A new Vidar campaign has been identified, characterized by advanced obfuscation techniques and the use of Domain Generation Algorithm (DGA) for dynamic malicious address generation. The malware deployed a JavaScript payload that remained inactive initially to evade detection. Unique features include a refined obfuscation method using XOR operations, complicating static analysis and detection by security tools. Ongoing countermeasures have been put in place, with IoCs shared among accredited entities. Affected: cybersecurity, email communication, digital infrastructure
Keypoints :
- New Vidar campaign detected on February 2, 2025, around midnight.
- Utilizes advanced obfuscation techniques and dynamic address generation via DGA.
- Malicious URLs remained inactive initially, activating the next morning to evade preventive controls.
- Refined obfuscation method involves breaking down input strings into integers and decoding them with XOR operations.
- Payload variations lead to the release of different malware families post-infection.
- Countermeasures are being implemented with the support of PEC Managers and IoCs are communicated through CERT-AGID.
- Precautions recommended for PEC communications, especially with suspicious links.
- Suspected emails can be forwarded to malware@cert-agid.gov.it for further analysis.
MITRE Techniques :
- T1486: Data Encrypted for Impact – Vidar’s payload conducts further malware releases post-infection.
- T1069: Permission Granting – Utilizes obfuscation techniques to bypass security monitoring tools.
- T1071: Application Layer Protocol – Employs DGA for dynamic address resolution.
- T1027: Obfuscated Files or Information – Uses JavaScript payload with advanced obfuscation methods, including XOR encryption.
Indicator of Compromise :
- [URL] http://malicious.com/path
- [URL] https://example.com
- [Email Address] malware@cert-agid.gov.it