Intrusions leveraging trojanized versions of the Cisco Webex Meetings app disguised as free or cracked copies of the software have been launched to facilitate the deployment of the Vidar Stealer malware, reports The Hacker News.
Extraction and execution of the "Setup.exe" binary file within the password-protected archive files containing the malicious app was followed by DLL side-loading that would deliver the Hijack Loader malware, also known as IDAT Loader or DOILoader, which would then distribute the Vidar Stealer, an analysis from Trellix revealed. Aside from using Vidar Stealer to exfiltrate browser credentials and achieve escalated privileges, more payloads are then retrieved for cryptocurrency mining malware delivery, according to researchers. Such a development comes amid a Proofpoint report detailing separate campaigns using social engineering techniques to execute PowerShell that would prompt the installation of malicious payloads, including the Lumma Stealer, DarkGate, and NetSupport RAT. "The legitimate use, and the many ways to store the malicious code, and the fact that the victim manually runs the malicious code without any direct association with a file, makes detection for these types of threats difficult," said Proofpoint.
