In April 2022, ThreatLabz discovered several newly registered domains, which were created by a threat actor to spoof the official Microsoft Windows 11 OS download portal. We discovered these domains by monitoring suspicious traffic in our Zscaler cloud. The spoofed sites were created to distribute malicious ISO files which lead to a Vidar infostealer infection on the endpoint. These variants of Vidar malware fetch the C2 configuration from attacker-controlled social media channels hosted on the Telegram and Mastodon networks.

ThreatLabz believes that the same threat actor is actively leveraging social engineering to impersonate popular legitimate software applications to distribute Vidar malware, as we have also identified an attacker-controlled GitHub repository which hosts several backdoored versions of Adobe Photoshop. These binaries hosted on GitHub distribute Vidar malware using similar tactics of abusing social media channels for C2 communication.

In this blog, ThreatLabz analyzes the Vidar distribution vector, threat actor correlation, and technical analysis of the binaries involved in this campaign.

Key points:

- ThreatLabz discovered several newly registered domains spoofing the official Microsoft Windows 11 OS download portal.
- The spoofed domains were distributing malicious ISO files containing samples of the Vidar infostealer malware.
- The actual C2s used by the malware samples are obtained from attacker-controlled social media channels hosted on the Telegram and Mastodon networks.
- Using data obtained from this campaign, ThreatLabz was also able to identify another similar campaign using backdoored versions of Adobe Photoshop.

The threat actor registered several domains beginning 20th April 2022 that host web pages that masquerade as the official Microsoft Windows 11 download page, Windows 11 being the latest version of the operating system. ThreatLabz found several other domains registered by this threat actor similar to the one shown below in Figure 1.

Figure 1: Vidar attacker-controlled domain serving malicious ISO file

All of these domains were used to spread malicious ISO files spoofed as a Windows 11 download. The complete list of domains linked to this threat actor that were used in this campaign is provided in the Indicators of Compromise (IOC) section.

The binary inside the ISO file is a PE32 binary. The size of the ISO file is very large (more than 300 MB), which helps the attackers evade network security products where a file size limit on inspection is in place. Example MD5 hashes for this campaign are shown below:

The binary inside the ISO file is digitally signed with a certificate issued to AVAST. All of the binaries in this campaign were signed by a certificate with the same serial number. Figure 2 shows the details of the certificate and the corresponding serial number.

Figure 2: Details of the certificate used to sign the malicious Vidar binary

However, this certificate is expired and hence invalid. By pivoting on this serial number, we were able to discover several other malicious binaries from multiple different campaigns and actors, which likely indicates that this is a stolen certificate coming from the AVAST compromise back in 2019.

The Vidar samples in these campaigns are all packed with Themida (except for the MD5 hash 6ae17cb76cdf097d4dc4fcccfb5abd8a) and are over 330MB in size. However, each sample contains a PE file that is only around 3.3MB. Figure 3 shows that the rest of the file content is simply filled with 0x10 bytes to artificially increase the file's size.

Figure 3: Padding of bytes to inflate the Vidar binary size from 3.3MB to 330MB

All of the binaries below are related to the same Windows 11 theme campaign:

The Vidar strings extracted from these samples are provided in the Appendix section at the end of the blog.
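The 0x10 padding described above leaves a large, uniform overlay after the last PE section, which is something a file scanner can check for cheaply. The following is an added example (not code from the ThreatLabz post) that reads the section table, measures the overlay, and flags a PE whose overlay is much larger than the real image and made of a single repeated byte; the sample PE it builds is constructed for the test and is not a Vidar binary.

```python
import struct

def pe_image_end(data: bytes) -> int:
    """Return the file offset where the last PE section's raw data ends,
    i.e. where any overlay begins. Raises ValueError for non-PE input."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sect_table = e_lfanew + 24 + opt_hdr_size
    end = sect_table + num_sections * 40          # end of the section table itself
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in each 40-byte entry
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect_table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return end

def inflated_by_padding(data: bytes, min_ratio: float = 10.0, sample: int = 1 << 20):
    """Flag a PE whose overlay is at least `min_ratio` times the real image size
    and consists of one repeated byte (0x10 in the Vidar samples).
    Returns (flagged, image_end_offset, pad_byte_or_None)."""
    end = pe_image_end(data)
    overlay = data[end:]
    if not overlay or len(overlay) < min_ratio * end:
        return False, end, None
    # Only inspect a bounded head and tail of the overlay so that scanning
    # a 330MB file stays cheap; uniform padding is uniform at both ends.
    head, tail = overlay[:sample], overlay[-sample:]
    first = head[0]
    if head.count(first) == len(head) and tail.count(first) == len(tail):
        return True, end, first
    return False, end, None

def build_constructed_sample(image_bytes: int, pad_len: int, pad_byte: int = 0x10) -> bytes:
    """Constructed test input (not a real sample): a minimal PE skeleton with one
    section whose raw data ends at `image_bytes`, followed by `pad_len` pad bytes."""
    e_lfanew, opt = 0x40, 0xE0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt, 0x102)
    hdr_end = e_lfanew + 24 + opt + 40            # one section header
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", image_bytes - hdr_end, 0x1000,
                                           image_bytes - hdr_end, hdr_end, 0, 0, 0, 0, 0x60000020)
    hdr = dos + coff + b"\0" * opt + section
    return hdr + b"\xCC" * (image_bytes - len(hdr)) + bytes([pad_byte]) * pad_len
```

Run against a real file with `inflated_by_padding(open(path, "rb").read())`; a hit should be treated as a triage signal to strip the overlay and inspect the much smaller embedded image, not as a verdict on its own.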