Info-Stealing Campaign Uses DLL Sideloading Through Legitimate Cisco Webex Binaries for Initial Execution and Defense Evasion

June 20, 2024, 2:41 p.m.

Description

In March 2024, researchers at the Trellix Advanced Research Center uncovered a sophisticated and evasive attack campaign targeting users in Latin America and Asia Pacific through trojanized copies of the Cisco Webex Meetings App. The campaign employed a stealthy malware loader, known as HijackLoader, and an information-stealing module identified as Vidar Stealer, to siphon off credentials and sensitive data while evading detection by running under legitimate processes.

Date

  • Created: June 20, 2024, 12:18 p.m.
  • Published: June 20, 2024, 12:18 p.m.
  • Modified: June 20, 2024, 2:41 p.m.

Indicators

  • fdb3d86c512adff90967cb860d02a4682850ab96727f0376e4d4836504c50e47
  • f9675304d13efaee32e6b4a3317b64231a59b684532a898d12b4e7ed88518afd
  • f5151914cbffe70c53b1d85873b0da88349f46cc4aa36e915142bc3929fc75f9
  • ee32f4cbba3a601d57064695a8ed5955e1b9af984110d34504b8d5ebb132c084
  • e958f4ed8272a96e599ff9f0a79331e7b5109104a9d20d3f760c7eb162daf7e0
  • db46b6106dc1b30041ce3f287ded91166895ff3f1928250fc79dd46c444b1e45
  • d4a0db913fa555808ce627114fe6e2725970499c70364edbedf47d907d52242d
  • d3ba1adbfeef8f19e4aa570299c06d39a87dfc5fe3d85946270b722e44dacda7
  • d0c3b82f1e0df8cc683adc42a2272ecf85cb46508a9bfb06c2478b7b125651aa
  • ca53407b356fcdea51a6d536447ed6b88ad14c87facf421080d141cae837eedc
  • c26db97858c427d92e393396f7cb7f9e7ed8f9ce616adcc123d0ec6b055b99c9
  • bd8486225884900084a82273ead6716ee5e52c6ad0f35cdfc487f422188ea30f
  • 979851cac4a2a0e394f06ca7139d7402911048b094f550dd9b33d1203ae92862
  • 9309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961
  • 8acf6eea851ccd43a33eee9840794b9944eed61e5be0a7c403b79d3baa48940c
  • 88378c228d7827974fe6ec827837af7571290e129082e7070d4bff7a42f4ba67
  • 7dbc0aa8fff43581f4c81695c3ea1dedbe57a13e4f76c3ecb5c0009917f331f0
  • 8103f2cce6a864ceefe6c5b0c05087ac85ab04a2abf150e93bc9db90c54d9d20
  • 725f50650cb9490027b633a1ff0ae166cb6fc42037dbe72d9a09dd65be323a1f
  • 629b4cef2c394c6a1fad37e5ac6f497b3bdac489270d54f4e98c5dfc925ea883
  • 5d447f1fe007dae3b9ad0687212e71cdec0343f6385fcc2db4ee3e0198e995c0
  • 58cc0c31514e89a743c9b96c7892c256cd9daaa18bdcff784b8ddb1d5c15a163
  • 4d0e4540a57cb447356e1684f2d2f069eccb185ce798843d90a41e115472332b
  • 346f72c9a7584c2ab6ce65cd38a616c77ebddc0bbab2274c4e89dd5e62237517
  • 33286a66f457328432180f9a7d2b82e456aacef6b2aa0833d74ecd1d51687f55
  • 27cf1ecb18d6f669dfbd4cf4dd552c4db87ab8727a873a580166411f93aabaa5
  • 239ee815e006884993f263688f3627064ba406bfa234eebb0068ee82b7170396
  • 15600ccdef5a64b40d206d89234a51be1e11bd878dcefc5986590bcf40d9d571
  • 0f2b3d012a9abe420bc36c62847bba6ca4478ceebc018bad2b19f22d481fcc10
  • 78.47.78.87
  • 50.7.22.10
  • 185.172.128.87
  • 185.172.128.212
  • 144.76.154.59
  • 139.99.16.105
  • keningsberguersfax.com

Attack Patterns

  • Trojan:Win32/Amadey
  • Trojan:Win32/VidarStealer
  • HijackLoader
  • Unknown
  • T1127.001
  • T1559.001
  • T1073
  • T1574.002
  • T1555.003
  • T1059.001
  • T1071.001
  • T1070.004
  • T1562.001
  • T1105
  • T1496
  • T1055
  • T1204
  • T1041
  • T1059