Hackers Trick Users with Fake Windows 11 Downloads to Distribute Vidar Malware

Fraudulent domains masquerading as Microsoft’s Windows 11
download portal are attempting to trick users into deploying
trojanized installation files to infect systems with the Vidar
information stealer malware.

“The spoofed sites were created to distribute malicious ISO
files which lead to a Vidar info-stealer infection on the
endpoint,” Zscaler said[1]
in a report. “These variants of Vidar malware fetch the C2
configuration from attacker-controlled social media channels hosted
on Telegram and Mastodon network.”

Some of the rogue distribution domains, which were registered last
month on April 20, include ms-win11[.]com, win11-serv[.]com,
win11install[.]com, and ms-teams-app[.]net.

In addition, the cybersecurity firm cautioned that the threat
actor behind the impersonation campaign is also leveraging
backdoored versions of Adobe Photoshop and other legitimate
software such as Microsoft Teams to deliver Vidar malware.

The ISO file, for its part, contains an executable that’s
unusually large in size[2]
(over 300MB) in an attempt to evade detection by security solutions
and is signed with an expired certificate from Avast that was
likely stolen following the latter’s breach[3]
in October 2019.

But embedded within the 330MB binary is a 3.3MB-sized executable
that’s the Vidar malware, with the rest of the file content padded
with 0x10 bytes to artificially inflate the size.
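A file-level check for the padding trick described above, added here as an example and not taken from the Zscaler report or the article: it measures what share of a file is the 0x10 pad byte and how long the trailing run of that byte is, on constructed samples scaled down to 1/100 of the 3.3 MB-in-330 MB ratio. The thresholds, file names and the `demo` helper are assumptions.

```python
import os
import tempfile
PAD_BYTE, CHUNK = 0x10, 1 << 20  # pad byte from the report; 1 MiB reads keep memory flat

def pad_fraction(path, pad_byte=PAD_BYTE):
    """Fraction of the file's bytes that equal pad_byte (counted in C speed per chunk)."""
    needle, total, hits = bytes([pad_byte]), 0, 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            total += len(chunk)
            hits += chunk.count(needle)
    return hits / total if total else 0.0

def trailing_pad_run(path, pad_byte=PAD_BYTE):
    """Length of the pad_byte run at the end of the file, scanned backwards chunk by chunk."""
    needle, run = bytes([pad_byte]), 0
    with open(path, "rb") as fh:
        pos = fh.seek(0, os.SEEK_END)
        while pos > 0:
            pos -= (step := min(CHUNK, pos))
            fh.seek(pos)
            chunk = fh.read(step)
            stripped = chunk.rstrip(needle)
            run += len(chunk) - len(stripped)
            if stripped:  # reached a non-pad byte, so the run ends here
                break
    return run

def is_inflated(path, pad_byte=PAD_BYTE, min_fraction=0.9, min_trailing=8 << 20):
    """Flag a file that is mostly pad bytes or ends in a long pad run (thresholds are assumptions)."""
    return pad_fraction(path, pad_byte) >= min_fraction or trailing_pad_run(path, pad_byte) >= min_trailing

def make_sample(path, payload_size, pad_size, pad_byte=PAD_BYTE):
    """Constructed file: a deterministic byte pattern standing in for the real executable, then pad bytes."""
    pattern = bytes(range(256)) * (payload_size // 256 + 1)
    with open(path, "wb") as fh:
        fh.write(pattern[:payload_size])
        fh.write(bytes([pad_byte]) * pad_size)

def demo():
    """Two constructed samples at 1/100 of the 3.3 MB-in-330 MB ratio; returns measurements and verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        inflated, benign = (os.path.join(tmp, n) for n in ("inflated.bin", "benign.bin"))
        make_sample(inflated, payload_size=3300, pad_size=326_700)
        make_sample(benign, payload_size=3300, pad_size=0)
        return {"inflated_fraction": pad_fraction(inflated),
                "inflated_trailing": trailing_pad_run(inflated),
                "inflated": is_inflated(inflated, min_trailing=300_000),
                "benign": is_inflated(benign, min_trailing=300_000)}
```

Because the trailing scan reads from the end of the file, it finishes in a few reads on an inflated sample, so it is cheap to run on every large download before the full scan.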

In the next phase of the attack chain, Vidar establishes
connections to a remote command-and-control (C2) server to retrieve
legitimate DLL files such as sqlite3.dll and vcruntime140.dll to
siphon valuable data from compromised systems.

Also notable is the abuse of Mastodon and Telegram by the threat
actor to store the C2 IP address in the description field of the
attacker-controlled accounts and communities.

The findings add to a list of different methods that have been
uncovered in the past month to distribute the Vidar malware,
including[4]
Microsoft Compiled HTML Help (CHM) files and a loader called
Colibri.

“The threat actors distributing Vidar malware have demonstrated
their ability to social engineer victims into installing Vidar
stealer using themes related to the latest popular software
applications,” the researchers said.

“As always, users should be cautious when downloading software
applications from the Internet and download software only from the
official vendor websites.”

References

  1. said (www.zscaler.com)
  2. unusually large in size (thehackernews.com)
  3. latter’s breach (blog.avast.com)
  4. including (thehackernews.com)
