Clever WebEx Spam Use Cisco Redirect to Deliver RAT Malware

Posted by & filed under Alerts.

A clever spam campaign is underway that pretends to be a WebEx meeting invite and uses a Cisco open redirect to push a Remote Access Trojan to the recipient. Using open redirects adds legitimacy to spam URLs and increases the chances that victims will click on a URL.

An open redirect is when a legitimate site allows unauthorized users to create URLs on that site that redirect visitors to other sites of their choosing. This allows an attacker to use the URL of a well-known and respected company to deliver malware or phishing campaigns.

For example, Google has an open redirect at the URL //[url] that can be used by anyone, including attackers, to redirect a visitor through Google’s site to another site.

You can see an example of Google’s open redirect with the following URL that ultimately redirects you to //

By using these types of URLs, attackers can more easily trick victims into clicking on them.
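To make the open-redirect problem concrete, here is an added Python example (not code from the original article, Cisco or Google). It assumes a hypothetical site whose /redirect endpoint takes a url parameter, and shows the vulnerable handler beside a hardened one that only redirects to an allowlisted host, plus the kind of check a mail filter can run on a link to see whether the host the user sees is the host they would actually land on. All hostnames and links below are constructed for the example.

```python
from urllib.parse import urlparse, parse_qs

# Hosts the hypothetical application is allowed to send users to.
ALLOWED_REDIRECT_HOSTS = {"example.com", "www.example.com"}

# Query parameters commonly used to carry a redirect destination.
REDIRECT_PARAMS = ("url", "redirect", "next", "target")


def redirect_target_vulnerable(request_url: str) -> str:
    """Open redirect: trusts whatever the 'url' parameter says and sends the
    browser there, so anyone can mint a link on this site that lands elsewhere."""
    query = parse_qs(urlparse(request_url).query)
    return query.get("url", [""])[0]


def redirect_target_hardened(request_url: str) -> str:
    """Same endpoint, fixed: absolute targets must be http(s) to an allowlisted
    host; relative paths may stay on-site; everything else falls back to '/'."""
    target = parse_qs(urlparse(request_url).query).get("url", [""])[0]
    parsed = urlparse(target)
    if parsed.scheme in ("http", "https") and parsed.hostname in ALLOWED_REDIRECT_HOSTS:
        return target
    # A path starting with a single '/' stays on this site. '//host' is a
    # protocol-relative URL that would leave the site, so it is rejected.
    if target.startswith("/") and not target.startswith("//"):
        return target
    return "/"


def inspect_link(link: str) -> dict:
    """Mail-filter style check: report the host shown in the link and the host
    a redirect parameter would really send the user to."""
    parsed = urlparse(link)
    query = parse_qs(parsed.query)
    for name in REDIRECT_PARAMS:
        if name in query:
            dest = urlparse(query[name][0])
            if dest.hostname and dest.hostname != parsed.hostname:
                return {
                    "visible_host": parsed.hostname,
                    "final_host": dest.hostname,
                    "off_site_redirect": True,
                }
    return {
        "visible_host": parsed.hostname,
        "final_host": parsed.hostname,
        "off_site_redirect": False,
    }


# Constructed link in the shape of the campaign: a trusted-looking host whose
# redirect parameter points somewhere else entirely.
SAMPLE_LINK = (
    "https://example.com/redirect?url="
    "https%3A%2F%2Fdownload.attacker-controlled.test%2Fwebex.exe"
)

if __name__ == "__main__":
    print(inspect_link(SAMPLE_LINK))
    print("vulnerable ->", redirect_target_vulnerable(SAMPLE_LINK))
    print("hardened  ->", redirect_target_hardened(SAMPLE_LINK))
```

The hardened handler compares the parsed hostname, not a string prefix, so variants such as a protocol-relative //host or a host that merely begins with the trusted name are rejected rather than matched.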

WebEx malspam uses Cisco open redirect

A clever spam campaign discovered by Alex Lanstein using a fake WebEx meeting invite is underway that is being used to spread the WarZone Remote Access Trojan (RAT).

This malspam campaign pretends to be a WebEx meeting invite that looks almost identical to the real emails sent to participants when a WebEx meeting is created.

Fake WebEx Meeting Email


If you are the recipient of WebEx meetings, or invites from other online meeting platforms, you are also familiar with how the join buttons in these invites typically prompt you to download a client. This client allows participants to see the host's screen, share their screen, share files, chat with other users, etc.

For example, the image below shows what happens when you click on the “Start meeting” button in a legitimate WebEx meeting invite. Notice how you are brought to a site and automatically prompted to download the WebEx client named webex.exe.

Legitimate invite downloading the webex.exe client


The fake invite spam found by Lanstein is no different: if you click on the “Join meeting” button, you will be connected to a URL on the site //, which will redirect you to another site that automatically downloads a webex.exe executable.

As WebEx is owned by Cisco, the use of this URL could easily trick a user into thinking that the webex.exe is the legitimate WebEx client that is commonly pushed on users when they join a meeting.

The only problem is that this webex.exe is not the legitimate WebEx client, but rather a RAT that gives the attacker full access to a victim’s PC.

When installed, the RAT will copy itself to %AppData%\services.exe and to %UserProfile%\MusNotificationUx\MusNotificationUx.vbs\avifil32.exe and then create an autostart to launch the malware on startup.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Google App Update" = "C:\Users\[login]\AppData\Roaming\services.exe"

It will also create a shortcut in the Startup folder that launches %UserProfile%\MusNotificationUx\MusNotificationUx.vbs, which in turn executes the avifil32.exe file.

VBS File
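The two persistence mechanisms described above (a Run key value pointing at a copy of the malware under %AppData%, and a Startup-folder shortcut that launches a .vbs script) are the kind of thing an autorun review can flag. The Python below is an added example written for this page, not tooling from BleepingComputer or a product; it runs rule checks over constructed Run-key and Startup-folder records shaped like the ones in the article. Sample user name, paths and the innocuous entries are made up for the example; the rules themselves are generic (a system-binary name living in a user-writable folder, a vendor-sounding value name whose target is outside that vendor's folder, and a script file launched at startup).

```python
import ntpath  # Windows path semantics even when run on another OS

# Names of binaries that belong in System32, not in a user profile.
SYSTEM_BINARY_NAMES = {
    "services.exe", "svchost.exe", "lsass.exe", "csrss.exe",
    "winlogon.exe", "explorer.exe",
}
SCRIPT_EXTENSIONS = {".vbs", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1", ".hta"}
EXEC_EXTENSIONS = {".exe", ".com", ".scr"} | SCRIPT_EXTENSIONS
VENDOR_HINTS = ("google", "microsoft", "adobe")

# Constructed records, not real telemetry: (key, value name, command line).
SAMPLE_RUN_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Google App Update",
     r"C:\Users\alice\AppData\Roaming\services.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\system32\SecurityHealthSystray.exe"),
]
# Constructed Startup-folder items: (shortcut path, resolved target).
SAMPLE_STARTUP_ITEMS = [
    (r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MusNotificationUx.lnk",
     r"C:\Users\alice\MusNotificationUx\MusNotificationUx.vbs"),
]


def first_token(command: str) -> str:
    """Extract the program path from a Windows command line. Handles a quoted
    path, and for unquoted paths with spaces grows the prefix until it ends in
    a known executable extension."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = command.split(" ")
    for i in range(1, len(parts) + 1):
        candidate = " ".join(parts[:i])
        if ntpath.splitext(candidate)[1].lower() in EXEC_EXTENSIONS:
            return candidate
    return parts[0]


def user_writable(path: str) -> bool:
    """True for locations an unprivileged user can write to (profile, AppData)."""
    low = path.lower().replace("/", "\\")
    return (low.startswith("c:\\users\\") or "\\appdata\\" in low
            or low.startswith("%appdata%") or low.startswith("%userprofile%"))


def assess_run_entry(key: str, name: str, command: str) -> list:
    """Return the rule names a Run-key value trips (empty list = nothing odd)."""
    findings = []
    exe = first_token(command)
    base = ntpath.basename(exe).lower()
    if user_writable(exe) and base in SYSTEM_BINARY_NAMES:
        findings.append("system-binary name in user-writable path")
    if user_writable(exe) and ntpath.splitext(base)[1] in SCRIPT_EXTENSIONS:
        findings.append("script launched from user profile")
    for vendor in VENDOR_HINTS:
        if vendor in name.lower() and ("\\" + vendor + "\\") not in exe.lower():
            findings.append("vendor-looking value name outside vendor folder")
            break
    return findings


def assess_startup_item(shortcut: str, target: str) -> list:
    """Return the rule names a Startup-folder shortcut trips."""
    findings = []
    if ntpath.splitext(target)[1].lower() in SCRIPT_EXTENSIONS:
        findings.append("startup shortcut runs a script file")
    if user_writable(target) and "\\appdata\\" not in target.lower():
        findings.append("startup target in loose profile folder")
    return findings


def scan(run_entries, startup_items) -> list:
    """Collect every record that tripped at least one rule."""
    hits = []
    for key, name, command in run_entries:
        found = assess_run_entry(key, name, command)
        if found:
            hits.append({"location": key + " -> " + name, "findings": found})
    for shortcut, target in startup_items:
        found = assess_startup_item(shortcut, target)
        if found:
            hits.append({"location": shortcut, "findings": found})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_RUN_ENTRIES, SAMPLE_STARTUP_ITEMS):
        print(hit["location"], "::", ", ".join(hit["findings"]))
```

On a live Windows host the same rules can be fed from the Run keys and the Startup folders directly; the constructed records here only stand in for that input so the logic can be run anywhere.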

Based on previous samples uploaded to Hybrid Analysis, this program is the WarZone RAT, while some VirusTotal definitions indicate that it may be the AveMaria Trojan.

Regardless of what the program is called, based on the commands found by BleepingComputer in the sample, this RAT includes the ability to:

  • Download and execute software
  • Execute commands
  • Remotely use webcams
  • Delete files
  • Enable Remote Desktop Services for remote access
  • Enable VNC for remote access
  • Log keystrokes
  • Steal Firefox and Chrome passwords

Anyone who has encountered this spam campaign and executed the webex.exe should immediately scan their computer for infections. Victims should also assume that any login credentials for sites they visit are compromised and the passwords should be changed immediately.

This spam campaign also illustrates that following the advice of checking an email URL before clicking may not always be enough. The use of open redirects from legitimate companies is a convincing method of making a URL in a phishing campaign look legitimate and thus more likely to be clicked.


Source: the information in this article is gathered from Bleeping Computer.