September 13, 2023 By Jérôme Segura
A new malvertising campaign is targeting corporate users who are downloading the popular web conferencing software Webex. Threat actors have bought an advert that impersonates Cisco's brand and is displayed first when performing a Google search.
We are releasing this blog to warn users about this threat as the malicious ad has been online for almost one week. The malware being used in this campaign is BatLoader, a type of loader that is very good at evading detection.
Note that Webex has not been compromised, this is a malicious campaign where threat actors are impersonating well-known brands to distribute malware.
Ad campaign details
For the past several days, we saw the same malicious ad whenever we searched for Webex. The advert is shown to users before the organic result and yet looks even more genuine as it is displaying the brand's logo:
In fact, the ad looks entirely legitimate as it not only uses the Webex logo but also shows the official website. Yet, clicking on the menu to the right of the ad shows more details and reveals the advertiser as an individual from Mexico, quite unlikely to be related to Cisco: