Suspected Mexico-based threat actors have been deploying the BatLoader malware through an ongoing malvertising campaign that uses a fake Cisco Webex ad appearing at the top of Google search results, according to BleepingComputer.
The malicious ad was built by exploiting a loophole in the Google Ad platform's tracking templates that allowed redirection at will while still adhering to Google policy. Clicking it redirects targets to the "webexadvertisingoffer[.]com" website, a Malwarebytes report revealed.
Researchers added that clicking the download buttons on the site prompts PowerShell command execution and installation of the BatLoader malware, which then triggers retrieval and execution of the DanaBot banking trojan.
Aside from facilitating password theft and screenshot capture, DanaBot also conceals malicious command-and-control server traffic, provides direct access to impacted hosts, and enables further loading of ransomware modules, said the report. Google has already been notified of the malvertising campaign and noted its commitment to combating malicious ads.
"We've reviewed the ads in question and have taken appropriate action against the associated accounts," said a Google spokesperson.