Key points
- CERT-AGID detected a malspam campaign distributing Vidar through messages sent from compromised PEC (Posta Elettronica Certificata, Italian certified email) accounts.
- Phishing emails impersonate Italian companies and reference unpaid invoices to trick recipients.
- The email contains an “Invoice” link that initiates the download of a malicious VBS file.
- The VBS contains a long base64 string that is decoded to extract and execute a PowerShell script.
- The PowerShell payload connects to a known .top domain and sends the parameter “mints13” for subsequent communications.
- IoCs were published via CERT-AGID’s IoC Feed and shared with PEC Managers and accredited structures for mitigation.
- Users are advised to treat PEC links with caution and forward suspicious messages to [email protected].
MITRE Techniques
- [T1059] Execution – Executes scripts or commands to carry out malicious activities: ‘the downloaded VBS file contains a long base64-encoded string from which it extracts and executes a PowerShell script.’
- [T1071] Command and Control – Uses web protocols/domains for C2: ‘the executed script establishes a connection to the known domain .top, to which the recognizable parameter mints13 is sent.’
- [T1003] Credential Access – Potential credential harvesting during compromise: ‘may involve stealing credentials during the compromise process.’
- [T1041] Exfiltration – Sends data to external locations over established connections: ‘potentially exfiltrates data to external locations through established connections.’
Indicators of Compromise
- [Domain] C2/hosting domain used by payload – .top (known malicious domain used by the PowerShell script)
- [File] IoC bundle / report – vidar_04-11-2024.json (IoC download listing campaign artifacts)
- [File type] Downloader artifact – malicious VBS file that decodes a base64 PowerShell payload (downloaded via “Invoice” link)
The technical chain begins with a PEC-delivered phishing message containing a link labeled “Invoice” that downloads a VBS script. That VBS file embeds a long base64-encoded payload which it decodes and executes, launching a PowerShell script on the host.
The PowerShell component performs network communication to a .top domain and includes the parameter “mints13” when contacting remote repositories, enabling further payload retrieval and command-and-control traffic. CERT-AGID consolidated related IoCs into a downloadable JSON and distributed them via its IoC Feed to PEC Managers and accredited entities for containment and blocking.
Mitigation steps emphasized by CERT-AGID include blocking the identified domains and indicators in network and email defenses, scanning for the VBS/PowerShell artifacts on endpoints, and reporting suspicious PEC messages to [email protected] for analysis.
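To support the endpoint scanning step above, here is an added triage script (not CERT-AGID's code) that inspects a VBS file for the pattern described in the chain: a long base64 literal that decodes to PowerShell referencing a .top domain and the parameter "mints13". The length threshold, the marker lists and the sample VBS/PowerShell text are constructed assumptions; example.top stands in for the redacted campaign domain.

```python
import base64
import binascii
import re
from collections import namedtuple

# Assumed thresholds/markers, derived from the advisory text: a long base64
# literal in the VBS that decodes to PowerShell contacting a .top domain and
# sending the parameter "mints13".
MIN_B64_LEN = 100
B64_RUN = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_B64_LEN)
PS_MARKERS = ("powershell", "invoke-", "iex", "new-object", "$")
CAMPAIGN_MARKERS = ("mints13", ".top")
Finding = namedtuple("Finding", "offset encoding powershell_hit campaign_hits")

def _decode_candidates(blob):
    """Yield (encoding, text) for decodings that give printable text; utf-8
    first, utf-16-le for -EncodedCommand style payloads (NULs fail the utf-8 check)."""
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
    except (binascii.Error, ValueError):
        return
    for enc in ("utf-8", "utf-16-le"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if text and all(c.isprintable() or c in "\r\n\t" for c in text):
            yield enc, text

def scan_vbs(source):
    """Report each long base64 run in VBS source that decodes to PowerShell-like text."""
    findings = []
    for m in B64_RUN.finditer(source):
        for enc, text in _decode_candidates(m.group(0)):
            low = text.lower()
            ps_hit = any(k in low for k in PS_MARKERS)
            hits = [k for k in CAMPAIGN_MARKERS if k in low]
            if ps_hit or hits:
                findings.append(Finding(m.start(), enc, ps_hit, hits))
                break
    return findings

# Constructed stand-in for the decoded stage; example.top is a placeholder for
# the redacted campaign domain. Both plain and UTF-16LE encodings are built.
_DECODED_PS = ("# constructed sample, not the real payload\n"
               "$c2 = 'http://example.top/'\n$p = 'mints13'\nWrite-Output \"$c2?$p\"\n")
SAMPLE_VBS_ASCII = 'Dim s\ns = "%s"\n' % base64.b64encode(_DECODED_PS.encode()).decode()
SAMPLE_VBS_UTF16 = 'Dim s\ns = "%s"\n' % base64.b64encode(_DECODED_PS.encode("utf-16-le")).decode()
```

Run `scan_vbs()` over the text of a quarantined .vbs attachment; a non-empty result is a trigger for full analysis, not a verdict on its own.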
Read more: https://cert-agid.gov.it/news/vidar-torna-a-colpire-in-italia-attraverso-pec-compromesse/