The Vidar malware evolves with new domain diversification strategies.

Summary:

The Vidar malware has resurfaced, targeting Italian email accounts through compromised PEC mailboxes. This new wave of attacks employs VBS files to execute PS1 scripts and utilizes over 100 distinct domains with nearly a thousand randomly generated subdomains for downloading the malware. The attackers have strategically activated these links on November 18, suggesting a planned approach to maximize impact at the start of the workweek.

Keypoints:

Vidar malware targets Italian email accounts via compromised PEC mailboxes.

New attack wave uses VBS files to execute PS1 scripts.

Over 100 distinct domains and nearly 1,000 subdomains are utilized for malware downloads.

URLs for downloading were inactive during the initial attack phase, activating on November 18.

Attacks are strategically planned for Sundays to catch victims at the start of the workweek.

Vidar is known for stealing sensitive information and credentials.

Countermeasures have been implemented with support from PEC managers.

IoCs related to the campaign have been shared through CERT-AGID’s IoC Feed.

Recipients are advised to be cautious with PEC communications, especially suspicious links.

Suspicious emails can be forwarded to malware@cert-agid.gov.it for verification.

MITRE Techniques

Execution (T1203): Exploits vulnerabilities in software to execute malicious scripts.

Credential Dumping (T1003): Steals credentials from compromised systems.

Command and Control (T1071): Utilizes multiple command and control domains to maintain communication with compromised systems.

IoC:

[domain] example1[.].com

[domain] example2[.].com

[url] http://malicious-link1[.].com

[url] http://malicious-link2[.].com

[email] malware@cert-agid.gov.it

Full Research: https://cert-agid.gov.it/news/il-malware-vidar-evolve-con-nuove-strategie-di-diversificazione-dei-domini/

Tags: EMAIL, CREDENTIAL, IMPACT