AutoIt Delivering Vidar Stealer Via Drive-by Downloads

eSentire’s TRU detected a drive-by download campaign delivering Vidar Stealer via a fake KMSpico activator, using Java dependencies and a malicious AutoIt script to disable security tools and decrypt the payload. The operation employs a Telegram Dead Drop Resolver for C2 and highlights risks from malware-laden greyware downloads from unverified sources. #VidarStealer #KMSPico #AutoIt #Telegram #DriveByDownload

Keypoints

  • The attack used a fake KMSpico activator as the delivery vector, underscoring the danger of illegal software activators.
  • The malicious page (kmspico.ws) is behind Cloudflare Turnstile and requires human input to download the final ZIP, complicating automated detection.
  • The ZIP contains Java dependencies and Setuper_KMS-ACTIV.exe (MD5: 6b6d562c71b953f41b6915998f047a30).
  • Launching the executable starts javaw.exe and drops a malicious AutoIt script named “x” (MD5: c7ece036a2284fba0f5d31055b44846f) and Flour.pif (MD5: b06e67f9767e5023892d9698703ad098).
  • The AutoIt script embeds the Vidar payload, which is decrypted by the shellcode using RC4 with a hardcoded key.
  • Vidar Stealer uses Telegram as a Dead Drop Resolver to store the C2 IP address, concealing the attacker’s command-and-control infrastructure.
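
The decryption step above (payload carved out of the dropper and RC4-decrypted with a hardcoded key) is worth having as a reusable routine for triage. The following is an added example written for this summary, not code from eSentire or from the malware: the key, the payload marker and the blob layout (marker, 4-byte little-endian length, RC4 ciphertext) are hypothetical stand-ins, and the "PE" is a constructed byte string with only an MZ header. The RC4 routine itself is the standard KSA/PRGA, so it can be pointed at a real carved blob once the key and offset are known.

```python
import struct

# Placeholder key; the real hardcoded key is not reproduced on this page.
HARDCODED_KEY = b"example-key-not-the-real-one"
# Hypothetical marker assumed to separate the dropper stub from the embedded blob.
PAYLOAD_MARKER = b"\x00PAYLOAD\x00"


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4: key-scheduling (KSA) followed by the keystream generator (PRGA).
    RC4 is symmetric, so the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def build_sample_dropper(payload: bytes, key: bytes = HARDCODED_KEY) -> bytes:
    """Constructed stand-in for the AutoIt script with an embedded, RC4-encrypted payload.
    Layout (hypothetical): <stub bytes> <marker> <u32 LE length> <ciphertext>."""
    enc = rc4(key, payload)
    return b"stub-bytes-of-no-interest" + PAYLOAD_MARKER + struct.pack("<I", len(enc)) + enc


def carve_and_decrypt(blob: bytes, key: bytes = HARDCODED_KEY) -> bytes:
    """Locate the embedded blob, decrypt it and sanity-check that a PE came out.
    Raises ValueError instead of returning garbage when the marker or key is wrong."""
    idx = blob.find(PAYLOAD_MARKER)
    if idx < 0:
        raise ValueError("payload marker not found in blob")
    start = idx + len(PAYLOAD_MARKER)
    (length,) = struct.unpack_from("<I", blob, start)
    enc = blob[start + 4 : start + 4 + length]
    if len(enc) != length:
        raise ValueError("blob is truncated: length field exceeds available data")
    dec = rc4(key, enc)
    if dec[:2] != b"MZ":
        raise ValueError("decrypted data lacks an MZ header: wrong key or wrong offset")
    return dec


# Constructed fake payload: only the MZ signature matters for the check above.
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 62 + b"constructed PE body for demonstration only"

if __name__ == "__main__":
    blob = build_sample_dropper(SAMPLE_PAYLOAD)
    recovered = carve_and_decrypt(blob)
    print("recovered %d bytes, header %r" % (len(recovered), recovered[:2]))
```

Against a real sample, replace HARDCODED_KEY and the marker/length logic with the values recovered from the shellcode, and keep the MZ check: it is the cheapest way to tell a wrong key from a correct one before handing the output to a PE parser.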

MITRE Techniques

  • [T1189] Drive-by Compromise – Drive-by download via a fake KMSpico activator; “The kmspico[.]ws site is hosted behind Cloudflare Turnstile and requires human input (entering a code) to download the final Zip package.”
  • [T1059] Command and Scripting Interpreter – The dropper uses a malicious AutoIt script to load and execute payloads.
  • [T1562.001] Impair Defenses: Disable or Modify Tools – javaw.exe is launched and disables behavior monitoring in Windows Defender before the payload is decrypted.
  • [T1140] Deobfuscate/Decode Files or Information – The shellcode decrypts the Vidar payload using the RC4 decryption algorithm with a hardcoded key.
  • [T1102.001] Web Service: Dead Drop Resolver – Vidar Stealer uses Telegram to store the C2 IP address and conceal C2 infrastructure.
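
A defender's counterpart to the dead drop resolver is to read the same public channel page and pull out the currently published C2 address for blocking or hunting. The following is an added example written for this summary, not eSentire's tooling or Vidar's own code. It assumes the C2 is posted as plain text on the channel's public preview page (t.me/s/<channel>); the channel name and the HTML below are constructed placeholders, and the address 203.0.113.10 is a documentation-range IP, not an IOC.

```python
import html
import ipaddress
import re
import urllib.request

# Constructed sample of a Telegram channel preview page; the description text,
# class names used here and the IP are placeholders for demonstration only.
SAMPLE_HTML = """
<div class="tgme_channel_info_description">Welcome! 203.0.113.10:8080 :)</div>
<div class="tgme_widget_message_text">older post, nothing of interest</div>
"""

# IPv4 with optional :port. Octet range is validated afterwards via ipaddress.
_IP_PORT = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?\b")


def strip_tags(markup: str) -> str:
    """Crude tag removal plus entity decoding; enough for text-only extraction."""
    return html.unescape(re.sub(r"<[^>]+>", " ", markup))


def resolve_c2(markup: str) -> list:
    """Return every valid IPv4[:port] found in the page text, first occurrence first."""
    results = []
    for ip, port in _IP_PORT.findall(strip_tags(markup)):
        try:
            ipaddress.IPv4Address(ip)          # rejects octets above 255
        except ValueError:
            continue
        if port and not 1 <= int(port) <= 65535:
            continue
        candidate = f"{ip}:{port}" if port else ip
        if candidate not in results:
            results.append(candidate)
    return results


def dead_drop_url(channel: str) -> str:
    """Public web preview of a Telegram channel; no API token or login needed."""
    return f"https://t.me/s/{channel}"


def fetch_and_resolve(channel: str, timeout: int = 10) -> list:
    """Live variant: fetch the preview page and resolve it. Not used offline."""
    req = urllib.request.Request(dead_drop_url(channel), headers={"User-Agent": "Mozilla/5.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resolve_c2(resp.read().decode("utf-8", errors="replace"))


if __name__ == "__main__":
    # Offline run over the constructed page; "placeholder_channel" is not a real IOC.
    print(dead_drop_url("placeholder_channel"))
    print(resolve_c2(SAMPLE_HTML))
```

Because the attacker can rotate the address without touching the sample, the resolved value is a point-in-time observation: re-resolve on a schedule and treat the Telegram channel itself as the stable indicator.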

Indicators of Compromise

  • [Hash] 6b6d562c71b953f41b6915998f047a30 – Setuper_KMS-ACTIV.exe (MD5)
  • [Hash] c7ece036a2284fba0f5d31055b44846f – AutoIt script named ‘x’ (MD5)
  • [Hash] b06e67f9767e5023892d9698703ad098 – Flour.pif, AutoIt script file used in the dropper (MD5)
  • [Domain] kmspico.ws – Malicious activator distribution site behind Cloudflare Turnstile
  • [URL] https://github.com/esThreatIntelligence/iocs/blob/main/AutoIT/AutoIT_VidarStealer-5-19-2024.txt – IOCs resource with additional indicators

Read more: https://www.esentire.com/blog/autoit-delivering-vidar-stealer-via-drive-by-downloads