
Hackers Weaponize Cisco Webex Meetings App to Deliver Malware

Absolute Computer System

Cybercriminals have come up with a new information-stealing campaign using Cisco Webex apps.

Security researchers uncovered this operation and documented the attackers' tactics, techniques, and procedures (TTPs). They mapped those TTPs to the MITRE ATT&CK framework and used the mapping to identify possible detection points.

Researchers characterized the attack by examining the campaign's behavior and by analyzing its communications with the command and control (C2) server.

A Brief Overview of the Attack

Cybercriminals used social engineering to make users download password-protected archives. These ZIP files looked like legitimate software.

The archive filename itself carried the password (for example !$Full_pAssW0rd_4434_$etup.zip). The attackers also packaged these archives inside RAR archives and text files.

A VirusTotal search turned up about 400 submissions with identical filenames since 2024, which points to a broader campaign. It also suggests the attackers chose victims through common search terms, focusing on people looking for pirated software. The filenames also used patterns such as “!@Full_FiIe_lnSide@!” or “!@passcode_”.

How the Malware Worked

The attacker tricked a user into running a malicious file disguised as a legitimate Cisco Webex installer (Setup.exe). This abused a DLL side-loading weakness in the genuine ptService.exe module: the trusted executable loaded a malicious DLL placed alongside it, which launched a hidden loader program.

The loader then injected itself into a different, trusted process (more.com), which further obscured the malicious activity.

The attack had several stages, combining social engineering (T1204), DLL side-loading (T1574.002), and process injection (T1055).

This campaign highlights the advanced methods attackers use today. By working through the detailed TTPs and mapping them to the MITRE ATT&CK framework, security experts were able to detect these attacks and learn from them.
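An added detection sketch, not from the original article or from the researchers it cites, that turns the chain above into the kind of detection points the article mentions: three rules run over constructed Sysmon-style events. It assumes the loader, running inside the side-loaded ptService.exe, spawns more.com and injects into it; the sample paths, the DLL name and the TRUSTED_ROOTS heuristic are assumptions made for the example.

```python
"""Toy detections for the ptService.exe -> more.com chain described above.
Events are constructed Sysmon-style records (Event ID 7 image load, 1 process
create, 8 CreateRemoteThread); field names follow Sysmon, values are made up."""
from pathlib import PureWindowsPath

# Directories a signed vendor binary should normally load DLLs from (heuristic).
TRUSTED_ROOTS = ("c:\\program files", "c:\\program files (x86)", "c:\\windows")

def _basename(path):
    return PureWindowsPath(path or "").name.lower()

def _under_trusted_root(path):
    p = path.lower().replace("/", "\\")
    return any(p.startswith(root + "\\") for root in TRUSTED_ROOTS)

def detect(events):
    """Return (ATT&CK technique, reason) findings for the given events."""
    findings = []
    for e in events:
        image, eid = _basename(e.get("Image")), e["EventID"]
        if eid == 7 and image == "ptservice.exe":
            # T1574.002: the real Webex helper loading an unsigned DLL, or any
            # DLL from a user-writable directory such as Downloads or Temp
            dll = e["ImageLoaded"]
            if not e.get("Signed", False) or not _under_trusted_root(dll):
                findings.append(("T1574.002", f"ptService.exe loaded {dll}"))
        elif eid == 1 and image == "more.com":
            # T1055: more.com is a console pager; the Webex helper has no reason
            # to spawn it, so this parent/child pair is the injection tell
            if _basename(e.get("ParentImage")) == "ptservice.exe":
                findings.append(("T1055", f"more.com spawned by {e['ParentImage']}"))
        elif eid == 8 and _basename(e.get("TargetImage")) == "more.com":
            # T1055: a remote thread created inside more.com by another image
            findings.append(("T1055", f"thread injected into more.com from {e['SourceImage']}"))
    return findings

# Constructed sample telemetry: one side-loaded run plus two benign events.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\v\Downloads\Setup\ptService.exe",
     "ImageLoaded": r"C:\Users\v\Downloads\Setup\sideloaded.dll", "Signed": False},
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\ptService.exe",  # placeholder
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": True},
    {"EventID": 1, "Image": r"C:\Windows\System32\more.com",
     "ParentImage": r"C:\Users\v\Downloads\Setup\ptService.exe"},
    {"EventID": 8, "SourceImage": r"C:\Users\v\Downloads\Setup\ptService.exe",
     "TargetImage": r"C:\Windows\System32\more.com"},
    {"EventID": 1, "Image": r"C:\Windows\System32\more.com",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]
```

Calling detect(SAMPLE_EVENTS) yields one T1574.002 finding for the unsigned DLL loaded from Downloads and two T1055 findings for more.com, while the Program Files load and the cmd.exe-spawned pager stay silent.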