Vidar Malware Spreads Through Fake CAPTCHAs and Concealed in Image and Text Files
Malicious Campaign Exploits User Trust, Leverages Steganography
Researchers have discovered a sophisticated malware campaign that exploits user trust and uses steganography to deliver a new version of the notorious Vidar infostealer.
The Attack Chain
The attack, attributed to the Lat61 Threat Intelligence Team, involves a multi-stage infection chain that starts with a VBScript and PowerShell script leading to the deployment of a Go-compiled loader.
Steganography and Image Files
To evade detection, the malware uses image files as covert carriers: the loader scans these files for secret markers and extracts the Base64-encoded data hidden after them, so the payload never has to appear on disk as an obviously executable file.
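As an added illustration (not from the article, and not the researchers' own tooling), the following Python script shows how a defender can triage an image file for a hidden payload of the kind described above: it parses past the image's end-of-image terminator (the PNG IEND chunk or the JPEG EOI marker), reports any trailing bytes, and looks for a marker followed by Base64 text. The marker string, the sample PNG and the hidden content are all constructed for the demonstration; the real campaign's marker is not given in the article.

```python
import base64
import binascii
import hashlib
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"

# Constructed placeholder marker for this demo only. The marker used by the
# real campaign is not stated in the article; a triage tool would take the
# marker (or a list of candidate markers) from the analyst's own IoC set.
DEMO_MARKER = b"<<DEMO-MARKER>>"


def image_end_offset(data: bytes):
    """Return the offset just past the image's end-of-image terminator, or None
    if the data is not a PNG/JPEG or the terminator cannot be found."""
    if data.startswith(PNG_SIG):
        pos = len(PNG_SIG)
        # Walk the chunk list: 4-byte length, 4-byte type, data, 4-byte CRC.
        while pos + 8 <= len(data):
            length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
            pos += 8 + length + 4
            if ctype == b"IEND":
                return pos
        return None
    if data.startswith(JPEG_SOI):
        eoi = data.find(JPEG_EOI)
        return eoi + 2 if eoi != -1 else None
    return None


def scan_for_hidden_payload(data: bytes, marker: bytes = DEMO_MARKER) -> dict:
    """Report bytes appended after the image terminator and, if the marker is
    present, attempt to Base64-decode the text that follows it."""
    result = {"trailing_bytes": 0, "marker_found": False,
              "decoded": None, "decoded_sha256": None}
    end = image_end_offset(data)
    if end is None:
        return result
    trailer = data[end:]
    result["trailing_bytes"] = len(trailer)
    idx = trailer.find(marker)
    if idx == -1:
        return result
    result["marker_found"] = True
    # Take the longest run of Base64 alphabet characters after the marker.
    m = re.match(rb"[A-Za-z0-9+/=\r\n]+", trailer[idx + len(marker):])
    if m:
        try:
            decoded = base64.b64decode(m.group(0))
        except (binascii.Error, ValueError):
            return result
        result["decoded"] = decoded
        result["decoded_sha256"] = hashlib.sha256(decoded).hexdigest()
    return result


def _chunk(ctype: bytes, body: bytes) -> bytes:
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body)))


def build_demo_png() -> bytes:
    """Constructed 1x1 RGB PNG used as the clean carrier for the demo."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
            + _chunk(b"IEND", b""))


def build_tampered_png() -> bytes:
    """Constructed carrier with junk, the demo marker and Base64 text appended,
    mimicking the structure the loader would look for."""
    hidden = base64.b64encode(b"payload-bytes")
    return build_demo_png() + b"junk" + DEMO_MARKER + hidden


if __name__ == "__main__":
    for name, blob in (("clean", build_demo_png()), ("tampered", build_tampered_png())):
        print(name, scan_for_hidden_payload(blob))
```

Any non-zero `trailing_bytes` on an image served from an untrusted source is itself worth a closer look, even when no known marker matches, because legitimate image writers stop at the terminator.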
Living-Off-The-Land Techniques
Once the malware gains access to a device, it employs living-off-the-land (LotL) techniques, utilizing trusted Windows binaries such as WScript, PowerShell, and RegAsm.exe to blend in with normal system processes.
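Because the binaries involved are legitimate, detection has to rest on the parent-child relationships rather than on the executables themselves. The following Python script is an added example (not from the article or the researchers) that runs a process-ancestry check over a handful of constructed process-creation events, in the shape a Sysmon- or EDR-style log would provide, and flags the script-host to PowerShell and PowerShell to RegAsm.exe chains named above. The sample events, the rule names and the CSV layout are all assumptions made for the demonstration.

```python
import csv
from io import StringIO

# Constructed process-creation events (not from the article). Columns are
# process id, parent process id, image name and an abbreviated command line.
SAMPLE_EVENTS = """pid,ppid,image,cmdline
400,1,explorer.exe,explorer.exe
512,400,wscript.exe,wscript.exe invoice.vbs
640,512,powershell.exe,powershell.exe <script>
720,640,RegAsm.exe,RegAsm.exe
800,400,powershell.exe,powershell.exe Get-Process
"""

# Each pattern is an ancestry prefix, child first. A match means the process
# and its immediate ancestors line up with the chain described in the article.
PATTERNS = {
    "script-host-to-powershell": ("powershell.exe", "wscript.exe"),
    "powershell-to-regasm-loader": ("regasm.exe", "powershell.exe", "wscript.exe"),
}


def parse_events(text: str) -> list:
    """Parse the CSV event log into a list of dicts."""
    return list(csv.DictReader(StringIO(text)))


def ancestry(events: list, pid: int) -> list:
    """Return lower-cased image names from the process up through its ancestors,
    stopping when the parent is not present in the log."""
    by_pid = {int(e["pid"]): e for e in events}
    chain = []
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)  # guard against cyclic or reused pids in the log
        chain.append(by_pid[pid]["image"].lower())
        pid = int(by_pid[pid]["ppid"])
    return chain


def detect_lotl_chains(events: list) -> list:
    """Emit one alert per (process, pattern) whose ancestry starts with the pattern."""
    alerts = []
    for e in events:
        chain = ancestry(events, int(e["pid"]))
        for rule, pattern in PATTERNS.items():
            if tuple(chain[:len(pattern)]) == pattern:
                alerts.append({"pid": int(e["pid"]), "rule": rule,
                               "chain": " <- ".join(chain)})
    return alerts


if __name__ == "__main__":
    for alert in detect_lotl_chains(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The explorer.exe-spawned PowerShell session (pid 800) does not fire, which is the point: the same binary is benign or suspicious depending on who launched it, so the rule keys on the chain rather than the image name.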
Data Exfiltration
The ultimate goal of the campaign is data exfiltration, with the malware targeting browser extensions on Google Chrome and Microsoft Edge, as well as crypto wallets, login credentials, and session data.
Stolen Data Transmission
Recommendations
This campaign serves as a reminder of the importance of being cautious when interacting with unfamiliar sources, especially when dealing with downloadable files.
Developers and users should exercise extreme caution when running commands without fully understanding their impact, and ensure that any downloaded files are thoroughly scanned for malware before execution.
The use of image files as covert carriers highlights the ongoing evolution of malware tactics, emphasizing the need for continuous education and awareness among developers, users, and security professionals.
By staying vigilant and adapting to emerging threats, we can better protect ourselves against such sophisticated attacks.
