A recent information theft campaign has been identified, showcasing the detailed tactics, techniques, and procedures (TTPs) used by attackers at various stages of the attack process. The Miter ATT&CK framework was utilized to categorize these TTPs and pinpoint potential areas for detection. Research into the campaign revealed how attackers employed social engineering tactics to deceive users into downloading password-protected (ZIP) files disguised as legitimate software. The file names included passwords and contained RAR archives and text files.
By conducting a Virustotal search, around 400 similar file names submitted since 2024 were discovered, indicating a widespread campaign targeting users with pirated software using common search terms. An attacker successfully tricked a user into running a malicious file posing as a legitimate Cisco Webex installer by taking advantage of a DLL sideloading vulnerability within the ptService.exe module, using a hidden loading program and trusted process to disguise the attack.
The malicious loader, known as HijackLoader, executed an AutoIT script (GraphicsFillRect.au3) to steal credentials and establish a connection to a C2 server. This multi-stage attack combined social engineering, DLL sideloading, and process injection techniques. The C2 server was identified as part of the Vidar botnet based on its IP address.
Subsequently, the AutoIT script was observed extracting login data from various browsers and establishing connections to additional executables in the ProgramData folder. The malware further exploited a COM Elevation Moniker vulnerability to bypass User Account Control, gain administrator privileges, and disable Windows Defender.
The malware was injected into MSBuild.exe, connecting to a suspicious IP address to download a cryptominer. A PowerShell script was then launched, executing obfuscated commands and loading a malicious DLL through a legitimate VMware process.
Overall, this sophisticated information theft campaign highlights the importance of staying vigilant against social engineering tactics and the need for robust security measures to detect and prevent such attacks. With attackers continuously evolving their methods, organizations must remain proactive in defending against cyber threats to safeguard sensitive information and maintain the integrity of their systems.
Article Source
https://cybersecuritynews.com/weaponized-cisco-webex-meetings-app/amp/
