Threat actors are luring unsuspecting users with free or pirated versions of commercial software to deliver a malware loader called Hijack Loader, which then deploys an information stealer known as Vidar Stealer.
“Adversaries had managed to trick users into downloading password-protected archive files containing trojanized copies of a Cisco Webex Meetings App (ptService.exe),” Trellix security researcher Ale Houspanossian said in a Monday analysis.
“When unsuspecting victims extracted and executed a ‘Setup.exe’ binary file, the Cisco Webex Meetings application covertly loaded a stealthy malware loader, which led to the execution of an information-stealing module.”
The starting point is a RAR archive file that contains an executable name “Setup.exe,” but in reality is a copy of Cisco Webex Meetings’s ptService module.
What makes the campaign noteworthy is the use of DLL side-loading techniques to stealthily launch Hijack Loader (aka DOILoader or IDAT Loader), which then acts as a conduit to drop Vidar Stealer by means of an AutoIt script.
“The malware employs a known technique for bypassing User Account Control (UAC) and exploiting the CMSTPLUA COM interface for privilege escalation,” Houspanossian said. “Once privilege escalation had succeeded, the malware added itself to Windows Defender’s exclusion list for defense evasion.”
The attack chain, besides using Vidar Stealer to siphon sensitive credentials from web browsers, leverages additional payloads to deploy a cryptocurrency miner on the compromised host.
The disclosure follows a spike in ClearFake campaigns that entice site visitors into manually executing a PowerShell script to address a supposed issue with viewing web pages, a technique previously disclosed by ReliaQuest late last month.
The PowerShell script then serves as a launchpad for Hijack Loader, which ultimately delivers the Lumma Stealer malware. The stealer is also equipped to download three more payloads, including Amadey Loader, a downloader that launches the XMRig miner, and a clipper malware to reroute crypto transactions to attacker-controlled wallets.
“Amadey was observed to download other payloads, for example a Go-based malware believed to be JaskaGO,” Proofpoint researchers Tommy Madjar, Dusty Miller, and Selena Larson said.
The enterprise security firm said it also detected in mid-April 2024 another activity cluster dubbed ClickFix that employed faulty browser update lures to visitors of compromised sites in order to propagate Vidar Stealer using a similar mechanism involving copying and running PowerShell code.
Another threat actor that has embraced the same social engineering tactic in its malspam campaigns is TA571, which has been observed sending emails with HTML attachments that, when opened, display an error message: “The ‘Word Online’ extension is not installed in your browser.”
The message also features two options, “How to fix” and “Auto-fix.” If a victim selects the first option, a Base64-encoded PowerShell command is copied to the computer’s clipboard followed by instructions to launch a PowerShell terminal and right-click the console window to paste the clipboard content and execute code responsible for running either an MSI installer or a Visual Basic Script (VBS).
Similarly, users who end up selecting the “Auto-fix” are displayed WebDAV-hosted files named “fix.msi” or “fix.vbs” in Windows Explorer by taking advantage of the “search-ms:” protocol handler.
Regardless of the option chosen, the execution of the MSI file culminates in the installation of Matanbuchus, while the execution of the VBS file leads to the deployment of DarkGate.
Other variants of the campaign have also resulted in the distribution of NetSupport RAT, underscoring attempts to modify and update the lures and attack chains despite the fact that they require significant interaction on part of the user so as to be successful.
“The legitimate use, and the many ways to store the malicious code, and the fact that the victim manually runs the malicious code without any direct association with a file, makes detection for these types of threats difficult,” Proofpoint said.
“As antivirus software and EDRs will have issues inspecting clipboard content, detection and blocking needs to be in place prior to the malicious HTML/site being presented to the victim.”
The development also comes as eSentire disclosed a malware campaign that leverages lookalike websites impersonating Indeed[.]com to drop the SolarMarker information-stealing malware via a lure document that purports to offer team-building ideas.
“SolarMarker utilizes search engine optimization (SEO) poisoning techniques to manipulate search engine results and boost the visibility of deceptive links,” the Canadian cybersecurity company said.
“The attackers’ use of SEO tactics to direct users to malicious sites underscores the importance of being cautious about clicking on search engine results, even if they appear legitimate.”
