Keypoints
- Vidar is actively targeting Italian users by abusing compromised PEC (certified email) mailboxes to distribute malicious content.
- The campaign deploys VBS payloads rather than the more commonly observed JS files, changing the delivery artifact to avoid detection.
- Attackers continue to use similar PEC message templates and heavily rely on .top domains, while updating download URLs to bypass defenses.
- Vidar is capable of stealing access credentials and other sensitive information from infected systems.
- PEC managers and CERT-AGID have implemented countermeasures and distributed IoCs to accredited structures via an IoC feed.
- Users are advised to be cautious with PEC links and to forward suspicious messages to [email protected] for analysis.
MITRE Techniques
- [T1003] Credential Dumping – Extracts credentials from operating systems and applications to enable unauthorized access. [‘steal access credentials and sensitive data’]
- [T1566] Phishing – Delivers deceptive messages to trick recipients into executing malicious payloads or revealing information. [‘templates for the PEC messages’]
- [T1210] Exploitation of Remote Services – Targets vulnerabilities in remote services to gain initial access or escalate privileges. [‘Targets vulnerabilities in remote services to gain access to systems.’]
- [T1071] Command and Control – Uses multiple command-and-control domains to maintain communication with compromised hosts. [‘multiple command and control domains to maintain communication with compromised systems.’]
Indicators of Compromise
- [Domain] Abuse of .top domains in distribution – example: various .top domains used as download hosts and redirectors.
- [URL] Campaign and IoC list – https://cert-agid.gov.it/wp-content/uploads/2024/11/vidar_11-11-2024.json (IoC feed download containing URLs and indicators).
- [File type / Payload] Malicious scripts and attachments – VBS payloads used in place of JS files to deliver Vidar components and execute the downloader.
11/11/2024
A week after the previous wave of incidents, the Vidar information-stealing malware has resurfaced in Italy by exploiting compromised PEC (certified email) mailboxes. The new campaign follows the same distribution patterns observed earlier, but with some notable changes: attackers are sending messages using familiar PEC templates while switching from JS to VBS payloads and updating the download URLs referenced in the emails. This shift appears intended to sidestep detection mechanisms and keep the campaign effective for longer.
The operation continues to lean heavily on .top domains as part of its infrastructure. Because the messages originate from compromised PEC accounts—which are typically treated as trustworthy by recipients—this delivery method increases the likelihood that targets will open links or attachments and execute the malicious payloads. Once deployed, Vidar is designed to harvest access credentials and other sensitive information from infected machines, reinforcing its reputation as a flexible and dangerous data-stealer.
Countermeasures
PEC managers, working with CERT-AGID, have already taken steps to mitigate the campaign. Indicators associated with this activity have been shared via CERT-AGID’s IoC feed to PEC providers and accredited entities to aid detection and blocking efforts. Users and administrators are encouraged to exercise caution with PEC communications that include links or attachments that look unusual, and to forward suspicious messages to [email protected] for analysis and reporting.
Indicators of Compromise
For transparency and to assist defenders, the IoCs identified during this incident have been published. A downloadable JSON containing the indicators is available from CERT-AGID and includes URLs, domains, and related artifacts used in the campaign.
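The JSON feed, the switch from JS to VBS attachments and the reliance on .top domains are all things a mail-gateway or SOC analyst can turn into a triage check. The following Python is an added example, not CERT-AGID's code, and it does not know the real layout of vidar_11-11-2024.json: the feed sample, the key names `url` and `domain`, and the key=value mail-log lines are all constructed here as assumptions. It loads indicator URLs and domains from the feed, derives hostnames from the URLs so that a changed download path (as in this wave) still matches on the domain, and then flags log lines for an exact IoC URL hit, an IoC domain hit, a script-type attachment (.vbs, .js and relatives) or, at lower confidence, a .top hostname that is not yet in the feed.

```python
"""Triage mail-gateway log lines against an IoC feed (added example, not CERT-AGID code).

Assumptions: the feed is a JSON object with "url" and "domain" lists whose entries
are strings or {"value": ...} objects; log lines are space-separated key=value pairs.
Both are constructed samples, not the real feed or real logs.
"""
import json
import re
from urllib.parse import urlparse

# Constructed feed sample in the assumed layout (not the real vidar_11-11-2024.json).
FEED_TEXT = json.dumps({
    "url": [
        "http://ioc-example-1.top/get/Documento.vbs",
        "https://ioc-example-2.top/r/x",
    ],
    "domain": ["ioc-example-3.top"],
})

# Constructed mail-gateway log lines (not real traffic); "-" means the field is absent.
MAIL_LOG = [
    "ts=2024-11-11T09:01:12Z from=mittente@pec.example.it to=ufficio@pec.example.org "
    "attachment=fattura.pdf url=https://www.example.org/info",
    "ts=2024-11-11T09:02:40Z from=notifiche@pec.example.it to=amministrazione@pec.example.org "
    "attachment=Documento.vbs url=http://ioc-example-1.top/get/Documento.vbs",
    "ts=2024-11-11T09:03:05Z from=info@pec.example.it to=ufficio@pec.example.org "
    "attachment=- url=https://another-site.top/landing",
    "ts=2024-11-11T09:04:51Z from=segreteria@pec.example.it to=protocollo@pec.example.org "
    "attachment=avviso.js url=-",
]

# Script attachment types seen in this and the previous wave (VBS now, JS before) plus close relatives.
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf")
KV_RE = re.compile(r"(\w+)=(\S+)")


def host_of(url):
    """Lower-cased hostname of a URL, or None if it cannot be parsed."""
    try:
        host = urlparse(url).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def load_iocs(feed_text):
    """Return (urls, domains) as lower-cased sets; URL hosts are added to domains."""
    data = json.loads(feed_text)

    def values(key):
        out = set()
        for item in data.get(key, []):
            value = item.get("value") if isinstance(item, dict) else item
            if isinstance(value, str):
                out.add(value.strip().lower())
        return out

    urls = values("url")
    domains = values("domain")
    domains |= {h for h in map(host_of, urls) if h}
    return urls, domains


def parse_log_line(line):
    """Turn 'k=v k=v ...' into a dict (constructed log format)."""
    return dict(KV_RE.findall(line))


def classify(fields, urls, domains):
    """List the reasons a log line deserves attention, in fixed order."""
    reasons = []
    url = fields.get("url", "-")
    if url != "-":
        host = host_of(url)
        if url.lower() in urls:
            reasons.append("ioc_url")
        if host and host in domains:
            reasons.append("ioc_domain")
        elif host and host.endswith(".top"):
            reasons.append("top_tld")  # campaign heuristic, not a confirmed indicator
    attachment = fields.get("attachment", "-")
    if attachment != "-" and attachment.lower().endswith(SCRIPT_EXTENSIONS):
        reasons.append("script_attachment")
    return reasons


def scan(lines, feed_text):
    """Return one record per flagged line with timestamp, recipient and reasons."""
    urls, domains = load_iocs(feed_text)
    hits = []
    for line in lines:
        fields = parse_log_line(line)
        reasons = classify(fields, urls, domains)
        if reasons:
            hits.append({"ts": fields.get("ts"), "to": fields.get("to"), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(MAIL_LOG, FEED_TEXT):
        print(hit)
```

Matching on the derived hostname rather than only the full URL is the point of the `load_iocs` step: the text notes that the attackers kept their templates and domains but changed the download URLs, so a path-level match alone would go stale within days. The `top_tld` and `script_attachment` reasons are heuristics that should route a message to review, not block it outright, since legitimate PEC traffic can also carry .top links or script attachments.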