Cisco open redirect vulnerability is exploited by spam to send victims to a malware download site

Posted by trammel at 2020-04-08

Instant news, 2019-11-09 21:55:28

Abstract: according to a November 9 report on Leifeng.com, researchers have found a new spam campaign that disguises itself as a WebEx meeting invitation (WebEx is a Cisco subsidiary that builds software solutions for companies of all sizes) and abuses an open redirect vulnerability on a Cisco site to push a remote access Trojan to recipients. The spam is made to look like a WebEx meeting video invitation email and delivers the WarZone remote access Trojan (RAT).

According to Leifeng.com on November 9, researchers have found a new spam campaign that disguises itself as a WebEx meeting invitation (WebEx is a Cisco subsidiary that builds software solutions for companies of all sizes) and uses an open redirect vulnerability on a Cisco site to push a remote access Trojan to the recipient.

An open redirect vulnerability, the researchers explained, lets an attacker use a legitimate site to send visitors to any destination the attacker chooses: the site builds its redirect from a URL parameter that any unauthenticated user can set, so anyone can craft a URL on the trusted domain that lands elsewhere.

This lets attackers put a well-known company's domain in the links of malware or phishing campaigns, which makes the spam URL look legitimate and increases the chance that victims click it.
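As an added illustration (not code from the article and not Cisco's code), the following Python shows what an open redirect looks like in a web handler and how the same handler is hardened so that only same-site destinations survive. The parameter value, the `legit.example` origin and the allowlist are assumptions; the tricky inputs (protocol-relative, backslash and triple-slash forms, a `user@host` authority) are the ones a redirect validator is commonly tested against.

```python
"""Open redirect: the naive handler beside a hardened one.

Added example; the `legit.example` origin and the allowlist are assumptions,
not taken from the article or from Cisco's site.
"""
from urllib.parse import urljoin, urlsplit

SITE_ORIGIN = "https://legit.example"                    # assumed site doing the redirect
ALLOWED_HOSTS = {"legit.example", "www.legit.example"}  # assumed same-site allowlist


def naive_redirect_target(next_param: str) -> str:
    """The bug: whatever arrives in the parameter becomes the Location header,
    so a mail link on the trusted domain can land anywhere the sender chooses."""
    return next_param


def safe_redirect_target(next_param: str, fallback: str = "/") -> str:
    """Hardened: only same-site destinations survive, everything else falls back.

    Checks, in order:
      * empty input or control characters -> fallback
      * backslashes become slashes first, because browsers treat "/\\host"
        like "//host" for http(s) URLs
      * a target with a scheme or an authority must be https and its host
        (not the userinfo before '@') must be on the allowlist
      * otherwise the target must be a site-relative path: exactly one leading
        slash, since browsers read "//host" and "///host" as an authority
    """
    if not next_param or any(ord(c) < 0x20 for c in next_param):
        return fallback
    candidate = next_param.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
            return fallback
        return candidate
    if not candidate.startswith("/") or candidate.startswith("//"):
        return fallback
    return urljoin(SITE_ORIGIN, candidate)


if __name__ == "__main__":
    for raw in ("/meeting/join?id=1", "https://evil.example/webex.exe",
                "//evil.example", "/\\evil.example", "///evil.example"):
        print(f"{raw!r:34} naive -> {naive_redirect_target(raw)!r:34} "
              f"safe -> {safe_redirect_target(raw)!r}")
```

The design choice worth noting is that the hardened version does not try to recognise bad destinations; it only recognises good ones (a single-slash relative path, or an https URL whose parsed host is on the allowlist) and falls back for everything else, which is what closes the class of bug the article describes.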

WebEx meeting email redirects to a malicious site

The attacker disguised the spam as a WebEx meeting video invitation email and used it to deliver the WarZone remote access Trojan (RAT).

The researchers note that the spam is at first indistinguishable from a genuine WebEx meeting invitation, down to detailed installation steps that mimic the real WebEx video software.

The difference is that its download link abuses the open redirect vulnerability to send the recipient to another site.

Legitimate invitation to download webex.exe client

When the user clicks the button to download the meeting client, the link redirects to a site that silently serves the remote access Trojan. Once installed, the client allows participants to view the host's screen, share their own screen, share files, chat with other users, and so on.

Because WebEx is owned by Cisco, a link on a Cisco URL is likely to make users believe that webex.exe is the legitimate WebEx client, which is normally offered to users when they join a meeting.

The only problem is that this webex.exe is not the legitimate WebEx client but a RAT that gives the attacker full access to the victim's PC.

Fake WebEx meeting email

Attack process

After installation, the RAT copies itself to %AppData%\services.exe and to %UserProfile%\MusNotificationUx\ as MusNotificationUx.vbs and avitil32.exe, then creates an autorun entry so the malware runs at every startup.

It also creates a shortcut in the Startup folder that launches %UserProfile%\MusNotificationUx\MusNotificationUx.vbs, and that script in turn executes the avitil32.exe file.
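The persistence described in the two paragraphs above leaves artefacts an autorun inventory can be checked against. The Python below is an added example, not code from the article: it runs three checks over a constructed inventory (a core Windows binary name such as services.exe living outside System32, a script launched from the Startup folder, and the specific paths the article names). The inventory format, the user name "alice" and the benign entries are constructed; only the indicator paths come from the article.

```python
"""Hunt for the persistence described above on an autorun inventory.

Added example, not from the article. The inventory format (location, name,
command) and the user name/paths are constructed; the indicators are the
ones the article names: services.exe dropped under %AppData%, and a .vbs in
the Startup folder that launches avitil32.exe from %UserProfile%\\MusNotificationUx.
"""
import re
from typing import Dict, List, NamedTuple


class AutorunEntry(NamedTuple):
    location: str   # registry Run key path, or "StartupFolder"
    name: str       # value name or shortcut file name
    command: str    # command line as stored


# Names of core Windows binaries; a copy of one of these outside System32 is suspect.
SYSTEM_BINARY_NAMES = {"services.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta")
# Indicators taken from the article (lower-case; paths are compared lower-cased).
KNOWN_IOC_PATTERNS = [
    r"\\appdata\\roaming\\services\.exe$",            # %AppData%\services.exe
    r"\\musnotificationux\\avitil32\.exe$",           # %UserProfile%\MusNotificationUx\avitil32.exe
    r"\\musnotificationux\\musnotificationux\.vbs$",  # the Startup-folder launcher script
]
PATH_RE = re.compile(r'"([^"]+)"|([A-Za-z]:\\[^\s"]+)')  # quoted path, or bare drive-letter path


def extract_paths(command: str) -> List[str]:
    """Pull file paths out of a stored command line (quoted or bare)."""
    return [quoted or bare for quoted, bare in PATH_RE.findall(command)]


def analyse_entry(entry: AutorunEntry) -> List[str]:
    """Return human-readable findings for one autorun entry (empty list = nothing suspicious)."""
    findings: List[str] = []
    for raw in extract_paths(entry.command):
        path = raw.lower()
        basename = path.rsplit("\\", 1)[-1]
        if basename in SYSTEM_BINARY_NAMES and "\\windows\\system32\\" not in path:
            findings.append(f"system binary name outside System32: {raw}")
        if entry.location.lower() == "startupfolder" and basename.endswith(SCRIPT_EXTENSIONS):
            findings.append(f"script launched from the Startup folder: {raw}")
        if any(re.search(pattern, path) for pattern in KNOWN_IOC_PATTERNS):
            findings.append(f"matches an indicator from the WarZone report: {raw}")
    return findings


def scan(entries: List[AutorunEntry]) -> Dict[str, List[str]]:
    """Map entry name -> findings, for entries that produced at least one finding."""
    result: Dict[str, List[str]] = {}
    for entry in entries:
        findings = analyse_entry(entry)
        if findings:
            result[entry.name] = findings
    return result


RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_INVENTORY = [  # constructed; "alice" and the benign entries are made up
    AutorunEntry(RUN_KEY, "OneDrive",
                 r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    AutorunEntry(RUN_KEY, "services", r"C:\Users\alice\AppData\Roaming\services.exe"),
    AutorunEntry("StartupFolder", "MusNotificationUx.lnk",
                 r'wscript.exe "C:\Users\alice\MusNotificationUx\MusNotificationUx.vbs"'),
    AutorunEntry("StartupFolder", "Example Updater.lnk",
                 r'"C:\Program Files\Example\updater.exe" --quiet'),
]

if __name__ == "__main__":
    for name, findings in scan(SAMPLE_INVENTORY).items():
        print(name)
        for finding in findings:
            print("   ", finding)
```

The first two checks are generic and keep working after the attacker renames files; the third is the exact-path match that confirms this particular campaign. On a real host the inventory would come from the Run keys and the Startup folder rather than from the constructed list.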

According to earlier samples uploaded to Hybrid Analysis, this program is the WarZone RAT, and some VirusTotal detections label it as the AveMaria Trojan.

Based on the commands found in the attack sample, the RAT has the following functions:

Download and execute software

Execute commands

Remotely access the webcam

Delete files

Enable Remote Desktop Services for remote access

Enable VNC for remote access

Log keystrokes

Steal Firefox and Chrome passwords

Anyone hit by this attack should scan their computer for infection immediately, assume that every login credential used on that computer has been compromised, and change those passwords right away.

Reference link: bleepingcomputer

For more content, follow the Leifeng.com network security column or its WeChat public account.