A clever spam campaign is underway that pretends to be a WebEx meeting invite and uses a Cisco open redirect to push a Remote Access Trojan to the recipient. Using an open redirect adds legitimacy to a spam URL and increases the chances that a victim will click on it.
An open redirect is when a legitimate site allows anyone to build URLs on that site that send visitors on to a site of the URL author's choosing. This lets an attacker use the URL of a well-known and respected company to deliver malware or phishing campaigns.
For example, Google has an open redirect at the URL https://www.google.com/url?q=[url] that can be used by anyone, including attackers, to redirect a visitor through Google’s site to another site.
You can see an example of Google’s open redirect with the following URL that ultimately redirects you to example.com: https://www.google.com/url?q=https://www.example.com.
By using these types of URLs, attackers can more easily trick victims into clicking on them.
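The check below is an added example, not code from the original article or from Google or Cisco: it parses a link's query string and flags any parameter whose value is itself a URL to a different host, the pattern of the Google redirect above. The Cisco redirect's parameter name is not given on this page, so the check scans every parameter rather than assuming one; the sample links are constructed.

```python
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlparse


def embedded_redirect_targets(url: str) -> List[Tuple[str, str]]:
    """Return (param_name, target_host) for each query parameter whose value
    is an absolute or protocol-relative URL pointing at a different host."""
    outer = urlparse(url)
    outer_host = (outer.hostname or "").lower()
    found = []
    # parse_qs percent-decodes values, so an encoded "https%3A%2F%2F..." is seen too.
    for name, values in parse_qs(outer.query, keep_blank_values=True).items():
        for value in values:
            inner = urlparse(value)
            # Accept http, https and "//host" forms; anything without a netloc
            # (plain words, tracking ids) is not a redirect target.
            if inner.scheme not in ("http", "https", "") or not inner.netloc:
                continue
            target_host = (inner.hostname or "").lower()
            if target_host and target_host != outer_host:
                found.append((name, target_host))
    return found


def triage_link(url: str) -> Dict[str, object]:
    """Summarise a link the way an email-security check would: the host the
    user sees versus the host(s) the link would actually bounce them to."""
    hits = embedded_redirect_targets(url)
    return {
        "display_host": (urlparse(url).hostname or "").lower(),
        "redirect_targets": [host for _, host in hits],
        "suspicious": bool(hits),
    }


if __name__ == "__main__":
    # Constructed sample links: one open redirect, one direct link.
    samples = [
        "https://www.google.com/url?q=https://www.example.com",
        "https://www.webex.com/meet/abc123",
    ]
    for link in samples:
        print(link, "->", triage_link(link))
```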
WebEx malspam uses Cisco open redirect
A clever spam campaign discovered by Alex Lanstein using a fake WebEx meeting invite is underway that is being used to spread the WarZone Remote Access Trojan (RAT).
This malspam campaign pretends to be a WebEx meeting invite that looks almost identical to the real emails sent to participants when a WebEx meeting is created.
If you receive WebEx meeting invites, or invites from other online meeting platforms, you are familiar with how the join buttons in these invites typically prompt you to download a client. This client allows participants to see the host's screen, share their own screen, share files, chat with other users, etc.
For example, the image below shows what happens when you click on the “Start meeting” button in a legitimate WebEx meeting invite. Notice how you are brought to a site and automatically prompted to download the WebEx client, named webex.exe.
The fake invite spam found by Lanstein is no different: if you click on the “Join meeting” button, you are taken to a URL on the site http://secure-web.cisco.com/, which redirects you to another site that automatically downloads a webex.exe executable.
As WebEx is owned by Cisco, the use of this URL could easily trick a user into thinking that the webex.exe is the legitimate WebEx client that is commonly pushed on users when they join a meeting.
The only problem is that this webex.exe is not the legitimate WebEx client, but rather a RAT that gives the attacker full access to a victim’s PC.
When installed, the RAT will copy itself to %AppData%\services.exe and to %UserProfile%\MusNotificationUx\MusNotificationUx.vbs\avifil32.exe and then create an autostart entry to launch the malware on startup.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Google App Update" = "C:\Users\[login]\AppData\Roaming\services.exe"
It will also create a shortcut in the Startup folder that launches %UserProfile%\MusNotificationUx\MusNotificationUx.vbs, which in turn executes the avifil32.exe file.
Based on previous samples uploaded to Hybrid Analysis, this program is the WarZone RAT, while some VirusTotal definitions indicate that it may be the AveMaria Trojan.
Regardless of what the program is called, based on the commands found by BleepingComputer in the sample, this RAT includes the ability to:
- Download and execute software
- Execute commands
- Remotely use webcams
- Delete files
- Enable Remote Desktop Services for remote access
- Enable VNC for remote access
- Log keystrokes
- Steal Firefox and Chrome passwords
Anyone who has encountered this spam campaign and executed the webex.exe should immediately scan their computer for infections. Victims should also assume that any login credentials for sites they visit are compromised and the passwords should be changed immediately.
This spam campaign also illustrates that following the advice of checking an email URL before clicking may not always be enough. Open redirects hosted by legitimate companies are a convincing way to make a URL in a phishing campaign look legitimate, and thus more likely to be clicked.