Fraudulent domains masquerading as Microsoft’s Windows 11 download portal are attempting to trick users into deploying trojanized installation files to infect systems with the Vidar information stealer malware.
“The spoofed sites were created to distribute malicious ISO files which lead to a Vidar info-stealer infection on the endpoint,” Zscaler said in a report. “These variants of Vidar malware fetch the C2 configuration from attacker-controlled social media channels hosted on Telegram and Mastodon network. “
Some of the rogue distribution vector domains, which were registered last month on April 20, consist of ms-win11[.]com, win11-serv[.]com, and win11install[.]com, and ms-teams-app[.]net.
The cybersecurity company also warned that the attacker behind the impersonation campaign may be using backdoored Adobe Photoshop versions and legitimate software like Microsoft Teams in order to distribute Vidar malware.
The ISO file, for its part, contains an executable that’s unusually large in size (over 300MB) in an attempt to evade detection by security solutions and is signed with an expired certificate from Avast that was likely stolen following the latter’s breach in October 2019.
But embedded within the 330MB binary is a 3. 3MB-sized executable that’s the Vidar malware, with the rest of the file content padded with 0x10 bytes to artificially inflate the size.
In the next phase of the attack chain, Vidar establishes connections to a remote command-and-control (C2) server to retrieve legitimate DLL files such as sqlite3.dll and vcruntime140.dll to siphon valuable data from compromised systems.
Also notable is the abuse of Mastodon and Telegram by the threat actor to store the C2 IP address in the description field of the attacker-controlled accounts and communities.
The findings add to a list of different methods that have been uncovered in the past month to distribute the Vidar malware, including Microsoft Compiled HTML Help (CHM) files and a loader called Colibri.
” The threat actors who distribute Vidar malware are able to social engineer victims to install Vidar thefter by using themes that relate to popular software programs,” researchers stated.
“As always, users should be cautious when downloading software applications from the Internet and download software only from the official vendor websites. “
