Menace actors are luring unsuspecting customers with free or pirated variations of business software program to ship a malware loader known as Hijack Loader, which then deploys an data stealer generally known as Vidar Stealer.
“Adversaries had managed to trick users into downloading password-protected archive files containing trojanized copies of a Cisco Webex Meetings App (ptService.exe),” Trellix safety researcher Ale Houspanossian mentioned in a Monday evaluation.
“When unsuspecting victims extracted and executed a ‘Setup.exe’ binary file, the Cisco Webex Meetings application covertly loaded a stealthy malware loader, which led to the execution of an information-stealing module.”
The place to begin is a RAR archive file that accommodates an executable title “Setup.exe,” however in actuality is a replica of Cisco Webex Conferences’s ptService module.
What makes the marketing campaign noteworthy is the usage of DLL side-loading methods to stealthily launch Hijack Loader (aka DOILoader or IDAT Loader), which then acts as a conduit to drop Vidar Stealer by the use of an AutoIt script.
“The malware employs a known technique for bypassing User Account Control (UAC) and exploiting the CMSTPLUA COM interface for privilege escalation,” Houspanossian mentioned. “Once privilege escalation had succeeded, the malware added itself to Windows Defender’s exclusion list for defense evasion.”
The assault chain, in addition to utilizing Vidar Stealer to siphon delicate credentials from net browsers, leverages extra payloads to deploy a cryptocurrency miner on the compromised host.
The disclosure follows a spike in ClearFake campaigns that entice website guests into manually executing a PowerShell script to deal with a supposed concern with viewing net pages, a method beforehand disclosed by ReliaQuest late final month.
The PowerShell script then serves as a launchpad for Hijack Loader, which in the end delivers the Lumma Stealer malware. The stealer can be geared up to obtain three extra payloads, together with Amadey Loader, a downloader that launches the XMRig miner, and a clipper malware to reroute crypto transactions to attacker-controlled wallets.
“Amadey was noticed to obtain different payloads, for instance a Go-based malware believed to be JaskaGO,” Proofpoint researchers Tommy Madjar, Dusty Miller, and Selena Larson mentioned.
The enterprise safety agency mentioned it additionally detected in mid-April 2024 one other exercise cluster dubbed ClickFix that employed defective browser replace lures to guests of compromised websites with a view to propagate Vidar Stealer utilizing an identical mechanism involving copying and operating PowerShell code.
One other menace actor that has embraced the identical social engineering tactic in its malspam campaigns is TA571, which has been noticed sending emails with HTML attachments that, when opened, show an error message: “The ‘Word Online’ extension is not installed in your browser.”
The message additionally options two choices, “How to fix” and “Auto-fix.” If a sufferer selects the primary possibility, a Base64-encoded PowerShell command is copied to the pc’s clipboard adopted by directions to launch a PowerShell terminal and right-click the console window to stick the clipboard content material and execute code chargeable for operating both an MSI installer or a Visible Primary Script (VBS).
Equally, customers who find yourself deciding on the “Auto-fix” are displayed WebDAV-hosted information named “fix.msi” or “fix.vbs” in Home windows Explorer by making the most of the “search-ms:” protocol handler.
Whatever the possibility chosen, the execution of the MSI file culminates within the set up of Matanbuchus, whereas the execution of the VBS file results in the deployment of DarkGate.
Different variants of the marketing campaign have additionally resulted within the distribution of NetSupport RAT, underscoring makes an attempt to switch and replace the lures and assault chains even supposing they require vital interplay on a part of the consumer in order to achieve success.
“The legitimate use, and the many ways to store the malicious code, and the fact that the victim manually runs the malicious code without any direct association with a file, makes detection for these types of threats difficult,” Proofpoint mentioned.
“As antivirus software and EDRs will have issues inspecting clipboard content, detection and blocking needs to be in place prior to the malicious HTML/site being presented to the victim.”
The event additionally comes as eSentire disclosed a malware marketing campaign that leverages lookalike web sites impersonating Certainly[.]com to drop the SolarMarker information-stealing malware by way of a lure doc that purports to supply team-building concepts.
“SolarMarker utilizes search engine optimization (SEO) poisoning techniques to manipulate search engine results and boost the visibility of deceptive links,” the Canadian cybersecurity firm mentioned.
“The attackers’ use of SEO tactics to direct users to malicious sites underscores the importance of being cautious about clicking on search engine results, even if they appear legitimate.”
