Vidar distributed through backdoored Windows 11 downloads and abusing Telegram

ThreatLabz uncovered a campaign distributing Vidar infostealer via backdoored Windows 11 ISO downloads that spoof the official Windows 11 portal. The malware retrieves its C2 configuration from attacker-controlled social media channels on Telegram and Mastodon, and threat actors also host backdoored Adobe Photoshop on GitHub to spread Vidar. #Vidar #ThreatLabz #Telegram #Mastodon #AdobePhotoshop #AVAST #Themida #Windows11 #GitHub

Keypoints

  • ThreatLabz discovered newly registered domains spoofing the official Windows 11 download portal.
  • The spoofed domains distribute malicious ISO files containing Vidar infostealer samples.
  • The malware’s C2 configuration is fetched from attacker-controlled social media channels on Telegram and Mastodon.
  • A related campaign uses backdoored versions of Adobe Photoshop hosted on attacker-controlled GitHub.
  • Vidar samples are packed with Themida and inflated in size (over 330 MB) with padding; the binary is signed with an Avast certificate that is expired.
  • Social media dead drops (Telegram channels and Mastodon profiles) function as first-stage resolvers for C2 addresses.

MITRE Techniques

  • [T1036] Masquerading – The threat actor registered domains that masquerade as the official Windows 11 download page. ‘The threat actor registered several domains beginning 20th April 2022 that host web pages that masquerade as the official Microsoft Windows 11 download page’
  • [T1566] Phishing – Social engineering to impersonate popular legitimate software applications to distribute Vidar malware. ‘ThreatLabz believes that the same threat actor is actively leveraging social engineering to impersonate popular legitimate software applications to distribute Vidar malware, as we have also identified an attacker-controlled GitHub repository which hosts several backdoored versions of Adobe Photoshop.’
  • [T1071] Application Layer Protocols – C2 addresses fetched from attacker-controlled social media accounts on Telegram and Mastodon. ‘All the binaries involved in this campaign fetch the IP addresses of the C2 servers from attacker-registered social media accounts on the Telegram and Mastodon networks.’
  • [T1105] Ingress Tool Transfer – Libraries are downloaded from the C2, including update.zip containing DLLs. ‘The following libraries are downloaded from the C2:’
  • [T1116] Code Signing – The binary is signed with an Avast certificate (expired). ‘The binary inside the ISO file is digitally signed with a certificate by AVAST. However, this certificate is expired and hence invalid.’
  • [T1027] Obfuscated/Compressed Files and Information – Vidar samples are packed with Themida and inflated in size with padding. ‘The Vidar samples in these campaigns are all packed with Themida … and over 330MB in size. However, the sample contains a PE file that is only around 3.3MB. Figure 3 shows that the rest of the file content is just artificially filled up with 0x10 bytes to increase the file’s size.’
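The padding trick described in the T1027 entry (a ~3.3 MB PE inflated to over 330 MB with filler bytes) is easy to flag during triage if you compare the file size with the extent of the PE image as declared by its section table. The following is an added example written for this summary, not code from the Zscaler post or from Vidar itself: it computes the true end of the PE from the section headers, measures the trailing overlay, and reports whether that overlay is dominated by a single repeated byte. The `build_sample` helper fabricates a minimal synthetic PE32 so the script runs offline; the 0x10 filler value is the one reported in the write-up, and the thresholds in `padding_report` are assumptions you would tune for your own environment.

```python
"""Triage heuristic for artificially inflated PE samples.

Added example (not from the Zscaler post): computes the extent of the PE
image from its section table and measures how much of the file is trailing
filler, so an analyst can spot samples padded with a repeated byte (the
write-up reports 0x10) to push the file past scanner and sandbox size limits.
"""
import struct
from collections import Counter


def pe_extent(data: bytes) -> int:
    """Return the end offset of the last section's raw data (the true PE size)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)   # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, coff + 16)      # SizeOfOptionalHeader
    sec_tbl = coff + 20 + opt_size
    end = sec_tbl + num_sections * 40                          # at least the headers
    for i in range(num_sections):
        off = sec_tbl + i * 40
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def padding_report(data: bytes) -> dict:
    """Describe the overlay after the PE image and flag single-byte filler."""
    end = pe_extent(data)
    tail = data[end:]
    top_byte, top_count = (Counter(tail).most_common(1) or [(None, 0)])[0]
    ratio = len(tail) / len(data) if data else 0.0
    dominant = top_count / len(tail) if tail else 0.0
    return {
        "pe_size": end,
        "file_size": len(data),
        "overlay_size": len(tail),
        "overlay_ratio": ratio,
        "dominant_byte": top_byte,
        "dominant_fraction": dominant,
        # Assumed thresholds: most of the file is overlay, and the overlay is
        # almost entirely one byte value. Legitimate overlays (installers,
        # signatures) are varied; filler is not.
        "suspicious": ratio > 0.5 and dominant > 0.9,
    }


def build_sample(padding: bytes) -> bytes:
    """Construct a minimal synthetic PE32 with one section, then append filler.

    This is a constructed test input, not a real sample.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = b"\0" * 0xE0                    # PE32 optional header; contents unused here
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sec_tbl = e_lfanew + 4 + 20 + len(opt)
    raw_ptr = sec_tbl + 40                # raw data follows the single section header
    raw_size = 0x200
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", 0x200, 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    body = dos + b"PE\0\0" + coff + opt + section + b"\xCC" * raw_size
    return body + padding


if __name__ == "__main__":
    # Constructed cases: an unpadded file and one inflated with 0x10 bytes.
    for label, blob in (("clean", build_sample(b"")),
                        ("padded", build_sample(b"\x10" * 8192))):
        print(label, padding_report(blob))
```

In production you would run `padding_report` over the binary extracted from the ISO rather than over the ISO itself, and pair the size heuristic with the other observables the post lists (Themida packing, the expired Avast certificate) rather than treating a large overlay alone as conclusive.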

Indicators of Compromise

  • [Hash] MD5 hashes observed in this campaign – 52c47fdda399b011b163812c46ea94a6, 6352540cf679dfec21aff6bd9dee3770, 6ae17cb76cdf097d4dc4fcccfb5abd8a, da82d43043c101f25633c258f527c9d5, e9a3562f3851dd2dba27f90b5b2d15c0
  • [Domain] Spoofed Windows 11 download domains – ms-win11[.]com, ms-win11.midlandscancer[.]com, win11-serv4[.]com, win11-serv[.]com, win11install[.]com, ms-teams-app[.]net
  • [URL] C2 address fetch URLs – https://t.me/btc20220425, https://ieji.de/@ronxik213, https://koyu.space/@ronxik123, https://t.me/mm20220428
  • [URL] ISO file fetch URLs – files.getsnyper[.]com/files/msteams/Setup.iso, files.getsnyper[.]com/files/windows11/Setup.iso, files.getsnyper[.]com/files/msteamsww/Setup.iso
  • [IP] Actual C2 addresses – 195.201.250.209, 107.189.11.124, 5.252.178.50

Read more: https://www.zscaler.com/blogs/security-research/vidar-distributed-through-backdoored-windows-11-downloads-and-abusing