Vidar via PEC: From Weekend to Tuesday, Change of Strategy

Summary:

On December 17, 2024, the Vidar malware launched a new campaign targeting Italian users through compromised PEC mailboxes. The attack utilized formal emails simulating payment reminders, leading victims to download a malicious JavaScript file named Fattura.js. The campaign adapted its timing and methods to increase effectiveness, highlighting the attackers’ flexibility in their strategies. #VidarMalware #CyberSecurity #MaliciousEmails

Key points:

  • Vidar malware targeted Italian users with a new campaign on December 17, 2024.
  • The attack used formal emails to simulate payment reminders, containing a link to a malicious JavaScript file.
  • 133 domains were identified and blocked during the campaign.
  • The timing of the attack was altered to target users during working hours.
  • Mitigation efforts involved collaboration with PEC managers and the distribution of IoC through CERT-AGID.

MITRE Techniques:

  • Phishing (T1566): Sending deceptive emails to trick users into downloading malicious files.
  • User Execution (T1203): Malicious JavaScript file execution upon user interaction.
  • Credential Dumping (T1003): Potentially stealing sensitive information from compromised systems.

Indicators of Compromise:

  • [url] Fattura.js
  • [other IoCs] 133 domains used for malware distribution

12/17/2024

In the early hours of December 17, 2024, Vidar returned to strike with a new malware campaign aimed at Italian users, once again exploiting compromised PEC mailboxes. Unlike previous waves, which had been launched overnight between Sunday and Monday, this campaign was distributed on Tuesday morning, likely aiming to reach victims at a different time of the week.

Email used for the Vidar campaign

The vector used remains the same: a formally written email, using convincing and intimidating language, which simulates a payment reminder related to an alleged breached contract. In the body of the message, a link invites the recipient to download an “invoice” which, in reality, is a malicious JavaScript file named Fattura.js. Once opened, this file triggers the infection of the system, allowing the malware to steal sensitive information.

Random and Timed Domains

The campaign was detected at 12:30 AM, and mitigation efforts, in collaboration with PEC managers, began just a few minutes later at 12:35 AM. During the monitoring, 133 second-level domains used for distributing the malware were identified and blocked. As observed in the previous campaign, the URLs, which used randomized paths to complicate preemptive identification, remained inactive in the initial phases of the attack before activating in the hours that followed.
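The two defensive signals described above (a PEC payment-reminder lure whose "invoice" link points to a JavaScript file, and second-level domains that can be matched against a blocklist such as the CERT-AGID feed) can be combined into a simple mail-triage check. This is an added example, not CERT-AGID code; the sample message, the `.invalid` domains and the randomized-path heuristic are constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed PEC-style lure; domain and path are placeholders, not real IoCs.
SAMPLE_EMAIL = """\
From: amministrazione@example-pec.invalid
To: ufficio@example.invalid
Subject: Sollecito di pagamento - contratto n. 4521
Content-Type: text/plain; charset=utf-8

Gentile cliente,
in mancanza di riscontro procederemo per vie legali.
Scarichi la fattura: http://cdn.example-lure.invalid/x7Qp9/Fattura.js
"""

# Constructed stand-in for a second-level-domain blocklist (e.g. an IoC feed).
BLOCKED_SLD = {"example-lure.invalid"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
SCRIPT_EXT = (".js", ".jse", ".vbs", ".wsf")

def second_level_domain(host: str) -> str:
    """Reduce a hostname to host.tld so subdomain churn does not evade the list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def extract_urls(raw: str) -> list[str]:
    """Pull http(s) URLs out of the text/plain parts of an RFC 822 message."""
    body = ""
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            body += payload.decode(part.get_content_charset() or "utf-8", "replace")
    return URL_RE.findall(body)

def triage(raw: str, blocked: set[str]) -> list[dict]:
    """One finding per URL, listing the reasons it looks like an invoice-lure download."""
    findings = []
    for url in extract_urls(raw):
        p = urlparse(url)
        sld = second_level_domain(p.hostname or "")
        reasons = []
        if sld in blocked:
            reasons.append("domain_in_blocklist")
        if p.path.lower().endswith(SCRIPT_EXT):
            reasons.append("script_download_as_invoice")
        segments = [s for s in p.path.split("/") if s]
        # Heuristic (assumption): an opaque alphanumeric directory before the file name.
        if len(segments) >= 2 and re.fullmatch(r"[A-Za-z0-9]{5,}", segments[-2]):
            reasons.append("randomized_path")
        findings.append({"url": url, "sld": sld, "reasons": reasons})
    return findings
```

Only a URL with at least one reason needs analyst attention; the blocklist match alone is enough to quarantine, while the other two reasons catch domains that have not yet reached the feed.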

Change in Strategy or Setback?

The repetition of these campaigns highlights the adaptability of the actors behind Vidar, always ready to modify not just the technical details, such as URLs and distribution methods, but also the timing of the attacks. The choice to launch this campaign in the early hours of a Tuesday morning, rather than in the usual window between Sunday and Monday, may reflect various factors. It could simply be a logistical issue that occurred over the weekend and delayed the malware’s activation. Alternatively, it could be a deliberate strategy aimed at hitting users during peak operational times, when they are already focused on work activities and less likely to suspect early morning emails. Whatever the reason, this change underscores the criminals’ attention to varying approaches and timing to maximize the effectiveness of their campaigns.

Countermeasures

Countermeasures have already been implemented with the support of PEC managers. The IoCs related to the campaign have been disseminated via the IoC Feed of CERT-AGID to PEC managers and accredited structures.

It is recommended to always exercise maximum caution with communications received via PEC, particularly when they contain links that appear suspicious. When in doubt, suspected emails can be forwarded to the address malware@cert-agid.gov.it.

Indicators of Compromise

To publicly disclose the details of today’s campaign, the following IoCs are reported:

Link: Download IoCs

Full Research: https://cert-agid.gov.it/news/vidar-via-pec-dal-weekend-al-martedi-cambio-di-strategia/