Hyrax

A fake, yet convincing, VPN sign-in dialog is displayed to the user to capture the credentials. Once the information is entered by the victim, they are displayed an error message and are instructed to download the legitimate VPN client this time.

The trojans were digitally signed by a certificate issued to “Taiyuan Lihua Near Information Technology Co., Ltd.”... The digital signatures on these malicious files allowed them to bypass standard Windows security warnings and certain application allowlisting policies.

Microsoft has disclosed details of a credential theft campaign that employs fake virtual private network (VPN) clients distributed through search engine optimization (SEO) poisoning techniques.

The attack delivers its payload through a Windows Installer (MSI) package hidden inside a ZIP file. When a victim runs the fake MSI — disguised as a Pulse Secure installer — it drops Pulse.exe alongside two malicious DLL files...

"...ZIP file containing... MSI... that mimics a legitimate VPN software and side-loads malicious dynamic link library (DLL) files during installation."; "...drops malicious DLLs, dwmapi.dll and inspector.dll, into the Pulse Secure directory."

To maintain persistence, the malware adds Pulse.exe to the Windows RunOnce registry key, making it run automatically on every device restart.

To maintain persistence, the malware adds Pulse.exe to the Windows RunOnce registry key, making it run automatically on every device restart.

Users who click these results land on pages built to look identical to real VPN vendor portals, complete with matching logos and download buttons.

"...ZIP file containing... MSI... that mimics a legitimate VPN software and side-loads malicious dynamic link library (DLL) files during installation."; "...drops malicious DLLs, dwmapi.dll and inspector.dll, into the Pulse Secure directory."

The dwmapi.dll file works as an in-memory loader, executing shellcode that loads inspector.dll — a variant of the Hyrax infostealer.

"The MSI file and the malicious DLLs are signed with a valid digital certificate, which is now revoked... This abuse of code signing... bypasses default Windows security warnings... might bypass application whitelisting..."

"The fake VPN client presents a graphical user interface... prompting the user to enter their credentials... the application captures the credentials entered and exfiltrates them..."

Hyrax captures VPN credentials entered through the fake login screen and reads stored configuration data from C:\ProgramData\Pulse Secure\ConnectionStore\connectionstore.dat

A fake, yet convincing, VPN sign-in dialog is displayed to the user to capture the credentials.

"The fake VPN client presents a graphical user interface... prompting the user to enter their credentials... the application captures the credentials entered and exfiltrates them..."

the GitHub repository hosts a ZIP file containing an MSI installer file that masquerades as legitimate VPN software

"...exfiltrating them to attacker-controlled command-and-control (C2) infrastructure... (194.76.226[.]93:8080)."; "Data exfiltration: Stolen credentials and VPN configuration data are transmitted to attacker-controlled infrastructure."

Hyrax captures VPN credentials... sending everything to 194.76.226[.]93:8080.