
A new malvertising campaign is distributing a fake Cisco AnyConnect installer that delivers the NetSupport RAT.
Malwarebytes researchers have discovered a malvertising campaign that uses Google ads to distribute a fake Cisco AnyConnect installer. The installer, which is digitally signed with a valid certificate, delivers NetSupport RAT, a remote access Trojan that allows attackers to take control of victims’ computers.
“The particular case is a malicious Google ad for Cisco AnyConnect, a tool often used by employees to remotely connect to company networks, but also by universities,” the report states.
The attackers use cloaking to evade detection by security systems. They have cloned the website of a German university that uses Cisco AnyConnect and serve it as a “white page”, a harmless-looking decoy, to fool ad detection systems.
“If it’s obviously so fake and bad, it will raise suspicion. We thought that in this case the perpetrator had a rather clever idea by stealing content from a university that actually does use Cisco AnyConnect.”
Real victims are redirected to a fake Cisco AnyConnect download page that looks very similar to the legitimate site. The download link on this page leads to a malicious installer that is hosted on a compromised WordPress site.

Once the installer is executed, it extracts and runs a malicious executable named client32.exe, which is a variant of the NetSupport RAT. This Trojan allows attackers to remotely control the victim’s computer, steal data, and install additional malware.
The attackers are using two IP addresses to control the NetSupport RAT: 91.222.173[.]67 and 199.188.200[.]195.
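As an added example (not from the Malwarebytes report or the original article), the indicators above can be turned into a simple triage pass over endpoint telemetry. The CSV layout, host names, sample rows and the list of user-writable path fragments are constructed assumptions; only client32.exe and the two IP addresses come from the article.

```python
import csv
import io
import ipaddress

# Indicators taken from the article; the addresses stay defanged until matched.
C2_DEFANGED = ["91.222.173[.]67", "199.188.200[.]195"]
RAT_IMAGE = "client32.exe"
# Assumption: path fragments marking user-writable locations a dropper would use.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\downloads\\")

# Constructed sample telemetry: host, process image path, destination IP.
SAMPLE_EVENTS = r"""host,image,dest_ip
WS-01,C:\Users\alice\AppData\Roaming\VPNSetup\client32.exe,91.222.173.67
WS-02,C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe,10.0.0.5
WS-03,C:\Windows\System32\svchost.exe,199.188.200.195
WS-04,C:\Users\bob\Downloads\client32.exe,
"""


def refang(ioc):
    """Turn a defanged indicator such as 1.2.3[.]4 back into a matchable value."""
    return ioc.replace("[.]", ".")


C2_ADDRS = {ipaddress.ip_address(refang(i)) for i in C2_DEFANGED}


def triage(events_csv):
    """Return (host, reasons) for every event that matches an indicator."""
    findings = []
    for row in csv.DictReader(io.StringIO(events_csv)):
        image = row["image"].lower()
        reasons = []
        # NetSupport's client binary outside an installed location is suspicious.
        if image.rsplit("\\", 1)[-1] == RAT_IMAGE and any(p in image for p in USER_WRITABLE):
            reasons.append("client32.exe running from a user-writable path")
        try:
            if ipaddress.ip_address(row["dest_ip"]) in C2_ADDRS:
                reasons.append("connection to reported C2 address")
        except ValueError:
            pass  # empty or malformed destination field
        if reasons:
            findings.append((row["host"], reasons))
    return findings


if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_EVENTS):
        print(host, "; ".join(reasons))
```

The file name alone is not conclusive, since legitimately installed NetSupport software uses the same binary name, which is why the check pairs it with the execution path.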
This campaign is a reminder that even trusted sources like Google ads can be used to distribute malware. Users should be cautious when clicking on ads, even if they appear to be legitimate. It is also important to keep software up to date and to use a reputable security solution to protect against malware.