Malvertising Threat Report: Fake Cisco Installer Distributes NetSupport RAT

Threat Overview

A sophisticated cybercrime operation involving malicious advertising (malvertising) has been discovered by Malwarebytes and CyberHunter_NL. The threat actors target users searching for ‘cisco anyconnect’ with a convincing Google ad whose displayed URL mimics a legitimate Cisco domain.

Attack Vector

Malicious Ad: The attack begins with a malicious Google ad that appears when users search for ‘cisco anyconnect’.

Decoy Website: Attackers used content from the website of Technische Universität Dresden (TU Dresden) to create a convincing decoy site.

Server-Side Checks: Upon clicking the ad, server-side checks determine if the user is a potential victim based on their IP address and network settings.

Malware Payload: Real victims are redirected to a phishing site impersonating the Cisco AnyConnect download page, where they download a malicious installer that delivers the NetSupport RAT (whose client executable is client32.exe).

Indicators of Compromise

– Malvertising Infrastructure: anyconnect-secure-client[.]com, cisco-secure-client[.]com[.]vissnatech[.]com

– NetSupport RAT Download: berrynaturecare[.]com/wp-admin/images/cisco-secure-client-win-5[.]0[.]05040-core-vpn-predeploy-k9[.]exe (SHA-256: 78e1e350aa5525669f85e6972150b679d489a3787b6522f278ab40ea978dd65d)

– NetSupport RAT Command and Control (C2) Servers: monagpt[.]com, mtsalesfunnel[.]com

– IP-based URLs: 91.222.173[.]67/fakeurl.htm and 199.188.200[.]195/fakeurl.htm (the /fakeurl.htm path is the NetSupport gateway endpoint the RAT posts to)
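The indicators above are only useful once they are matched against telemetry. The following Python script is an added example (it is not code from Malwarebytes, CyberHunter_NL or ESSGroup): it refangs the published IOCs, runs them over a few constructed proxy log lines in an assumed "timestamp client method url status" format, matches domains including their subdomains, and checks a file's SHA-256 against the hash in the report. The "netsupport_gateway_heuristic" rule is my own addition, not a report IOC: it flags POSTs to /fakeurl.htm on any host, which will also fire on legitimate NetSupport Manager deployments.

```python
import hashlib
import re
from urllib.parse import urlparse

# Indicators exactly as published in the report (defanged); refanged at load time.
MALVERTISING_DOMAINS = [
    "anyconnect-secure-client[.]com",
    "cisco-secure-client[.]com[.]vissnatech[.]com",
]
DOWNLOAD_URLS = [
    "berrynaturecare[.]com/wp-admin/images/"
    "cisco-secure-client-win-5[.]0[.]05040-core-vpn-predeploy-k9[.]exe",
]
C2_DOMAINS = ["monagpt[.]com", "mtsalesfunnel[.]com"]
C2_URLS = ["91.222.173[.]67/fakeurl.htm", "199.188.200[.]195/fakeurl.htm"]
INSTALLER_SHA256 = "78e1e350aa5525669f85e6972150b679d489a3787b6522f278ab40ea978dd65d"


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def split_host_path(url: str):
    """Return (host, path) for a URL; a scheme is prepended if the indicator has none."""
    if "://" not in url:
        url = "http://" + url
    parsed = urlparse(url)
    return (parsed.hostname or "").lower(), parsed.path or "/"


# Lookup tables built once: domain -> label, (host, path) -> label.
DOMAIN_IOCS = {refang(d): "malvertising_domain" for d in MALVERTISING_DOMAINS}
DOMAIN_IOCS.update({refang(d): "netsupport_c2_domain" for d in C2_DOMAINS})
URL_IOCS = {split_host_path(refang(u)): "netsupport_download" for u in DOWNLOAD_URLS}
URL_IOCS.update({split_host_path(refang(u)): "netsupport_c2_url" for u in C2_URLS})


def domain_hit(host: str):
    """Exact or subdomain match against the domain indicators.

    Subdomain matching matters: the actors could stand up further hosts
    under the same indicator, and an exact-match blocklist would miss them."""
    for ioc, label in DOMAIN_IOCS.items():
        if host == ioc or host.endswith("." + ioc):
            return label
    return None


# Assumed log format (not from the report): "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def scan_log(log_text: str):
    """Return (client_ip, label, url) for every line that touches an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than crash the sweep
        host, path = split_host_path(m["url"])
        label = URL_IOCS.get((host, path)) or domain_hit(host)
        if not label and m["method"] == "POST" and path == "/fakeurl.htm":
            # Heuristic (my addition, not a report IOC): /fakeurl.htm is the
            # NetSupport gateway endpoint, so POSTs to it from hosts outside a
            # sanctioned NetSupport deployment deserve a look.
            label = "netsupport_gateway_heuristic"
        if label:
            hits.append((m["client"], label, m["url"]))
    return hits


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_known_installer(data: bytes) -> bool:
    """True if the bytes are the installer listed in the report (SHA-256 match)."""
    return sha256_hex(data) == INSTALLER_SHA256


# Constructed proxy log excerpt for demonstration; not real telemetry.
SAMPLE_LOG = """\
2025-02-05T09:14:02Z 10.0.0.21 GET https://www.cisco.com/ 200
2025-02-05T09:15:40Z 10.0.0.21 GET https://cisco-secure-client.com.vissnatech.com/ 200
2025-02-05T09:16:03Z 10.0.0.21 GET https://berrynaturecare.com/wp-admin/images/cisco-secure-client-win-5.0.05040-core-vpn-predeploy-k9.exe 200
2025-02-05T09:18:11Z 10.0.0.21 POST http://91.222.173.67/fakeurl.htm 200
2025-02-05T09:18:12Z 10.0.0.21 POST http://monagpt.com/fakeurl.htm 200
2025-02-05T09:19:30Z 10.0.0.34 POST http://203.0.113.9/fakeurl.htm 200
2025-02-05T09:20:00Z 10.0.0.34 GET https://tu-dresden.de/ 200
"""

if __name__ == "__main__":
    for client, label, url in scan_log(SAMPLE_LOG):
        print(f"{client}\t{label}\t{url}")
    print("empty-input sha256 check:", is_known_installer(b""))
```

In the constructed log the first client walks the whole chain (decoy domain, installer download, C2 check-ins) while the second only trips the gateway heuristic, which is the kind of lead that needs a second source (the process that made the POST, or the file hash of what it ran) before it is treated as an infection.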

Recommendations

– Download software only from the vendor's official site (for Cisco Secure Client, cisco.com) and treat sponsored search results with suspicion: the URL shown in an ad can be made to look like the real domain, so check the address bar after the redirect, not the ad text.

– Keep systems and software up-to-date with the latest security patches.

– Use reliable endpoint protection, and block or alert on the domains, URLs and hash listed above at the DNS, proxy and endpoint layers.

Source(s)

https://www.malwarebytes.com/blog/news/2025/02/university-site-cloned-to-evade-ad-detection-distributes-fake-cisco-installer

https://otx.alienvault.com/pulse/67a49294eccc5f37231d107a
