Saturday, May 28, 2022
Hackers Distribute Vidar Malware By Tricking Users with Fake Windows 11 Downloads

Hackers are tricking users with fake Windows 11 installers loaded with the Vidar info stealer, spread through newly registered phishing domains.

Analysts at the security firm Zscaler found that the spoofed websites hosted malicious ISO files which, once opened, download and install the Vidar info-stealer malware on the targeted computers.

Vidar retrieves its C2 configuration from social media channels under the threat actor's control, such as Telegram and Mastodon.

Newly registered phishing domains

Some of the fake domains were registered on 20 April; they are listed below:

  • ms-win11[.]com
  • win11-serv[.]com
  • win11install[.]com
  • ms-teams-app[.]net

In addition to attacks against YouTubers, Vidar has previously been used by threat actors to defraud VPN users.

Vidar malware

Vidar is an infamous info stealer: it is built primarily to harvest sensitive information from its victims and to spy on what they do.

The Fallout exploit kit has often been a distribution channel for Vidar. The types of data Vidar steals are listed below:

  • OS information
  • Online account credentials
  • Browser history
  • Financial data
  • Banking data
  • Cryptocurrency wallet login credentials

Distribution of the Vidar info stealer

Apart from fake Windows 11 installers, the threat actors behind Vidar also spread the malware through trojanized variants of legitimate software such as:

  • Adobe Photoshop
  • Microsoft Teams

To evade detection by security products, the ISO that contains the executable is unusually large (over 300 MB). Many scanners skip, or only partially inspect, files above a size threshold, so inflating a sample is a cheap way to stay out of reach of inspection.
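A triage check a practitioner can run on the executable extracted from such an ISO, as an added example that is not code from the Zscaler report: it parses the PE section table to find where the image really ends, measures the overlay that follows, and flags files whose overlay is mostly one repeated byte. The assumption that the inflation takes the form of a repeated-byte pad, the toy PE builder and the three sample files are all constructed for the demonstration.

```python
"""Triage heuristic for inflated executables (added example, not code from
the Zscaler report). Parses the PE section table to find where the image
ends, measures the overlay that follows, and flags files whose overlay is
mostly one repeated byte. Assumption: the inflation is a repeated-byte pad,
which is one common way a dropper is pushed past scanner size limits."""
import struct
from collections import Counter


def pe_image_end(data: bytes) -> int:
    """Offset just past the highest section raw data (or past the section table)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    end = table + num_sections * 40
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER: SizeOfRawData at +16, PointerToRawData at +20
        size_raw, ptr_raw = struct.unpack_from("<II", data, table + i * 40 + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def overlay_report(data: bytes) -> dict:
    """Size of the overlay and how much of it is a single byte value."""
    end = pe_image_end(data)
    overlay = data[end:]
    if overlay:
        byte, count = Counter(overlay).most_common(1)[0]
        run_ratio = count / len(overlay)
    else:
        byte, run_ratio = None, 0.0
    return {
        "file_size": len(data),
        "image_end": end,
        "overlay_bytes": len(overlay),
        "overlay_ratio": len(overlay) / len(data),
        "dominant_byte": byte,
        "dominant_byte_ratio": run_ratio,
    }


def looks_padded(data: bytes, min_overlay_ratio=0.5, min_run_ratio=0.95) -> bool:
    """True when most of the file is overlay and that overlay is one repeated byte."""
    r = overlay_report(data)
    return (r["overlay_ratio"] >= min_overlay_ratio
            and r["dominant_byte_ratio"] >= min_run_ratio)


def build_sample_pe(section: bytes, tail: bytes) -> bytes:
    """Constructed toy PE32 (valid headers, one .text section, not executable)."""
    e_lfanew, opt_size, ptr_raw = 0x40, 0xE0, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    sect = (b".text\0\0\0"
            + struct.pack("<IIII", len(section), 0x1000, len(section), ptr_raw)
            + b"\0" * 16)
    headers = (dos + b"PE\0\0" + coff + b"\0" * opt_size + sect).ljust(ptr_raw, b"\0")
    return headers + section + tail


# Constructed samples: a pad of 0x10 bytes, no overlay at all, and a non-uniform
# overlay (for instance an appended setup archive) that must not trip the check.
PADDED_SAMPLE = build_sample_pe(b"\x90" * 0x200, b"\x10" * 4096)
CLEAN_SAMPLE = build_sample_pe(b"\x90" * 0x200, b"")
OVERLAY_SAMPLE = build_sample_pe(b"\x90" * 0x200, bytes(range(256)) * 16)

if __name__ == "__main__":
    for name, blob in [("padded", PADDED_SAMPLE), ("clean", CLEAN_SAMPLE),
                       ("overlay", OVERLAY_SAMPLE)]:
        print(name, looks_padded(blob), overlay_report(blob))
```

The overlay ratio alone is not a verdict: plenty of legitimate installers carry a large appended archive, which is why the third sample stays clean. What singles out a padded dropper is a large overlay that is almost entirely one byte value.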

The file is signed with an expired Avast certificate, which was likely stolen in the company's October 2019 security breach. An expired certificate only produces a valid Authenticode signature if the file was timestamped while the certificate was still valid, so signature verification (the file's Digital Signatures tab or PowerShell's Get-AuthenticodeSignature) still flags the file; the signature is a lure for users who glance at the signer name, not a way past signature checks.

To steal critical and sensitive data from compromised systems, Vidar first connects to its C2 server and then requests legitimate DLL files from it; sqlite3.dll, for example, is what it needs to read the SQLite databases in which browsers keep credentials and cookies.

The requested DLL files are:

  • sqlite3.dll
  • vcruntime140.dll

In addition, the threat actor has abused Mastodon and Telegram to store the C2 IP address in the description fields of accounts and communities under its control.
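The two behaviours above (looking up a profile on a social network to obtain the C2 address, then fetching legitimate helper DLLs from that C2) give a defender a sequence to correlate in proxy logs. The following is an added detection sketch, not code from the report: it flags a client that downloads sqlite3.dll or vcruntime140.dll from a bare-IP web server within a short window of a request to a Telegram or Mastodon profile. The DLL names come from the report; the profile hosts, the ten-minute window, the log format and every log line are constructed assumptions.

```python
"""Detection sketch over proxy logs (added example, not from the report):
flag a host that fetches Vidar's helper DLLs from a bare-IP web server
shortly after looking up a Telegram or Mastodon profile. The DLL names are
the ones named in the report; the profile hosts, the 10-minute window and
every log line below are constructed assumptions."""
import re
from datetime import datetime, timedelta

HELPER_DLLS = {"sqlite3.dll", "vcruntime140.dll"}
DEAD_DROP_HOSTS = {"t.me", "telegram.org", "mastodon.social"}  # assumption
WINDOW = timedelta(minutes=10)  # assumption

# "<date> <time> <client> <method> <url>" - a constructed, simplified proxy format
LOG_LINE = re.compile(r"^(\S+ \S+) (\S+) (?:GET|POST) (https?://[^/\s]+)(\S*)")
BARE_IP_ORIGIN = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")


def parse(line: str):
    """timestamp, client, origin, path; None for lines that do not fit the format."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
        "src": m.group(2),
        "origin": m.group(3),
        "path": m.group(4),
    }


def is_dead_drop(origin: str) -> bool:
    """True when the request goes to one of the profile hosts (suffix match)."""
    host = origin.split("://", 1)[1].split(":")[0].lower()
    return any(host == d or host.endswith("." + d) for d in DEAD_DROP_HOSTS)


def find_helper_dll_fetches(lines):
    """(client, lookup_ts, fetch_ts, url) for every DLL fetch within WINDOW of a lookup."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    last_lookup = {}  # client -> time of its most recent profile lookup
    hits = []
    for e in events:
        if is_dead_drop(e["origin"]):
            last_lookup[e["src"]] = e["ts"]
            continue
        filename = e["path"].rsplit("/", 1)[-1].lower()
        if filename in HELPER_DLLS and BARE_IP_ORIGIN.match(e["origin"]):
            t0 = last_lookup.get(e["src"])
            if t0 is not None and e["ts"] - t0 <= WINDOW:
                hits.append((e["src"], t0, e["ts"], e["origin"] + e["path"]))
    return hits


# Constructed log lines (documentation IP ranges, invented clients and paths).
SAMPLE_LOG = [
    "2022-04-21 10:02:11 10.0.0.5 GET https://mastodon.social/@someprofile",
    "2022-04-21 10:02:40 10.0.0.5 GET http://203.0.113.10/sqlite3.dll",
    "2022-04-21 10:02:43 10.0.0.5 GET http://203.0.113.10/vcruntime140.dll",
    # same DLL name from a named host: a runtime mirror, no lookup, no hit
    "2022-04-21 10:05:00 10.0.0.7 GET https://download.example.com/vcruntime140.dll",
    # lookup and fetch from the same client but hours apart: outside the window
    "2022-04-21 09:00:00 10.0.0.9 GET https://t.me/somechannel",
    "2022-04-21 11:30:00 10.0.0.9 GET http://198.51.100.7/sqlite3.dll",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for src, t0, t1, url in find_helper_dll_fetches(SAMPLE_LOG):
        print(f"{src}: profile lookup at {t0:%H:%M:%S}, {url} at {t1:%H:%M:%S}")
```

Neither half of the sequence is suspicious on its own (users browse Telegram, and vcruntime140.dll is a normal download), which is why the rule only fires on the pairing from a bare-IP origin inside the window; in a real deployment the profile-host list and the window are the knobs to tune against your own baseline.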

Recommendations

A few recommendations offered by the security researchers:

  • Do not download any file or installer from unknown sources.
  • Always be cautious before opening unknown attachments.
  • Avoid cracked software, and do not download any crack for a paid version.
  • Always use a robust antivirus tool.
