Alert essentials:
In a new threat campaign, users download trojanized copies of the Cisco Webex Meetings app. The zip files deliver a malicious .rar archive and two text files disguised as a Cisco Webex installer.
Take immediate action by installing and monitoring endpoint solutions.
Detailed threat description:
HijackLoader is a malware loader discovered in the summer of 2023. Early versions evaded detection but lacked advanced features; attackers used the loader mainly for code injection and execution.
New features that increase the malware's complexity and defense evasion have since been added. Seven new modules were discovered in the tool during March and April of 2024.
The security community has released reports detailing its hook bypass methods, process hollowing techniques, decryption and parsing of PNG images, and improved persistence.
By May 2024, the loader could add an exclusion to Windows Defender antivirus, bypass User Account Control (UAC), and evade the inline hooking often used by security software. Fast-forward to June 2024, and HijackLoader is being delivered as a stealthy info stealer targeting Cisco Webex users.
A new campaign was spotted that tricks users into downloading password-protected zip files disguised as a Cisco Webex installer. When the user runs the extracted installer, a DLL side-loading weakness in the legitimate ptService.exe is used to launch a hidden loader. From there, an AutoIt script steals credentials and establishes a persistent connection to a C2 server.
The malware performs a number of further actions and then launches a PowerShell script. The script creates and executes a malicious PE file, which triggers an information-stealing module that uses legitimate VMware executables together with malicious DLLs.
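The chain above (a legitimate ptService.exe side-loading a DLL from the extraction folder, then AutoIt and PowerShell descending from it) is exactly what endpoint telemetry should surface. The following is an added Python example, not code from the advisory or the cited reports: it runs a small side-loading detector over constructed, Sysmon-like events. The event field names, file paths and the DLL name in the sample are assumptions; only ptService.exe comes from the advisory.

```python
# Added example, not from the advisory: a detector for the chain described
# above -- a legitimate host binary (ptService.exe, named in the advisory)
# loading an unsigned DLL from a user-writable path, then script hosts
# (AutoIt, PowerShell) descending from it. Events are a constructed,
# Sysmon-like subset; field names and the sample DLL/script names are assumed.
import json

SIDELOAD_HOSTS = {"ptservice.exe"}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\")
SCRIPT_HOSTS = {"autoit3.exe", "powershell.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def is_user_writable(path):
    return any(m in path.lower() for m in USER_WRITABLE)

def detect(events):
    """Return (event id, reason) findings; events must be in time order."""
    tainted = set()   # PIDs of the side-loaded host and its descendants
    findings = []
    for ev in events:
        proc = basename(ev["image"])
        if ev["type"] == "image_load":
            dll = ev["loaded"]
            if proc in SIDELOAD_HOSTS and is_user_writable(dll) and not ev.get("signed", False):
                tainted.add(ev["pid"])
                findings.append((ev["id"], f"{proc} side-loaded unsigned {basename(dll)} from {dll}"))
        elif ev["type"] == "process_create" and ev["ppid"] in tainted:
            tainted.add(ev["pid"])    # descendants inherit suspicion
            if proc in SCRIPT_HOSTS:
                findings.append((ev["id"], f"{proc} spawned under side-loaded {basename(ev['parent_image'])} chain"))
    return findings

# Constructed sample: one benign load from Program Files, then the malicious chain.
SAMPLE_EVENTS = r"""
{"id": 1, "type": "image_load", "pid": 400, "image": "C:\\Program Files\\Vendor\\ptService.exe", "loaded": "C:\\Windows\\System32\\kernel32.dll", "signed": true}
{"id": 2, "type": "image_load", "pid": 512, "image": "C:\\Users\\alice\\Downloads\\WebexSetup\\ptService.exe", "loaded": "C:\\Users\\alice\\Downloads\\WebexSetup\\helper.dll", "signed": false}
{"id": 3, "type": "process_create", "pid": 600, "ppid": 512, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\AutoIt3.exe", "parent_image": "C:\\Users\\alice\\Downloads\\WebexSetup\\ptService.exe"}
{"id": 4, "type": "process_create", "pid": 700, "ppid": 600, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Users\\alice\\AppData\\Local\\Temp\\AutoIt3.exe"}
{"id": 5, "type": "process_create", "pid": 800, "ppid": 999, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\explorer.exe"}
"""

def run_sample():
    return detect([json.loads(l) for l in SAMPLE_EVENTS.strip().splitlines()])

if __name__ == "__main__":
    for eid, reason in run_sample():
        print(f"event {eid}: {reason}")
```

The benign load (event 1) and the PowerShell started from Explorer (event 5) produce no findings; only the side-loaded ptService.exe and its AutoIt and PowerShell descendants are flagged.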
Review CISA's counter-phishing recommendations for tips, and follow company procedures for training users on phishing emails. Closely monitor alerts from endpoint technology that may indicate multiple adversarial tactics in sequence.
Impacts on healthcare organizations:
As threat actors change tactics and create unique malware, healthcare institutions must remain highly alert to protect sensitive data and life-supporting patient care.
Recommendations
Engineering recommendations:
- Closely monitor EDR alerts
- Remind users NOT to download and execute software
- Block download of unexpected file formats, binaries, and scripts
Leadership / program recommendations:
- If it is not already part of the organization’s technology stack, consider installing endpoint protection or endpoint detection and response (EDR)
- Use incident response (IR) procedures to prepare the team with appropriate actions if technology is unavailable
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
- Campaign details: https://cybersecuritynews.com/weaponized-cisco-webex-meetings-app
- CISA Counter-Phishing Recommendations: https://www.cisa.gov/sites/default/files/publications/Capacity_Enhancement_Guide-Counter-Phishing_Recommendations_for_Federal_Agencies.pdf
- Gartner Endpoint Solutions: https://www.gartner.com/reviews/market/endpoint-detection-and-response-solutions
- TTPs: https://www.trellix.com/blogs/research/how-attackers-repackaged-a-threat-into-something-that-looked-benign