Vidar malware spreads through fake Windows 11 and Adobe websites
The Zscaler ThreatLabZ team has discovered new distribution mechanisms for the Vidar infostealer that lean on well-known brand names for their social engineering. The analysts became aware of the campaigns through newly registered domains that mimic Microsoft's official Windows 11 download portal. These fake domains serve ISO files containing the Vidar malware, which is used to infect the endpoint. After the initial infection, the malware obtains the details it needs for command-and-control (C2) communication from profiles the attackers created for this purpose on the social media services Telegram and Mastodon. In addition, the team identified an attacker-controlled GitHub repository containing several fake versions of Adobe Photoshop; the binaries hosted there spread Vidar using a similar tactic.
C2 addresses fetched from Telegram and Mastodon
All binaries involved in this campaign obtain the IP addresses of their C2 servers from social media accounts that the malware operators registered on Telegram and Mastodon. Abusing Telegram for this purpose is a new tactic in the attackers' arsenal. Mastodon, in turn, is a decentralized social network that lets anyone run their own self-hosted instance, and many such instances exist on the Internet.
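The technique described above is commonly called a "dead drop resolver": the binary carries no C2 address at all, only the location of a public profile, and extracts the address from that profile at run time. The following Python is an added illustration written for this article, not code from the Zscaler report or from Vidar. The profile documents, the "|||" delimiter and the ip:port layout inside the bio are constructed assumptions; the page does not describe the real format. Addresses from the RFC 5737 documentation ranges stand in for real servers.

```python
"""Added example: emulating a dead drop resolver that pulls a C2 address
out of a social media profile bio, plus the sanity checks a resolver (or an
analyst reproducing one) needs. Profile format is an assumption."""
import ipaddress
import json
import re
from typing import List, Optional, Tuple

# Constructed sample profiles (not real data). Mastodon returns the bio as
# HTML in the "note" field; the delimiter layout is assumed for illustration.
SAMPLE_PROFILES = {
    "mastodon": json.dumps({
        "username": "example_account",
        "note": "<p>Just here for the music ||| 203.0.113.45:443 |||</p>",
    }),
    # A decoy carrying only private/loopback addresses: a resolver that
    # trusted these would end up talking to the victim's own network.
    "decoy": json.dumps({
        "username": "example_decoy",
        "note": "home lab: 192.168.1.10:8080 and 127.0.0.1",
    }),
    "empty": json.dumps({"username": "nobody"}),
}

# Ranges that can never be a reachable C2 server on the public Internet.
_UNROUTABLE = [
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("100.64.0.0/10"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("224.0.0.0/3"),  # multicast and class E
]

# Dotted quad with an optional :port suffix.
_ADDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?\b")


def strip_html(text: str) -> str:
    """Reduce an HTML bio to plain text so tags never split an address."""
    return re.sub(r"<[^>]+>", " ", text)


def routable(addr: ipaddress.IPv4Address) -> bool:
    """True if the address is outside every unroutable range above."""
    return not any(addr in net for net in _UNROUTABLE)


def extract_c2_candidates(bio: str) -> List[Tuple[str, int]]:
    """Return (ip, port) pairs found in a bio, keeping only routable
    addresses with a valid port. A missing port defaults to 443 (assumed)."""
    found = []
    for ip_text, port_text in _ADDR_RE.findall(strip_html(bio)):
        try:
            addr = ipaddress.IPv4Address(ip_text)
        except ValueError:
            continue  # e.g. 999.1.1.1 matches the regex but is not an address
        port = int(port_text) if port_text else 443
        if routable(addr) and 1 <= port <= 65535:
            found.append((str(addr), port))
    return found


def resolve_c2(profile_json: str) -> Optional[Tuple[str, int]]:
    """Emulate the resolver: parse the profile and take the first usable
    address, or None when the profile carries nothing usable."""
    profile = json.loads(profile_json)
    candidates = extract_c2_candidates(profile.get("note", ""))
    return candidates[0] if candidates else None


if __name__ == "__main__":
    for name, doc in SAMPLE_PROFILES.items():
        print(f"{name}: {resolve_c2(doc)}")
```

For defenders the useful observation is the inverse of this code: a process that is not a browser or messaging client fetches a Telegram or Mastodon profile and, shortly afterwards, opens a connection to an IP address that appeared nowhere in its own binary. Pairing proxy logs for those services with subsequent outbound connections from the same process is a practical way to surface this pattern.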
The threat actors behind the Vidar infostealer have shown that they rely on social engineering to get victims to install the malware. Users should be wary of downloading software from any site other than the vendor's official website. The Zscaler ThreatLabZ team has published the Indicators of Compromise and a detailed technical analysis of the campaigns in its current blog post.