Info Stealing Campaign Uses DLL Sideloading Through Legitimate Cisco Webex Binaries for Initial Execution and Defense Evasion

June 20, 2024, 2:41 p.m.

Description

In March 2024, researchers at the Trellix Advanced Research Center uncovered a sophisticated and evasive attack campaign targeting users in Latin America and Asia Pacific through trojanized copies of the Cisco Webex Meetings App. The campaign used a stealthy malware loader, known as HijackLoader, and an information-stealing module identified as Vidar Stealer, to siphon off credentials and sensitive data while evading detection by executing through legitimate processes.

Date

Published: June 20, 2024, 12:18 p.m.
Created: June 20, 2024, 12:18 p.m.
Modified: June 20, 2024, 2:41 p.m.

Indicators


Attack Patterns

Trojan:Win32/Amadey
Trojan:Win32/VidarStealer
HijackLoader
Unknown

T1127.001
T1559.001
T1073
T1574.002
T1555.003
T1059.001
T1071.001
T1070.004
T1562.001
T1105
T1496
T1055
T1204
T1041
T1059