“New Vidar Campaign Distributed via PEC”

A new malspam campaign distributing Vidar malware uses PEC emails to lure recipients into downloading a malicious JavaScript file. A Python script decodes the JavaScript to reach the final payload. hashtags: #Vidar #PEC #CERT-AgID #IoCFeed

Keypoints

  • New malspam campaign spreading Vidar malware via PEC emails.
  • Emails include links to download malicious JavaScript files.
  • A Python script decodes the JavaScript to reveal the final payload.
  • PEC Managers have blocked the involved email addresses as a countermeasure.
  • Indicators of Compromise are disseminated through CERT-AgID IoC Feed to PEC Managers.
  • The campaign uses multiple subdomains of the same domain to host payloads and a chain of URLs to fetch the final executable.

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – “The PECs sent use different subdomains of the same domain. Thanks to collaboration with PEC Managers… a link that allows the download of a malicious JavaScript file, only after verifying on the backend that the request comes from a Windows client.”
  • [T1059.007] JavaScript – “Malicious JavaScript files are used to download and execute the Vidar malware.”
  • [T1140] Deobfuscate/Decode Files or Information – “To speed up the decoding process, we have prepared a Python script that resolves the JavaScript, by inserting the two hexadecimal code lines …”
  • [T1105] Ingress Tool Transfer – “From the new URL, an additional JavaScript containing the final payload is provided, which in turn refers to a new URL…”
  • [T1047] Windows Management Instrumentation – “Create: winmgmts:root\cimv2:Win32_Process”
  • [T1059.001] PowerShell – “less powershel”
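
A defender-side triage helper, added here as an example and not part of the CERT-AgID advisory or its decoding script: it normalises the two obfuscation traits the advisory names (hex-encoded string lines and split string literals) in a constructed JavaScript fragment and then flags the WMI Win32_Process and PowerShell patterns listed under the MITRE techniques above. The sample JS, the `fromHex` helper name and the URL in it are all constructed for illustration.

```python
import re

# Constructed JavaScript fragment (not from the campaign) mimicking the traits the
# advisory lists: hex-encoded string lines, a WMI Win32_Process spawn and a
# PowerShell command split across concatenated literals. "fromHex" is a
# hypothetical decoder name; the URL is a reserved example domain.
SAMPLE_JS = r'''
var h1 = "77696e6d676d74733a726f6f745c63696d76323a57696e33325f50726f63657373";
var h2 = "68747470733a2f2f6578616d706c652e696e76616c69642f737461676532";
var wmi = GetObject(fromHex(h1));
var cmd = "powershel" + "l" + " -nop -w hidden -c " + fromHex(h2);
'''

HEX_LITERAL = re.compile(r'"([0-9a-fA-F]{16,})"')          # long quoted hex runs
CONCAT = re.compile(r'"([^"\\]*)"\s*\+\s*"([^"\\]*)"')     # "a" + "b"

SUSPICIOUS = {
    "wmi_process_create": re.compile(r"winmgmts:.*Win32_Process", re.I),
    "powershell": re.compile(r"powershell", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "url": re.compile(r"https?://[\w./-]+", re.I),
}

def decode_hex_literals(js: str) -> str:
    """Replace each quoted hex literal with its decoded text when it is printable ASCII."""
    def repl(m):
        hexs = m.group(1)
        if len(hexs) % 2:
            return m.group(0)
        try:
            text = bytes.fromhex(hexs).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            return m.group(0)
        return '"%s"' % text if text.isprintable() else m.group(0)
    return HEX_LITERAL.sub(repl, js)

def join_string_concat(js: str) -> str:
    """Merge adjacent "a" + "b" literals until stable so split keywords reappear."""
    prev = None
    while prev != js:
        prev, js = js, CONCAT.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), js)
    return js

def triage(js: str) -> dict:
    """Return {indicator_name: [matched strings]} for every pattern hit after normalisation."""
    norm = join_string_concat(decode_hex_literals(js))
    return {name: sorted(set(rx.findall(norm))) for name, rx in SUSPICIOUS.items() if rx.search(norm)}
```

Run `triage(SAMPLE_JS)` to see the WMI path, the reassembled `powershell` keyword, the hidden-window switch and the decoded next-stage URL surface from the obfuscated fragment.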

Indicators of Compromise

  • [URL] IoCs – https://cert-agid.gov.it/wp-content/uploads/2024/08/vidar_21-08-2024.json, and https://cert-agid.gov.it/scarica-il-modulo-accreditamento-feed-ioc/

Read more: https://cert-agid.gov.it/news/contrastata-nuova-campagna-vidar-diffusa-via-pec/