Cisco open redirect vulnerability exploited: spam emails send recipients to a malware download site
Instant news | 2019-11-09 21:55:28 | Technology
Abstract: according to Lei feng.com on November 9, researchers have found a new spam campaign that disguises itself as a meeting invitation from WebEx (a Cisco subsidiary that builds collaboration software for companies of all sizes) and abuses an open redirect vulnerability on a Cisco site to push a remote access Trojan to recipients. The attacker dressed the spam up as a WebEx video meeting invitation and used it to deliver the WarZone remote access Trojan (RAT).
According to Lei feng.com on November 9, researchers have found a new spam campaign that disguises itself as a WebEx meeting invitation (WebEx is a Cisco subsidiary that builds collaboration software for companies of all sizes) and uses an open redirect vulnerability on a Cisco site to push a remote access Trojan to the recipient.
An open redirect vulnerability exists when a legitimate site lets an unauthenticated user craft a URL on that site which forwards visitors to any destination the attacker chooses, the researchers said.
This lets attackers put a well-known company's URL in front of malware or phishing pages, which lends the spam's link legitimacy and raises the chance that a victim clicks it.
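To make the open redirect problem described above concrete, here is an added example (not code from the page, from Cisco or from WebEx) showing the weak redirect pattern beside a hardened check; the host names and the `next` parameter are constructed for the example.

```python
"""Added example: an open-redirect check. Not Cisco's or WebEx's code;
all host names below are constructed placeholders."""
from urllib.parse import urlsplit

# Hosts this site is allowed to forward a visitor to (constructed).
ALLOWED_HOSTS = {"meetings.example.com", "www.example.com"}


def vulnerable_redirect_target(next_url: str) -> str:
    """Weak pattern: the 'next' parameter is used verbatim, so a link such as
    https://www.example.com/login?next=https://evil.invalid/webex.exe sends the
    recipient to an attacker's download site while showing a trusted domain."""
    return next_url


def safe_redirect_target(next_url: str, default: str = "/") -> str:
    """Hardened form: accept only same-site relative paths or http(s) URLs to
    an allow-listed host; everything else falls back to a fixed default."""
    if not next_url or len(next_url) > 2048:
        return default
    # Browsers treat backslashes like slashes, so normalise first: otherwise
    # '/\\evil.invalid' would parse as a relative path but load a foreign host.
    candidate = next_url.replace("\\", "/")
    parts = urlsplit(candidate)
    if not parts.netloc:
        # Relative path: require a single leading '/' (two would be
        # protocol-relative) and no scheme such as javascript: or data:.
        if not parts.scheme and candidate.startswith("/") \
                and not candidate.startswith("//"):
            return candidate
        return default
    # Absolute URL: scheme must be http(s) and the *parsed* hostname must be
    # allow-listed (defeats 'www.example.com@evil.invalid' and
    # 'www.example.com.evil.invalid' lookalikes).
    if parts.scheme in ("http", "https") and \
            (parts.hostname or "").lower() in ALLOWED_HOSTS:
        return candidate
    return default


if __name__ == "__main__":
    for probe in ("/dashboard", "//evil.invalid/webex.exe",
                  "https://www.example.com@evil.invalid/", "javascript:alert(1)",
                  "https://meetings.example.com/join/123"):
        print(f"{probe!r:45} -> {safe_redirect_target(probe)!r}")
```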
WebEx meeting email redirects to a malicious site
The attacker dressed the spam up as a WebEx video meeting invitation and used it to deliver the WarZone remote access Trojan (RAT).
In fact, the researchers believe the spam was practically indistinguishable from a genuine WebEx meeting invitation, down to detailed installation steps that mimic those for the real WebEx video software.
The difference is that the link abuses the open redirect to send the recipient to a different site.
Legitimate invitation to download the webex.exe client
When the user clicks the button to download the meeting program, the link redirects to a site that automatically installs the remote access Trojan. Once installed, the WebEx client lets participants view the host's screen, share their own screen, share files, chat with other users, and so on.
Because WebEx is owned by Cisco, a link on this URL is likely to make users believe that webex.exe is the legitimate WebEx client, which is normally pushed to users when they join a meeting.
The only problem is that this webex.exe is not the legitimate WebEx client but a RAT that gives the attacker full access to the victim's PC.
Fake WebEx meeting email
Attack process
After installation, the RAT copies itself to %appdata%\services.exe and %userprofile%\musnotificationux\musnotificationux.vbs\avitil32.exe, then creates an autorun entry so the malware launches at startup.
It also creates a shortcut in the Startup folder that launches %userprofile%\musnotificationux\musnotificationux.vbs, which in turn executes the avitil32.exe file.
According to earlier samples uploaded to Hybrid Analysis, this program is the WarZone RAT, and some VirusTotal detections indicate that it may be the AveMaria Trojan.
Based on the commands found in the analysed sample, the RAT has the following functions:
Download and execute software
Execute commands
Remotely use the webcam
Delete files
Enable Remote Desktop Services for remote access
Enable VNC for remote access
Log keystrokes
Steal Firefox and Chrome passwords
Users hit by this attack should immediately scan their computers for infection, assume that all credentials for websites they have logged into are compromised, and change those passwords right away.
Reference link: bleepingcomputer