Hackers trick users with fake Windows 11 downloads to distribute Vidar malware
Fraudulent domains posing as Microsoft’s Windows 11 download portal attempt to trick users into deploying installation files containing Trojans to infect systems with Vidar information-stealing malware.
“The spoofed sites were created to distribute malicious ISO files that lead to Vidar information stealer infection on the device,” Zscaler said in a report. “These Vidar malware variants harvest C2 configuration from attacker-controlled social media channels hosted on the Telegram and Mastodon networks.”
Some of the rogue distribution vector domains, which were registered last month on April 20, consist of ms-win11[.]com, win11-serv[.]com and win11install[.]com and ms-teams-app[.]report.
Furthermore, the cybersecurity firm has warned that the threat actor behind the impersonation campaign is also exploiting stolen versions of Adobe Photoshop and other legitimate software such as Microsoft Teams to spread Vidar malware.
The ISO file, on the other hand, contains an unusually large executable (over 300MB) in an attempt to evade detection by security solutions and is signed with an expired certificate from Avast which has likely been stolen following the breach of the latter in October 2019.
But embedded in the 330MB binary is a 3.3MB executable which is the Vidar malware, with the rest of the file contents filled with 0x10 bytes to artificially inflate the size.
In the next phase of the attack chain, Vidar establishes connections to a remote command and control (C2) server to retrieve legitimate DLL files such as sqlite3.dll and vcruntime140.dll in order to siphon off valuable data from compromised systems.
Also noteworthy is the threat actor’s abuse of Mastodon and Telegram to store the C2 IP address in the description field of accounts and communities controlled by the attacker.
The findings add to a growing list of different methods that have been discovered over the past month to distribute Vidar malware, including Microsoft Compiled HTML Help (CHM) files and a loader called Colibri.
“Threat actors distributing Vidar malware have demonstrated the ability to trick victims into installing the Vidar thief using themes related to the latest popular software applications,” the researchers said.
“As always, users should be careful when downloading software applications from the Internet and only download software from official vendor websites.”