Fraudulent domains posing as Microsoft’s Windows 11 download portal are trying to trick users into deploying installation files infected with trojans to infect systems with Vidar information-stealing malware.
“Spoofing websites created to distribute malicious ISO files lead to the infection of Vidar credential stealing software on terminals,” Zscaler said in a report. “Variants of this Vidar malware derive C2 profiles from attacker-controlled social media channels hosted on Telegram and Mastodon networks.”
Several rogue distribution vector domains, registered last month on April 20, including ms-win11[.]com, win11-serv[.]com and win11install[.]com and ms-team-app[.]net.
In addition, the cybersecurity company also warned that the threat actor behind the impersonation campaign is also taking advantage of censored versions of Adobe Photoshop and other legitimate software such as Microsoft Teams to distribute malware. Vidar malware.
For its part, the ISO file contains an unusually large executable (more than 300MB) that attempts to evade detection by security solutions and is signed with an expired certificate from Avast that could potentially be stolen after breach in October 2019.
But embedded in the 330MB binary is the 3.3MB executable, which is the Vidar malware, with the rest of the file contents padded with 0x10 bytes to artificially increase the size.
In the next stage of the attack chain, Vidar establishes connections to the remote control and control (C2) server to retrieve legitimate DLLs such as sqlite3.dll and vcruntime140.dll to get the data available. value from compromised systems.
Also notable is the threater’s abuse of Mastodon and Telegram to store the C2 IP address in the description field of accounts and communities controlled by the attacker.
The findings add to the growing list of different methods discovered over the past month for distributing Vidar malware, including Microsoft compiled HTML Help (CHM) files and a browser. download named Colibri.
Threats to deliver Vidar malware have demonstrated their ability to get social engineer victims to install Vidar stealing software using topics related to the apps, the researchers said. using the latest popular software,” the researchers said.
“As always, users should exercise caution when downloading software applications from the Internet and only download software from official vendor websites.”
