{"id":7214,"date":"2021-10-25T16:59:45","date_gmt":"2021-10-25T23:59:45","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=7214"},"modified":"2024-08-07T12:18:24","modified_gmt":"2024-08-07T19:18:24","slug":"swift-themed-malspam-delivers-vidar-infostealer","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/swift-themed-malspam-delivers-vidar-infostealer\/","title":{"rendered":"SWIFT-Themed Malspam Delivers Vidar Infostealer"},"content":{"rendered":"

Author: Christopher Kim<\/strong><\/h3>\n

 <\/p>\n

1. Overview<\/h3>\n

On 20 October, Infoblox observed a malicious email campaign distributing the infostealer Vidar and using a SWIFT payment theme in the messages. The features of the Vidar file used in this campaign closely resembled those of the Vidar file we observed last year.1<\/sup><\/a><\/p>\n

2. Customer impact<\/h3>\n

Vidar was first discovered in October 2018.2<\/sup><\/a> It is written in C++ and is a variant of the Arkei infostealer. The developers of Vidar sell it as a malware-as-a-service (MaaS), and cyber criminals can customize and control it through a web control panel.<\/p>\n

After compromising a victim\u2019s machine, Vidar exfiltrates data from web browsers, cryptocurrency wallets, messenger software, and two-factor authentication software.<\/p>\n

3. Campaign analysis<\/h3>\n

All emails in this campaign had the subject line Pro-Forma Invoice- 8552616 Oil_Field_Meterials EXW 19\/10\/2021<\/em>, the From name Crayonsglobal. Passive DNS (pDNS) indicates that the IP address used to send the emails is mapped to nearly 50 other domains that host Vidar and other malicious payloads. Many of these domains use a Dynamic DNS and the web-hosting provider that appears to be widely abused by phishing and malware campaigns, including those conducted by advanced persistent threat (APT) groups.3<\/sup><\/a><\/p>\n

4. Attack chain<\/h3>\n

The infection chain begins when a recipient opens the email attachment, Invoice- 245678909 Oil_Field_Swift_remmitance.doc.<\/em> The Visual Basic for Applications (VBA) macros embedded in the document execute a script, leastenter.cmd, which launches PowerShell to download the Vidar executable, write it to \\Documents\\littlelittle.exe, and then execute it.<\/p>\n

Next, Vidar downloads several dynamic-link library (DLL) files that allow access to data of various applications. Vidar uses these dependencies to steal data, compiles it into a ZIP file, and sends it back to the C&C. Finally, Vidar deletes itself and all the libraries it downloaded.<\/p>\n

\"\"<\/p>\n

5. Vulnerabilities and mitigation<\/h3>\n

Vidar can severely damage an organization\u2019s financial well-being and reputation. Organizations should reduce their attack surface by strengthening security in two areas: (1) handling of emails, which are Vidar\u2019s primary attack vector, and (2) DNS, which Vidar uses to find locations for downloading payloads. We recommend the following actions for reducing the possibility of succumbing to an attack by Vidar:<\/p>\n