Threat Overview
A sophisticated cybercrime operation involving malicious advertising (malvertising) has been discovered by Malwarebytes and CyberHunter_NL. The threat actors target users searching for ‘cisco anyconnect’ by displaying a convincing Google ad whose displayed URL mimics a legitimate Cisco domain.
Attack Vector
– Malicious Ad: The attack begins with a sponsored Google ad that appears when users search for ‘cisco anyconnect’.
– Server-Side Checks: Upon clicking the ad, server-side checks (cloaking) use the visitor's IP address and network characteristics to decide whether the visitor is a potential victim or a researcher, crawler, or sandbox.
– Decoy Website: Visitors who fail the checks are shown a harmless decoy site built from content copied from the website of Technische Universität Dresden (TU Dresden).
– Malware Payload: Real victims are redirected to a phishing site impersonating the Cisco AnyConnect (Cisco Secure Client) download page, where they download a malicious installer. The installer delivers client32.exe, the NetSupport RAT client executable.
Indicators of Compromise
– Malvertising Infrastructure: anyconnect-secure-client[.]com, cisco-secure-client[.]com[.]vissnatech[.]com
– NetSupport RAT Download: berrynaturecare[.]com/wp-admin/images/cisco-secure-client-win-5[.]0[.]05040-core-vpn-predeploy-k9[.]exe (SHA-256: 78e1e350aa5525669f85e6972150b679d489a3787b6522f278ab40ea978dd65d; the hash is 64 hex characters, so it is a SHA-256 digest, not MD5)
– NetSupport RAT Command and Control (C2) Domains: monagpt[.]com, mtsalesfunnel[.]com
– NetSupport RAT C2 URLs (IP-based): 91.222.173[.]67/fakeurl.htm and 199.188.200[.]195/fakeurl.htm
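The indicators above are only useful if they are actually checked against telemetry. The following script is an added example (not code from Malwarebytes, CyberHunter_NL or this advisory) that refangs the IOCs exactly as listed, sweeps a web-proxy log for connections to the malvertising, download and C2 infrastructure, and compares a file's SHA-256 digest to the published hash. The log line format (timestamp, source IP, method, URL) and the log lines themselves are constructed for the example; adapt the regular expression to your proxy's real format.

```python
import hashlib
import ipaddress
import re
from urllib.parse import urlparse

# IOCs copied verbatim from the advisory, still in defanged form.
DEFANGED_DOMAINS = [
    "anyconnect-secure-client[.]com",
    "cisco-secure-client[.]com[.]vissnatech[.]com",
    "berrynaturecare[.]com",
    "monagpt[.]com",
    "mtsalesfunnel[.]com",
]
DEFANGED_IPS = ["91.222.173[.]67", "199.188.200[.]195"]
PAYLOAD_SHA256 = "78e1e350aa5525669f85e6972150b679d489a3787b6522f278ab40ea978dd65d"


def refang(ioc: str) -> str:
    """Turn the defanged advisory form ('[.]', 'hxxp') back into a matchable value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


DOMAINS = {refang(d).lower() for d in DEFANGED_DOMAINS}
IPS = {ipaddress.ip_address(refang(i)) for i in DEFANGED_IPS}


def domain_matches(host: str) -> bool:
    """True if host equals an IOC domain or is a subdomain of one.

    Matching on the parent label (e.g. vissnatech.com) is deliberately NOT done:
    only the listed FQDN is an indicator, the registrable domain may be a
    legitimate site the attacker abused or merely parked under.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DOMAINS)


def check_url(url: str):
    """Return a short reason string if the URL touches IOC infrastructure, else None."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""
    try:
        if ipaddress.ip_address(host) in IPS:
            return f"C2 IP {host}"
    except ValueError:
        pass  # host is a name, not an IP literal
    if domain_matches(host):
        return f"IOC domain {host}"
    return None


# Assumed log format for this example: "<timestamp> <client-ip> <method> <url>".
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)")


def scan_proxy_log(lines):
    """Return (client_ip, url, reason) for every line that hits an IOC."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        reason = check_url(m.group("url"))
        if reason:
            hits.append((m.group("src"), m.group("url"), reason))
    return hits


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_known_payload(data: bytes) -> bool:
    """Compare a candidate installer's contents with the advisory's SHA-256."""
    return sha256_of(data) == PAYLOAD_SHA256


# Constructed sample log: one host that followed the whole chain, one clean host.
SAMPLE_LOG = [
    "2024-01-15T10:12:03Z 10.0.0.14 GET https://www.google.com/search?q=cisco+anyconnect",
    "2024-01-15T10:12:09Z 10.0.0.14 GET https://anyconnect-secure-client.com/",
    "2024-01-15T10:12:41Z 10.0.0.14 GET https://berrynaturecare.com/wp-admin/images/cisco-secure-client-win-5.0.05040-core-vpn-predeploy-k9.exe",
    "2024-01-15T10:13:20Z 10.0.0.14 POST http://91.222.173.67/fakeurl.htm",
    "2024-01-15T10:14:00Z 10.0.0.22 GET https://www.cisco.com/",
]

if __name__ == "__main__":
    for src, url, reason in scan_proxy_log(SAMPLE_LOG):
        print(f"{src}\t{reason}\t{url}")
    print("payload match:", is_known_payload(b"not the payload"))
```

The sweep flags the ad-click domain, the installer download and the first C2 beacon from 10.0.0.14 and nothing from 10.0.0.22; a real hunt should also query DNS resolver logs, since the NetSupport client resolves the C2 domains even when the proxy is bypassed.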
Recommendations
– Be cautious when downloading programs, especially from sponsored search results; go to the vendor's known download page directly rather than clicking an ad.
– Keep systems and software up-to-date with the latest security patches.
– Use reliable antivirus or EDR solutions, block the domains, URLs and hash listed above, and review proxy and DNS logs for contact with them.
Source(s)