Vidar Active Again in Italy Through Compromised PEC Mailboxes: New Campaign with Updated URLs

Summary:

The Vidar malware has resurfaced in Italy, targeting email users through compromised PEC mailboxes. This new campaign mirrors previous tactics, utilizing VBS payloads and updated download URLs to evade detection. Vidar is known for stealing credentials and sensitive data, exploiting the trust associated with PEC communications. Countermeasures are in place, with IoCs shared among PEC providers. Users are advised to be vigilant with suspicious emails.

Keypoints:

  • Vidar malware targets Italian email users via compromised PEC mailboxes.
  • Utilizes VBS payloads instead of common JS files for distribution.
  • Updated download URLs aim to evade detection systems.
  • Known for stealing credentials and sensitive information.
  • Countermeasures implemented with support from PEC providers.
  • Users are advised to report suspicious emails to malware@cert-agid.gov.it.

MITRE Techniques:

  • Credential Dumping (T1003): Extracts credentials from operating systems and applications for unauthorized access.
  • Phishing (T1566): Uses deceptive emails to trick users into revealing sensitive information.
  • Exploitation of Remote Services (T1210): Targets vulnerabilities in remote services to gain access to systems.
  • Command and Control (T1071): Utilizes multiple command and control domains to maintain communication with compromised systems.

11/11/2024

    A week after the previous wave of attacks, the Vidar malware has returned to menace Italian email users by exploiting, once again, compromised PEC mailboxes.

    Figure: Email used to deliver Vidar

    This new campaign replicates the methods already observed in the previous activity, which was notable for the use of a VBS payload instead of the more common JS files. The distribution techniques remain unchanged, with similar templates for the PEC messages and a persistent abuse of .top domains. However, the reference URLs for downloading the components have been updated, suggesting that the campaign’s authors intend to evade detection systems and prolong the effectiveness of its distribution.

    Vidar, known for its ability to steal access credentials and sensitive data, once again confirms its adaptability and danger, especially considering that the technique of delivery via compromised PEC mailboxes can more easily lead recipients to trust the messages received.
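The campaign traits described above (a VBS payload fetched from a link on a .top domain inside an otherwise ordinary-looking PEC message) lend themselves to a trait-based check that keeps working when the exact download URLs change, as they did between the two waves. The following is an added example, not code from CERT-AGID: it parses a raw PEC message and reports which of those traits it carries. The sender address, domain names and message texts are constructed placeholders.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

# Traits of the campaign: script payloads (VBS rather than the usual JS)
# downloaded from links hosted on .top domains. Matching on these rather
# than on exact URLs survives the URL rotation seen between waves.
SUSPICIOUS_TLDS = {"top"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def assess_pec_message(raw: str) -> list[str]:
    """Return the campaign traits found in a raw RFC 822 message ([] if none)."""
    msg = message_from_string(raw, policy=default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    reasons = []
    for url in URL_RE.findall(text):
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        tld = host.rsplit(".", 1)[-1]
        if tld in SUSPICIOUS_TLDS:
            reasons.append(f"link to .{tld} domain: {host}")
        if parts.path.lower().endswith(SCRIPT_EXTS):
            reasons.append(f"link to script payload: {url}")
    return reasons

# Constructed sample messages (placeholders, not real campaign artefacts).
BENIGN = """From: ufficio@esempio.pec.it
Subject: Fattura n. 12
Content-Type: text/plain

La fattura e' disponibile su https://portale.esempio.it/fatture/12
"""
LINK_LURE = """From: ufficio@esempio.pec.it
Subject: Documento in scadenza
Content-Type: text/plain

Scarica il documento: http://documenti.placeholder.top/download/doc.vbs
"""
```

Run `assess_pec_message(LINK_LURE)` to see both traits reported, and `assess_pec_message(BENIGN)` to confirm the ordinary message passes clean.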

    Countermeasures

    Countermeasures have already been implemented with the support of PEC managers. The IoCs related to the campaign have been disseminated through the IoC Feed of CERT-AGID to the PEC managers and accredited structures.

    It is recommended to always pay close attention to communications received via PEC, particularly when they contain links that appear suspicious. When in doubt, suspicious emails can be forwarded to the address malware@cert-agid.gov.it.

    Indicators of Compromise

    In order to make the details of today’s campaign public, the detected IoCs are listed below:

    Link: Download IoC

    Source: Original Post