The ongoing Vidar malware campaigns continue to target Italian users every Monday morning, with the latest wave detected on January 20, 2025. This attack exploits compromised PEC accounts to send emails exclusively to PEC account holders, leveraging the trustworthiness of these communications to maximize success rates. Affected: PEC accounts
Keypoints :
- Vidar malware campaigns are conducted regularly, specifically targeting Italian users.
- The latest attack was detected on January 20, 2025, using compromised PEC accounts.
- Emails are sent exclusively to PEC account holders to increase trust and success rates.
- The attackers employ Domain Generation Algorithm (DGA) techniques and rotate numerous hosts.
- A total of 147 hosts were identified for distributing the payload as JavaScript files.
- The DGA-generated URLs and randomized paths remain inactive during the initial attack phase.
- Countermeasures have been implemented with the support of PEC Managers.
- IoCs related to the campaign have been disseminated via CERT-AGID’s IoC Feed.
- Users are advised to be cautious with PEC communications and report suspicious emails.
MITRE Techniques :
- Domain Generation Algorithm (T1483) – Used to generate multiple domains for payload distribution.
- Command and Control over Web Service (T1071) – Utilized for communication with compromised hosts.
Indicator of Compromise :
- [url] hxxp://malicious-domain1.com
- [url] hxxp://malicious-domain2.com
- Check the article for all found IoCs.
Full Research: https://cert-agid.gov.it/news/ancora-attacchi-ad-opera-di-vidar-cadenza-regolare-e-vecchie-strategie-sempre-efficaci/