Info Stealing Campaign Uses DLL Sideloading Through Legitimate Cisco Webex’s Binaries for Initial Execution and Defense Evasion

By Ale Houspanossian · June 17, 2024

Case Summary

It was a quiet Monday morning in March 2024 when the EDR researchers with our Trellix Advanced Research Center identified an interesting sequence of High Confidence detections in Trellix EDR telemetry. Trellix researchers dove right into the opportunity and uncovered what appeared to be a fresh and evasive attack campaign affecting customers in Latin America and Asia Pacific.

Adversaries had managed to trick users into downloading password-protected archive files containing trojanized copies of a Cisco Webex Meetings App (ptService.exe). When unsuspecting victims extracted and executed a 'Setup.exe' binary file, the Cisco Webex Meetings application covertly loaded a stealthy malware loader, which led to the execution of an information-stealing module.

The initial malicious loader, identified by our team as an instance of HijackLoader, was first reported in 2023 as a stealthy loader designed for defense evasion [1]. The infostealer, identified as the notorious Vidar Stealer [2], is designed to siphon credentials and other sensitive data before stealthily sending it back to the attackers’ servers. By hijacking the execution of legitimate Cisco Webex processes the malware was able to remain undetected by antivirus and threat detection solutions.

Our researchers discovered and documented multiple threat behaviors related to the following tactical phases: initial access, persistence, privilege escalation, defense evasion, credential access and more. The extremely low detections in threat feeds indicated this was a fresh campaign specifically designed to evade security controls.

Fortunately, Trellix EDR built-in detections were able to detect several of the threat behaviors and categorize them with high confidence.

Introduction

This article focuses on a novel information stealing campaign. The article reports on observed tactics, techniques, and procedures (TTPs), detection opportunities, and [spoiler alert] how Trellix EDR effectively detects and enables the security teams to respond quickly against this campaign. The Mitre ATT&CK framework is used to classify the TTPs, behaviors, and detection opportunities.

Through careful analysis, we uncover the tactics, techniques, and procedures (TTPs) used in this attack campaign. Leveraging Mitre ATT&CK framework, and evaluation of the EDR product capabilities, we classify the full range of TTPs employed and map out detection opportunities to empower security teams to defend against this threat.

Our findings detail the step-by-step progression of the campaign from initial access to execution to credential access through communication with the C2 server.

By comprehensively detailing this campaign’s behaviors, insights, and associated observables and IOCs, in this writeup we intend to provide actionable intelligence needed to mitigate this form of attack.

Finally, we share some recommendations against this campaign and similar threats.

Spoiler alert: Trellix EDR was effective in unveiling multiple stages of attack with high confidence built-in detections and providing rich visibility to contextualize the detections and enable further investigation.

Tactics, Techniques and Procedures (TTPs)

In the next sections we present a summary of the observed TTPs for different stages of the attack.

Initial Access, Initial Execution and Defense Evasion

Adversaries tricked users into downloading malicious password-protected archive files that were disguised as free/pirated copies of commercial software. The file is a password-protected archive (zip file extension), with the password provided in the file name
(!$Full_pAssW0rd_4434_$etup.zip). This file contains a .rar archive file
(!$Full_pAssW0rd_4434_$etup.rar) and two .txt files.

A quick search on VirusTotal for similar names outputs ~400 results (with submissions since 2024), suggesting our finding is part of a larger campaign.

User Execution (T1204)

Adversary lured victims into executing a PE file contained in a password-protected archive file. Initial execution is achieved when the victim executes Setup.exe (a copy of Cisco Webex Meetings App Service ptService Module).

Hijack Execution Flow: DLL Side-Loading (T1574.002)

Adversary used DLL Sideloading through legitimate Cisco Webex Meetings App Service ptService Module (ptService.exe) to covertly launch a malicious loader.

Process Injection (T1055)

Malicious loader (HijackLoader) injected into a Windows Binary (more.com).

Command And Control and Credential Access

Execution of HijackLoader (more.com) results in the download and execution of an AutoIT3 binary, which in turns performs credential access and maintains sustained network connectivity to C2 server.

Ingress Tool Transfer (T1105)

HijackLoader (more.com) downloaded and executed an AutoIT3 binary (GraphicsFillRect.au3).

Application Layer Protocol: Web Protocols (T1071.001)

AutoIT3 binary (GraphicsFillRect.au3) maintained sustained network connections to a command and control (C2) server at IP address 78[.]47.78.87, which is classified as Vidar botnet at https://threatfox.abuse.ch/ioc/1246569.

Credentials From Password Stores: Credentials from Web Browsers (T1555.003)

AutoIT3 binary (GraphicsFillRect.au3), while maintaining sustained network connections to C2 server, accessed internal files of Web browsers (Chrome and Firefox) and Zoom programs. It is inferred that the malware managed to steal data and exfiltrate it to the C2 server.

Ingress Tool Transfer (T1105)

AutoIT3 binary (GraphicsFillRect.au3) downloads additional PE files (and drops them in the ProgramData folder).

Privileges Escalation, Defense Evasion, and Resource Hijacking

Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)

The malware employs a known technique for bypassing User Account Control (UAC). GraphicsFillRect.au3 performed an API call (CoGetObject) to the COM Elevation Moniker to exploit the CMSTPLUA COM interface for privilege escalation.

This results in the payload being executed as a child process of DllHost.exe with system integrity level:

Eventually the same pattern is used to execute another PE file (AFIEGIECGC.exe)

Impair Defenses: Modify Security Tools (T1562.001)

After privilege escalation, the malware added itself to Windows Defender’s exclusion list for Defense Evasion.

Trusted Developer Utilities Proxy Execution: MSBuild (T1127.001)

Malware launched and injected into MSBuild.exe. MSBuild.exe performed sustained network connections to suspicious IP addresses

Resource Hijacking (T1496)

MSBuild.exe performed sustained network connections to suspicious IP addresses and triggered the execution of .NET binary AddInProcess.exe in an attempt to execute a cryptominer.

Additional payloads (T1059.001)

AFIEGIECGC.exe launched execution of a PowerShell script, through CMD.exe and Explorer.exe.

Execution of PowerShell script files resulted in the creation and execution of a malicious PE file (cXVgMt7JM.pif). Execution of cXVgMt7JM.pif introduced a legitimate copy of VMWare’s VMwareHostOpen.exe and multiple DLL files. Execution of VMwareHostOpen.exe resulted in a malicious DLL (vmtools.dll) being executed via DLL Side-loading.

Trellix EDR, Detection Opportunities and ATT&CK Mapping

Trellix EDR was effective in unveiling multiple stages of attack with high confidence built-in detections and providing rich visibility to contextualize the detections and enable further investigation. Trellix EDR raised High Severity alerts that helped SOC analysts to quickly spot the suspicious activity.

Trellix EDR UI provides a clear view of the execution chain, which starts from the user execution of the content of a weaponized archive file. Screenshot on main Trellix EDR Monitoring Workspace below:

User Execution (T1204)

Trellix EDR Process Monitoring capabilities, including Process Lineage Analysis and Command-line analysis enable the following detection opportunities:

• Detect Process Execution Initiated By Archive Utility
• Detect Process Execution of PE Files Delivered in Archive Files
• Detect Process Execution from Commonly Abused Directories

Ingress Tool Transfer (T1105)

Trellix EDR File Creation analysis capabilities enable the following detection opportunities:

• Detect File Creation of Cisco Webex ptService.exe by Unexpected Process
• Detect File Creation of VMWare’s VMwareHostOpen.exe by Unexpected Process
• Detect File Creation and Execution of AutoIt3 Binary by Unexpected Process

Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)

Trellix EDR Process Monitoring and API Call analysis capabilities enable the following detection opportunities:

• Detect Api Calls To Elevation Moniker by Unexpected Process
• Detect Process Execution Spawned by DllHost.exe

Credentials From Password - Stores: Credentials from Web Browsers (T1553.003)

Trellix EDR File Access analysis capabilities enable the following detection opportunities:

• Detect File Access to Web Browsers Password Stores Files by Unexpected Process

Application Layer Protocol: Web Protocols (T1071.001)

Trellix EDR Network Flow analysis capabilities enable the following detection opportunities:

• Detect Network Connections Attempts by AutoIT3 Process
• Detect Network Connections Attempts by .NET Binaries

Process Injection (T1055)

Trellix EDR Network Flow analysis capabilities enable the following detection opportunities:

• Detect Process Injection against System and .NET Binaries (e.g. MSBuild.exe, AddInProcess.exe) by Unexpected Process

Further Stages of the Attack

Further stages are not covered in this work. Info stealing campaigns can certainly lead to a variety of high impact threats.

Summary and Recommendations

Many modern cyber threats are composed of a multi-stage strategy. Adversaries leverage various tricks for achieving Initial Access and Execution. In this case we have unveiled a case where password-protected malicious archive files are used to deliver malicious DLLs. And the usage of DLL Sideloading technique for achieving Initial Execution of a malicious loader (HijackLoader). Later on, AutoIt3, a less known script interpreter, is used to launch execution of an InfoStealer with Defense Evasion, Credential Access, C2 and Exfiltration capabilities.

Recommendations:

• User training: Highlight the risk of downloading and executing software from unknown sources
• Closely monitor EDR alerts: (that might indicate multiple adversarial tactics like Initial Access, Credential Access, Command And Control, Persistence, Privilege Escalation, Defense Evasion)
• Endpoint Protections:
  • Block download of unexpected file formats like AutoIT3 (.au3) binaries and scripts.
  • Block network connections initiated by commonly abused .NET and/or system binaries (e.g., MSBuild.exe, AddInProcess.exe)
  • Block execution of unexpected file formats like AutoIT3 (.au3) binaries and scripts.
  • Block PE File Creation on paths commonly used by malware (e.g,: %PROGRAMDATA%)

Even when Initial Access for this campaign has not been confirmed, the CISA’s counter-phishing recommendations [5] apply well to this and similar campaigns.

Reference

1. https://thehackernews.com/2023/09/new-hijackloader-modular-malware-loader.html
2. https://www.cisa.gov/sites/default/files/publications/Capacity_Enhancement_Guide-Counter-Phishing_Recommendations_for_Federal_Agencies.pdf

Appendix A. IOCs

IOCs observed in EDR telemetry enriched with VT reputation. Does not indicate maliciousness.

Appendix B. Content of the malicious archive files

Appendix C. Summary of TTPs