Hackers Using Weaponized Cisco Webex Meetings App To Deliver Malware
A recent information-stealing campaign illustrates the attackers' tactics, techniques, and procedures (TTPs) across the attack lifecycle, with the MITRE ATT&CK framework used to categorise these TTPs and identify potential detection points.
By examining the campaign's behaviour and its communication with the command-and-control (C2) server, researchers trace the step-by-step progression from initial access to credential theft.
Adversaries used social engineering to trick users into downloading password-protected ZIP archives disguised as legitimate software.
The archive filenames contained the password (!$Full_pAssW0rd_4434_$etup.zip), and each archive embedded a RAR archive and text files.
A VirusTotal search revealed around 400 similar filenames submitted since 2024, indicating a broader campaign: the attackers target users by leveraging common search terms for pirated software and incorporating patterns like “!@Full_FiIe_lnSide@!” or “!@passcode_” in the filenames.
An attacker tricked a user into running a malicious file disguised as a legitimate Cisco Webex installer (Setup.exe), which exploited a DLL side-loading weakness in the legitimate ptService.exe module to launch a hidden loader program.
The loader then injected itself into a benign, trusted process (more.com) to further conceal its activity, making this a multi-stage attack that combines social engineering (T1204), DLL side-loading (T1574.002), and process injection (T1055).
HijackLoader, a malware loader, fetches and executes an AutoIT script (GraphicsFillRect.au3) that steals credentials and establishes a persistent connection to a C2 server, involving two MITRE ATT&CK techniques:
T1105 (Ingress Tool Transfer) for downloading the script and T1071.001 (Application Layer Protocol: Web Protocols) for maintaining communication with the C2 server, which was identified as belonging to the Vidar botnet based on its IP address.
The malicious AutoIT script (GraphicsFillRect.au3) was observed establishing a connection to a C2 server (78.47.78.87) while reading login data from the Chrome and Firefox browsers and from Zoom, suggesting data exfiltration.
According to Trellix, the script also downloaded additional executables (GCGHJEBGHJ.exe and AFIEGIECGC.exe) into the ProgramData folder, indicating potential further malicious activity.
The malware exploited a COM Elevation Moniker vulnerability to bypass User Account Control and gain administrator privileges, then disabled Windows Defender by adding itself to the exclusion list.
Next, the malware injected itself into MSBuild.exe, which connected to a suspicious IP address and downloaded a cryptominer.
Finally, the malware launched a PowerShell script that executed a series of obfuscated commands, ultimately side-loading a malicious DLL via a legitimate VMware process.
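The stages above map onto telemetry a defender can match on. The following is an added detection sketch, not code from the article or from Trellix: it triages constructed endpoint events (file creation, process creation, registry writes, network connections) against the artefacts the article reports. The event field names, the sample events and the assumption that the Defender exclusion shows up as an Add-MpPreference command line or a write under the Defender Exclusions registry key are mine; the filename markers, the ten-letter dropper names in ProgramData, the .au3 script and the MSBuild.exe outbound connection come from the page.

```python
import ipaddress
import re

# Patterns derived from the article's observations; everything about how the
# events are shaped (keys, types) is an assumption for this constructed example.
LURE_ARCHIVE = re.compile(r"(pass_?w0?rd|passcode|Full_FiIe_lnSide)", re.I)
RANDOM_DROPPER = re.compile(r"\\ProgramData\\[A-Z]{10}\.exe$")       # e.g. GCGHJEBGHJ.exe
AU3_SCRIPT = re.compile(r"\.au3\b", re.I)                              # GraphicsFillRect.au3
DEFENDER_EXCL = re.compile(r"Add-MpPreference\s+-Exclusion|Windows Defender\\Exclusions", re.I)

def is_lure_archive(filename: str) -> bool:
    """Password-in-the-name ZIP/RAR lure, as described for this campaign."""
    return filename.lower().endswith((".zip", ".rar")) and bool(LURE_ARCHIVE.search(filename))

def is_public_ip(addr: str) -> bool:
    try:
        return ipaddress.ip_address(addr).is_global
    except ValueError:
        return False

def triage_event(ev: dict) -> list[str]:
    """Return the attack stages a single telemetry event matches (empty if none)."""
    hits = []
    kind, image = ev.get("type"), ev.get("image", "")
    path, cmd, dest = ev.get("path", ""), ev.get("cmdline", ""), ev.get("dest_ip", "")
    if kind == "file_create" and is_lure_archive(path):
        hits.append("T1204 lure archive: password embedded in filename")
    if kind == "file_create" and RANDOM_DROPPER.search(path):
        hits.append("T1105 random-named executable dropped in ProgramData")
    if kind == "process_create" and AU3_SCRIPT.search(cmd):
        hits.append("AutoIt script execution (.au3)")
    if kind in ("process_create", "registry_set") and DEFENDER_EXCL.search(cmd + path):
        hits.append("Defender exclusion added")
    if kind == "network_connect" and image.lower().endswith("msbuild.exe") and is_public_ip(dest):
        hits.append("T1055/T1071 MSBuild.exe outbound to public IP")
    return hits

def triage(events: list[dict]) -> dict[int, list[str]]:
    return {i: h for i, ev in enumerate(events) if (h := triage_event(ev))}

# Constructed sample telemetry (not real logs); the IP is the C2 address the article reports.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Users\u\Downloads\!$Full_pAssW0rd_4434_$etup.zip"},
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c dir"},
    {"type": "process_create", "image": r"C:\ProgramData\x.exe", "cmdline": "x.exe GraphicsFillRect.au3"},
    {"type": "file_create", "path": r"C:\ProgramData\GCGHJEBGHJ.exe"},
    {"type": "process_create", "image": "powershell.exe", "cmdline": "Add-MpPreference -ExclusionPath C:\\ProgramData"},
    {"type": "network_connect", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", "dest_ip": "78.47.78.87"},
]
```

Running `triage(SAMPLE_EVENTS)` flags every event except the benign cmd.exe one; in practice each rule should be tuned against the baseline noise of your own environment before alerting.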
Source credit: cybersecuritynews.com