Info Stealing Campaign Uses DLL Sideloading Through Legitimate Cisco Webex’s Binaries for Initial Execution and Defense Evasion

MITRE Techniques

• [T1204] User Execution – Adversary lured victims into executing a PE file contained in a password-protected archive file. ‘Adversary lured victims into executing a PE file contained in a password-protected archive file.’
• [T1574.002] Hijack Execution Flow: DLL Side-Loading – Adversary used DLL Sideloading through legitimate Cisco Webex Meetings App Service ptService Module to covertly launch a malicious loader. ‘Adversary used DLL Sideloading through legitimate ‘
• [T1055] Process Injection – Malicious loader (HijackLoader) injected into a Windows Binary (more.com). ‘Malicious loader (HijackLoader) injected into a Windows Binary (more.com)’
• [T1105] Ingress Tool Transfer – HijackLoader downloaded and executed an AutoIT3 binary (GraphicsFillRect.au3). ‘HijackLoader (more.com) downloaded and executed an AutoIT3 binary (GraphicsFillRect.au3).’
• [T1071.001] Application Layer Protocol: Web Protocols – AutoIT3 maintained sustained network connections to a C2 server at IP address 78.47.78.87 (Vidar botnet). ‘maintained sustained network connections to a command and control (C2) server at IP address 78[.]47.78.87, which is classified as Vidar botnet’
• [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – AutoIT3 accessed internal files of Web browsers (Chrome/Firefox) and Zoom. ‘Accessed internal files of Web browsers (Chrome and Firefox) and Zoom programs.’
• [T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control – CoGetObject API call via CMSTPLUA COM interface for elevation. ‘API call (CoGetObject) to the COM Elevation Moniker to exploit the CMSTPLUA COM interface for privilege escalation.’
• [T1127.001] MSBuild – Malware launched and injected into MSBuild.exe; sustained network connections. ‘Malware launched and injected into MSBuild.exe… MSBuild.exe performed sustained network connections to suspicious IP addresses’
• [T1496] Resource Hijacking – AddInProcess.exe cryptominer execution via .NET AddInProcess. ‘Resource Hijacking (T1496)… triggered the execution of .NET binary AddInProcess.exe in an attempt to execute a cryptominer.’
• [T1041] Exfiltration Over C2 Channel – Vidar Stealer can exfiltrate data over C2 channel. ‘Exfiltration Over C2 Channel (T1041) … can exfiltrate data over command and control (C2) channel’
• [T1059.001] PowerShell – PowerShell-based execution paths; script files led to malicious payloads. ‘PowerShell script files resulted in the creation and execution of a malicious PE file (cXVgMt7JM.pif).’
• [T1070.004] Indicator Removal: File Deletion – CMD used to delete malware files after execution. ‘CMD command to delete malware files.’