A novel information-stealing campaign has been revealed, showcasing sophisticated tactics including social engineering and DLL side-loading. Attackers trick users into downloading password-protected ZIP files disguised as legitimate software. These ZIP files contain embedded RAR archives and text files, with filenames reflecting common search terms for pirated software, suggesting a broader targeting strategy.
The attackers exploit a DLL side-loading vulnerability in a legitimate Cisco Webex installer to launch a hidden loader program. This multi-stage attack combines social engineering with process injection techniques to conceal malicious activities. The loader then integrates itself into a trusted process, further obscuring its actions.
HijackLoader, a malware loader, executes an AutoIT script designed to steal credentials and maintain a persistent connection to a command and control server. This process involves techniques for tool transfer and application layer communication, indicating the attackers’ sophisticated approach to data exfiltration and persistence.
The malware further exploits vulnerabilities to bypass User Account Control, disable Windows Defender, and inject itself into other processes. It eventually executes a series of obfuscated commands through PowerShell, ultimately delivering a cryptominer via a legitimate VMware process. This multi-faceted approach highlights the complexity and scale of the attack.
Reference:
