CERT-AGID warns of a malspam campaign targeting PEC (certified e-mail) mailboxes: an initial wave linked to the Italian domain Excite carried no payload, while the current wave uses an active domain to deliver a JavaScript dropper that installs the Vidar infostealer. This is the fourth Vidar-related wave CERT-AGID has observed in 2024. #Vidar #PEC #CERT-AGID #Excite
Keypoints
- CERT-AGID issued a warning about a malspam campaign exploiting PEC mailboxes.
- The initial wave linked to the Italian domain Excite but did not deliver a malicious payload.
- Later iterations switched to an active domain that serves a JavaScript file which, once run by the recipient, installs the Vidar malware.
- This is the fourth Vidar-related wave observed in 2024 (the fifth if yesterday's erroneous one is counted).
- Malware authors target PEC mailboxes for their legal value and perception of trustworthiness.
- Countermeasures have been implemented with support from PEC providers, and IoCs have been disseminated through CERT-AGID.
- Users are advised to scrutinize PEC communications and report suspicious messages to [email protected].
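The delivery chain described above (a PEC message carrying a JavaScript file, possibly inside a ZIP, plus links to the campaign's domains) is the kind of thing a mail-gateway or SOC triage script can flag before anyone double-clicks. The following Python example is added here and is not CERT-AGID's tooling or code from the advisory. It parses a message, reports script attachments (directly attached or inside a ZIP container, which it opens without executing anything), and matches URL hosts in the body against an IoC set. The domains, addresses and attachment names are constructed placeholders; the real `Vidar_17-09-2024.json` feed is not reproduced, and the IoC set format is an assumption.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions that Windows Script Host or mshta executes on double-click.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta"}

# Constructed IoC set standing in for the CERT-AGID feed (placeholder value,
# not from the advisory). In practice load the published JSON instead.
IOC_DOMAINS = {"dropper-host.invalid"}

URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def _script_names(filename, data):
    """Return script file names found in one attachment.

    A bare script attachment is reported by name; a ZIP container is listed
    (never extracted or run) and any script member inside is reported as
    'container.zip/member.js'.
    """
    names = []
    if any(filename.lower().endswith(ext) for ext in SCRIPT_EXTENSIONS):
        names.append(filename)
    elif zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if any(member.lower().endswith(ext) for ext in SCRIPT_EXTENSIONS):
                    names.append(f"{filename}/{member}")
    return names


def scan_message(raw, ioc_domains=IOC_DOMAINS):
    """Triage a raw RFC 822 message; returns a findings dict."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {"sender": msg["From"], "script_attachments": [], "ioc_hits": []}

    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, str):
            data = data.encode("utf-8", "replace")
        if not isinstance(data, bytes):      # e.g. nested message/rfc822
            continue
        findings["script_attachments"].extend(
            _script_names(part.get_filename() or "", data))

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for host in URL_HOST_RE.findall(text):
        if host.lower() in ioc_domains:
            findings["ioc_hits"].append(host.lower())

    findings["suspicious"] = bool(findings["script_attachments"] or findings["ioc_hits"])
    return findings


def build_sample(malicious=True):
    """Construct a sample invoice-themed message (not a real campaign sample)."""
    msg = EmailMessage()
    msg["From"] = "fatturazione@sender.invalid"
    msg["To"] = "amministrazione@target.invalid"
    msg["Subject"] = "Fattura in scadenza"
    if malicious:
        msg.set_content("In allegato la fattura. Dettagli: http://dropper-host.invalid/doc")
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("Fattura_2024.js", "// placeholder, not a real dropper\n")
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename="Fattura_2024.zip")
    else:
        msg.set_content("In allegato la fattura.")
        msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                           subtype="pdf", filename="Fattura_2024.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for flag in (True, False):
        print(scan_message(build_sample(malicious=flag)))
```

The ZIP is only listed, not extracted, so a malformed or oversized archive cannot write anything to disk; a production version would also unpack the IoC feed and add hash matching for the attachment bytes.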
MITRE Techniques
- [T1078] Valid Accounts – Using compromised PEC accounts to access sensitive data and send on their behalf. (‘Using compromised PEC accounts to access sensitive data.’)
- [T1566] Phishing – Sending fraudulent communications through compromised PEC accounts. (‘Sending fraudulent communications through compromised PEC accounts.’)
- [T1204.002] User Execution: Malicious File – Delivery of JavaScript files that install Vidar once the recipient runs them. (‘Delivery of JavaScript files leading to malware installation.’)
Indicators of Compromise
- [URL] IoC feed – Vidar_17-09-2024.json, the downloadable file through which CERT-AGID disseminates the IoCs for this campaign. (‘Link: Download IoC’)
- [Domain] Excite – Italian domain linked in the initial wave; per CERT-AGID it did not serve a malicious payload, so it is context rather than a blocking indicator. (‘the link to the Italian domain Excite did not carry any malicious payload.’)
- [URL] Original source page – https://cert-agid.gov.it/news/vidar-compare-ancora-in-una-nuova-campagna-malspam-che-sfrutta-le-caselle-pec/ (source reporting the campaign).