Cybercriminals Use Free Software Lures to Deploy Malware Loader

Cybercriminals are enticing users with free or pirated versions of commercial software to install a malware loader known as Hijack Loader, which subsequently deploys the Vidar Stealer information stealer.

Researchers revealed that adversaries tricked users into downloading password-protected archive files containing trojanized copies of the Cisco Webex Meetings App (ptService.exe). When victims extracted and executed the “Setup.exe” binary file, the Cisco Webex Meetings application covertly loaded Hijack Loader, which then executed an information-stealing module.

The attack begins with a RAR archive file containing an executable named “Setup.exe,” which is actually a copy of Cisco Webex Meetings’ ptService module. The campaign is notable for its use of DLL side-loading techniques to stealthily launch Hijack Loader (also known as DOILoader or IDAT Loader). This loader then drops Vidar Stealer via an AutoIt script.

The malware bypasses User Account Control (UAC) and exploits the CMSTPLUA COM interface for privilege escalation. Once successful, it adds itself to Windows Defender’s exclusion list to evade detection. Besides stealing sensitive credentials from web browsers, the malware also deploys a cryptocurrency miner on the compromised host.

This disclosure follows an increase in ClearFake campaigns that trick users into manually executing a PowerShell script to resolve supposed web page viewing issues, a technique previously identified by ReliaQuest. The PowerShell script launches Hijack Loader, which then delivers the Lumma Stealer malware. Lumma Stealer downloads additional payloads, including Amadey Loader, XMRig miner, and clipper malware to reroute cryptocurrency transactions.

TA571, another threat actor, used similar social engineering tactics in its malspam campaigns. Emails with HTML attachments displayed an error message, prompting users to copy and execute a Base64-encoded PowerShell command.

This command ran either an MSI installer or a Visual Basic Script (VBS), leading to the installation of Matanbuchus or DarkGate malware, respectively. Other variants of this campaign distributed NetSupport RAT.

These campaigns highlight the challenges in detecting such threats, as the malware execution requires significant user interaction and involves legitimate software and various storage methods. Detection needs to occur before the malicious HTML/site is presented to the victim, as antivirus software and EDRs struggle to inspect clipboard content.
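Because the paste-style lures above end in a user-launched, Base64-encoded PowerShell command, and the loader later adds a Defender exclusion, process-creation telemetry is where a defender can still catch them. The following detection logic is an added example, not code from the article or any of the vendors it cites; the log events are constructed inline, and the field names (parent, image, cmdline) are assumed rather than taken from a particular EDR schema.

```python
import base64
import re
from typing import Optional

# PowerShell's -EncodedCommand (abbreviated -e / -ec / -enc) takes Base64 of UTF-16LE text.
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# The cmdlet form of adding a Microsoft Defender exclusion (what the article describes the loader doing).
EXCLUSION = re.compile(r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)", re.IGNORECASE)
# A shell as parent suggests a human typed or pasted the command, as in the ClearFake/TA571 lures.
USER_PARENTS = {"explorer.exe"}


def encode_ps(script: str) -> str:
    """Encode a script the way -EncodedCommand expects; used only to build sample events."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries an encoded command, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event: dict) -> list:
    """Flag user-launched encoded PowerShell and Defender exclusion changes in one process event."""
    findings = []
    decoded = decode_encoded_command(event["cmdline"])
    effective = decoded if decoded is not None else event["cmdline"]
    if decoded is not None and event["parent"].lower() in USER_PARENTS:
        findings.append("user-launched encoded PowerShell (paste lure pattern)")
    if EXCLUSION.search(effective):  # inspect the decoded text, not just the raw command line
        findings.append("Defender exclusion added")
    return findings


# Constructed sample events (hypothetical field names, not real telemetry).
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc " + encode_ps("Add-MpPreference -ExclusionPath C:\\Users\\Public")},
    {"parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\build\\deploy.ps1"},
    {"parent": "explorer.exe", "image": "powershell.exe", "cmdline": "powershell.exe Get-Date"},
]


def scan(events: list) -> dict:
    """Map event index to its findings, omitting events with nothing to report."""
    return {i: f for i, e in enumerate(events) if (f := analyze_event(e))}
```

Only the first constructed event is reported; the benign build script and the plain interactive command produce no findings, which is the false-positive behaviour to check before deploying a rule like this.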

Additionally, eSentire disclosed a malware campaign using lookalike websites impersonating Indeed[.]com to drop the SolarMarker information-stealing malware via a lure document offering team-building ideas.

SolarMarker uses search engine optimization (SEO) poisoning techniques to manipulate search results and increase the visibility of deceptive links, emphasizing the need for caution when clicking on search engine results.

To prevent falling victim to malware like Hijack Loader and Vidar Stealer, users should avoid downloading software from untrusted sources. Employing robust endpoint security solutions that can detect and block malware, regularly updating all software, and enabling User Account Control (UAC) can provide additional layers of protection.