Vidar malware is distributed by tricking users into downloading fake versions of Windows 11

An information-stealing malware family known as Vidar is being spread through bogus Microsoft Windows 11 download sites that try to trick users into downloading malicious installation packages.

Vidar Malware

The spoofed websites were built to distribute malicious ISO files that ultimately infect the endpoint with the Vidar information stealer, according to a report published by Zscaler. According to the details made public, these Vidar variants retrieve their command-and-control (C2) configuration from social media accounts under the attackers' control.

Malicious distribution domains such as ms-win11[.]com, win11-serv[.]com, win11install[.]com, and ms-teams-app[.]net were all registered on April 20.

According to the cybersecurity firm, the same threat actor also spreads Vidar through backdoored versions of Adobe Photoshop and other legitimate programs such as Microsoft Teams.

The executable inside the ISO is signed with an Avast certificate that was probably stolen during the breach of that company in October 2019, and it is unusually large (over 300 MB), since many security products skip scanning or sandboxing very large files. A valid signature only proves which key signed the file; before trusting an installer, check that the signer's subject is the publisher you expect, not merely that the signature verifies.

The actual Vidar payload is a 3.3 MB executable embedded in a binary of roughly 330 MB; the remainder is padding made up of repeated 0x10 bytes, added purely to inflate the file size.
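A triage heuristic for this padding trick, as an added example (not code from the article or from Zscaler): it measures how much of a file is one repeated byte value, the longest run of that value, and where the PE section data ends, so an analyst can separate a 330 MB "installer" that is 3.3 MB of code plus 0x10 padding from a genuinely large program. The thresholds, the minimal PE-shaped sample image and the helper names are assumptions made for this example.

```python
"""Triage heuristic for executables inflated with repeated-byte padding.

Added example, not code from the article or from Zscaler. Thresholds and the
constructed sample image below are assumptions made for this example.
"""
import re
import struct

SUSPICIOUS_FRACTION = 0.50  # assumed: flag when >= 50% of the file is one byte value
LARGE_FILE_BYTES = 64 * 1024 * 1024  # assumed: only worry about files this big or bigger


def pe_section_end(data: bytes):
    """Return the file offset where the last PE section's raw data ends.

    Returns None when the image is not a parseable PE file.
    """
    try:
        if data[:2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
        opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
        table = e_lfanew + 24 + opt_size  # section table follows the optional header
        end = 0
        for i in range(n_sections):
            # SizeOfRawData and PointerToRawData sit at +16 in each 40-byte section header
            raw_size, raw_ptr = struct.unpack_from("<II", data, table + i * 40 + 16)
            end = max(end, raw_ptr + raw_size)
        return end
    except struct.error:
        return None


def padding_report(data: bytes) -> dict:
    """Summarise single-byte padding in a file image."""
    if not data:
        return {"size": 0, "top_byte": None, "top_fraction": 0.0,
                "longest_run": 0, "section_end": None, "overlay_fraction": 0.0}
    # bytes.count runs in C, so 256 passes stay fast even on a 330 MB file
    top_byte = max(range(256), key=lambda b: data.count(bytes([b])))
    top_count = data.count(bytes([top_byte]))
    # longest contiguous run of the dominant byte (the 0x10 padding, in Vidar's case)
    runs = re.finditer(re.escape(bytes([top_byte])) + b"+", data)
    longest = max((m.end() - m.start() for m in runs), default=0)
    section_end = pe_section_end(data)
    overlay = len(data) - section_end if section_end is not None else 0
    return {
        "size": len(data),
        "top_byte": top_byte,
        "top_fraction": top_count / len(data),
        "longest_run": longest,
        "section_end": section_end,
        "overlay_fraction": max(overlay, 0) / len(data),
    }


def is_suspicious(report: dict, min_size: int = LARGE_FILE_BYTES) -> bool:
    """Large file dominated by one byte value: likely padded to dodge scanners."""
    return report["size"] >= min_size and report["top_fraction"] >= SUSPICIOUS_FRACTION


def build_padded_sample(payload: bytes, pad_len: int, pad_byte: int = 0x10) -> bytes:
    """Constructed sample: a minimal PE-shaped header, one section, then padding."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)        # e_lfanew -> PE header at 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x40 + 6, 1)       # NumberOfSections
    struct.pack_into("<H", hdr, 0x40 + 20, 0)      # SizeOfOptionalHeader (none in this stub)
    sec = 0x40 + 24                                 # first section header
    hdr[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<II", hdr, sec + 16, len(payload), 0x80)  # SizeOfRawData, PointerToRawData
    return bytes(hdr) + payload + bytes([pad_byte]) * pad_len


if __name__ == "__main__":
    sample = build_padded_sample(bytes(range(256)) * 4, 100_000)
    rep = padding_report(sample)
    print(rep, "suspicious:", is_suspicious(rep, min_size=0))
```

Run it against a real file with `padding_report(open(path, "rb").read())`; a padded installer shows a top byte fraction near 1.0 and a longest run in the hundreds of megabytes, while a legitimate large installer (compressed resources, embedded archives) spreads its byte values far more evenly. The overlay fraction tells you whether the padding was appended after the sections or buried inside one.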

Once the malware has connected to its remote command-and-control (C2) server, the next stage of the attack chain has it download two legitimate DLLs, Sqlite3.dll and Vcruntime140.dll, which are used in the subsequent phase of the attack (Vidar relies on SQLite to read the browser databases it steals credentials from).

The threat actor also stores the C2 IP address in the profile description of a Mastodon account and in the description of a Telegram channel. Because the malware fetches a public page on a legitimate service to find its C2, blocking a single hard-coded attacker domain does not cut off the C2 path; the attacker only needs to edit the description to rotate the address.

As previously reported, Vidar has also been spread through Microsoft Compiled HTML Help (CHM) files and through a loader known as Colibri.

According to researchers, victims can be lured into installing Vidar with themes built around popular software products.

Users should be cautious when downloading programs from the Internet. As a best practice, download software only from the product manufacturer's official website, and treat a recently registered lookalike domain (such as the ms-win11[.]com style domains above) as a warning sign regardless of how polished the download page looks.


About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her drive for simplicity and well-researched information provides users with easy-to-follow IT-related tips and step-by-step tutorials.