During an OSINT activity, our Malware Lab spotted a suspicious website offering the download of a ZIP file via a MediaFire link.
This ZIP file contained a legitimate executable signed by CISCO that, when executed, displayed malicious behaviour.
Inside the initial ZIP file was a second ZIP file protected by a password provided on the website.
Both ZIP files had names with special characters. The second ZIP file contained several files, including a malicious DLL and an executable called 'setup.exe'.
Although 'setup.exe' was legitimate and signed by CISCO, running it on a dynamic analysis platform (AnyRun), malicious behaviour was observed.
This happens because during execution the executable is infected by one of the DLLs included in the ZIP file, through a technique known as DLL side-loading.
The infection chain involves HijackLoader, a malware loader used to distribute payloads through evasive techniques. The sample analysed by the Malware Lab distributes Vidar, a malware that collects credentials from various application profiles, banking details and information on two-factor authentication (2FA) software and Tor Browser.
This report illustrates how DLL side-loading is exploited to execute unauthorised code from a legitimate installer, highlighting the infection chain that leads to the installation of HijackLoader and Vidar.
If you wish to learn more, here is the link to our full report.
In addition, you can subscribe to the specific mailing list Cyber Studios by Tinexta Defence, to receive updates on upcoming research: https://tinextadefence.it/mailing-list-cyber-studios/
