious installer.
  • The malicious installer was digitally signed and named after a legitimate Cisco application.
  • Real victims were infected with the NetSupport RAT, granting remote access to attackers.
  • Threat actors increasingly rely on AI-generated fake pages to overcome detection systems.
  • Best practices include being cautious about sponsored results when downloading programs.

MITRE Techniques:

  • TA0001: Initial Access – The attackers used social engineering through ad impersonation to lure victims.
  • TA0011: Command and Control – The NetSupport RAT established connections to the IP addresses 91.222.173[.]67 and 199.188.200[.]195 for remote control.
  • TA0043: Credential Access – By impersonating a legitimate service, attackers aimed to harvest credentials from unsuspecting users.
  • TA0007: Discovery – The attackers utilized server-side scripts to differentiate between legitimate users and bots.

Indicators of Compromise:

  • [Domain] anyconnect-secure-client[.]com
  • [Domain] cisco-secure-client[.]com
  • [Domain] vissnatech[.]com
  • [IP Address] 91.222.173[.]67
  • [IP Address] 199.188.200[.]195
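The indicators above are published defanged (`[.]`), so they have to be normalized before they can be compared against proxy, DNS or firewall telemetry. The following script is an added example written for this summary; it is not code from the Malwarebytes article. It refangs the listed domains and IPs, then scans log lines for exact-host, subdomain or IP matches. The log format is a constructed, simplified one (timestamp, client IP, event, target), and the sample lines and the `/download/installer.exe` path are invented placeholders, not observed artifacts.

```python
import re
from typing import Iterable, List, Tuple

# Indicators from the report above, in the defanged form they are published in.
DEFANGED_IOCS = [
    "anyconnect-secure-client[.]com",
    "cisco-secure-client[.]com",
    "vissnatech[.]com",
    "91.222.173[.]67",
    "199.188.200[.]195",
]

# Candidate extraction is deliberately loose (it will also pull out things like
# "installer.exe"); only a comparison against the IoC list raises an alert.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into its matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def scan_line(line: str, domains: List[str], ips: set) -> set:
    """Return the set of IoCs that the given log line touches."""
    hits = set()
    for host in HOST_RE.findall(line):
        host = host.lower()
        for d in domains:
            # Match the domain itself or any subdomain of it, never a
            # lookalike such as "cisco.com" vs "cisco-secure-client.com".
            if host == d or host.endswith("." + d):
                hits.add(d)
    for ip in IPV4_RE.findall(line):
        if ip in ips:
            hits.add(ip)
    return hits


def scan_log(lines: Iterable[str], iocs=DEFANGED_IOCS) -> List[Tuple[int, List[str], str]]:
    """Scan log lines; return (line number, sorted IoC hits, line) per match."""
    refanged = [refang(i) for i in iocs]
    ips = {i for i in refanged if IPV4_RE.fullmatch(i)}
    domains = [i for i in refanged if i not in ips]
    alerts = []
    for n, line in enumerate(lines, 1):
        hits = scan_line(line, domains, ips)
        if hits:
            alerts.append((n, sorted(hits), line.rstrip()))
    return alerts


# Constructed sample telemetry: lines 1-3 are a hypothetical victim host
# resolving, downloading from and then connecting to the reported infrastructure;
# lines 4-5 are benign traffic to the real vendor that must not alert.
SAMPLE_LOG = """\
2025-02-20T10:15:30Z 10.0.0.12 DNS A login.vissnatech.com
2025-02-20T10:15:32Z 10.0.0.12 GET https://login.vissnatech.com/download/installer.exe 200
2025-02-20T10:16:01Z 10.0.0.12 TCP 91.222.173.67:443 ESTABLISHED
2025-02-20T10:16:05Z 10.0.0.44 GET https://www.cisco.com/c/en/us/support/index.html 200
2025-02-20T10:16:09Z 10.0.0.44 DNS A software.cisco.com
"""

if __name__ == "__main__":
    for lineno, hits, text in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {lineno}: {', '.join(hits)} <- {text}")
```

Subdomain matching matters here because the campaign's landing pages sat on freshly registered domains whose hostnames can vary, while the benign `cisco.com` lines show that suffix matching alone would be far too broad; the script matches only the registered IoC or a label underneath it.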

Full Story: https://www.malwarebytes.com/blog/cybercrime/2025/02/university-site-cloned-to-evade-ad-detection-distributes-fake-cisco-installer