In order to transmit a malware loader known as Hijack Loader, which then deploys an information stealer known as Vidar Stealer, threat actors are luring unsuspecting consumers by offering free or pirated versions of commercial software.

“Adversaries had managed to trick users into downloading password-protected archive files containing trojanized copies of a Cisco Webex Meetings App (ptService.exe),” commented Trellix security researcher Ale Houspanossian in an investigation published on Monday.

“When unsuspecting victims extracted and executed a ‘Setup.exe’ binary file, the Cisco Webex Meetings application covertly loaded a stealthy malware loader, which led to the execution of an information-stealing module.”

It is a copy of the ptService module used by Cisco Webex Meetings. The starting point is a RAR archive file that contains an executable named “Setup.exe,” which is actually a malware loader.

You might be interested in: What to do when you get a phishing email?

What makes the campaign interesting is the utilization of DLL side-loading techniques to covertly start Hijack Loader (also known as DOILoader or IDAT Loader), which then functions as a conduit to drop Vidar Stealer through the use of an AutoIt script.

“The malware employs a known technique for bypassing User Account Control (UAC) and exploiting the CMSTPLUA COM interface for privilege escalation,” Houspanossian explained. “Once privilege escalation succeeded, the malware added itself to Windows Defender’s exclusion list for defense evasion.”

In addition to utilizing Vidar Stealer to steal sensitive credentials from web browsers, the attack chain also employs other payloads to install a bitcoin miner on the compromised host.

The announcement follows an increase in ClearFake efforts that trick site visitors into manually executing a PowerShell script to fix a purported problem with viewing web pages. This method was previously exposed by ReliaQuest at the end of the last month.

The PowerShell script then acts as a launchpad for Hijack Loader, which ultimately delivers malware known as Lumma Stealer. The stealer is also equipped to download three more payloads: Amadey Loader, a downloader that launches the XMRig miner, and a clipper malware that reroutes cryptocurrency transactions to wallets controlled by the attacker.

According to Proofpoint researchers Tommy Madjar, Dusty Miller, and Selena Larson, “Amadey was observed to download other payloads, such as a Go-based malware believed to be JaskaGO.”

The enterprise security company also discovered another activity cluster around the middle of April 2024, named ClickFix. This cluster used defective browser update lures to communicate with users of infected websites, spreading Vidar Stealer through a process very similar to copying and running PowerShell code.

Another threat actor that has adopted the same social engineering strategy in its malspam campaigns is TA571. This threat actor has been spotted sending emails with HTML attachments that, when opened, display an error message reading: “The ‘Word Online’ extension is not installed in your browser.”

The message provides two options: “How to fix” and “Auto-fix.” If a victim chooses the first option, a Base64-encoded PowerShell command is copied to the computer’s clipboard. Instructions then follow to launch a PowerShell terminal and right-click the console window to paste the contents of the clipboard, executing code responsible for running either an MSI installer or a Visual Basic Script (VBS).

Utilizing the “search-ms:” protocol handler, users who choose the “Auto-fix” option are shown WebDAV-hosted files named “fix.msi” or “fix.vbs” in Windows Explorer.

The execution of the MSI file results in the installation of Matanbuchus, whereas the execution of the VBS file results in the deployment of DarkGate, regardless of the option selected.

Other variants of the campaign have also resulted in the distribution of NetSupport RAT, highlighting that attempts have been made to change and update the lures and attack chains, despite the fact that they require significant user interaction to be successful.

“The legitimate use, the many ways to store the malicious code, and the fact that the victim manually runs the malicious code without any direct association with a file, make detection of these types of threats difficult,” the security company said.

“As antivirus software and EDRs will have issues inspecting clipboard content, detection and blocking need to be in place prior to the malicious HTML/site being presented to the victim.”

This discovery also coincides with eSentire uncovering a malware operation using lookalike websites that impersonate Indeed.com to distribute the SolarMarker information-stealing virus through a lure document promising team-building suggestions.

“SolarMarker employs search engine optimization (SEO) poisoning techniques to manipulate search engine results and boost the visibility of deceptive links,” the Canadian cybersecurity firm stated.

“The attackers’ use of SEO tactics to direct users to malicious sites underscores the importance of being cautious about clicking on search engine results, even if they appear legitimate.”