![\"\"](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2025\/01\/domain.png\")
<\/a><\/figure>\nUpon clicking on the ad, server-side checks will determine whether this is a potential victim or not. Typically, a real victim has a residential IP address and other network settings that differentiate it from crawlers, bots, VPNs or proxies.<\/p>\n
In recent times, we have seen criminals rely on AI to generate fake pages<\/a> that look innocuous. These are also referred to as “white pages” and they do serve an important purpose. If it’s obviously so fake and bad, it will raise suspicion. We thought that in this case the perpetrator had a rather clever idea by stealing content from a university that actually does use Cisco AnyConnect.<\/p>\n Technische Universit\u00e4t Dresden (TU Dresden), is a public research university in Germany whose site can be found here<\/a>. Funnily enough, the threat actors left a trail while doing their copy\/paste. We can see that they added the cookie opt-in notification which is required for websites in Europe, which here leaked their browser language (Russian).<\/p>\n As good as this template looks, real victims will never see it. Instead, upon connecting to the malicious server they will be immediately redirected to a phishing site for Cisco AnyConnect.<\/p>\n The payload is downloaded in a similar way to a campaign we had already observed before, using a PHP script that provides the direct download URL. We can see from the network traffic capture below that the file is hosted on a likely compromised WordPress site.<\/p>\n There is not much to be said about the fake installer other than it being digitally signed with a valid certificate. Upon execution it extracts client32.exe<\/em>, a name notorious for being associated with NetSupport RAT.<\/p>\n The remote access Trojan connects to the following two IP addresses: 91.222.173[.]67 and 199.188.200[.]195, further granting a remote attacker access to the victim’s machine.<\/p>\n Brand impersonation is a common theme with search ads. As Google enforces various policies and uses algorithms to detect malicious activity, threat actors need to constantly come up with new ideas.<\/p>\n Reusing a university page was a clever idea, but there were a couple of things that made this attack shy of being perfect. The domain name, while very strong for impersonation, was newly registered. Since it was part of the ad’s display URL, it could have potentially been detected by Google. We also noted that the perpetrators left a trail when they copy\/pasted the code from the university website, which identified their likely country of origin.<\/p>\n Having said that, the malware payload was digitally signed and had few detections when first seen, so this attack may have had a decent success rate.<\/p>\n As always, we recommend that users take precautions whenever looking up programs to download, and to be especially wary of sponsored results.<\/p>\n We don\u2019t just report on threats\u2014we remove them<\/strong><\/p>\n Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today<\/a>.<\/p>\n Malvertising infrastructure<\/p>\n NetSupport RAT download<\/p>\n NetSupport RAT C2s<\/p>\n<\/a><\/figure>\n<\/a><\/figure>\nReal victims get infected with malware<\/h2>\n
<\/a><\/figure>\n<\/a><\/figure>\ncisco-secure-client-win-5.0.05040-core-vpn-predeploy-k9.exe
-> client32.exe
-> \"icacls\" \"C:ProgramDataCiscoMedia\" \/grant *S-1-1-0:(F) \/grant Users:(F) \/grant Everyone:(F) \/T \/C<\/pre>\nConclusion<\/h2>\n
\nIndicators of Compromise<\/h2>\n
anyconnect-secure-client[.]com
cisco-secure-client[.]com[.]vissnatech[.]com<\/pre>\nberrynaturecare[.]com\/wp-admin\/images\/cisco-secure-client-win-5[.]0[.]05040-core-vpn-predeploy-k9[.]exe
78e1e350aa5525669f85e6972150b679d489a3787b6522f278ab40ea978dd65d<\/pre>\nmonagpt[.]com
mtsalesfunnel[.]com
91.222.173[.]67\/fakeurl.htm
199.188.200[.]195\/fakeurl.htm<\/pre>\n