Vidar Stealer Malware Campaign
The Australian Cyber Security Center (ACSC) is warning organizations of an ongoing malware campaign using the ClickFix social engineering technique to distribute the Vidar Stealer info-stealing malware. ClickFix is a social engineering attack technique that tricks users into executing malicious commands, usually through fake CAPTCHA or browser verification prompts displayed on compromised or malicious websites.
Attack Technique
The attack typically tricks users into executing PowerShell commands to bypass security controls and deliver malware, typically info-stealers. Australian organizations and infrastructure entities are being targeted in attacks that involve compromised WordPress websites that redirect to malicious payloads.
Users visiting these websites are shown a fake Cloudflare verification or CAPTCHA prompt that instructs them to copy and manually execute a malicious PowerShell command on their system, which leads to a Vidar Stealer infection. The Australian Signals Directorate’s Australian Cyber Security Center (ASD's ACSC) has observed ClickFix-associated activity leveraging WordPress-hosted infrastructure to distribute the Vidar Stealer malware.
Vidar Stealer Malware
Vidar Stealer is an information-stealing malware family and malware-as-a-service (MaaS) operation that emerged in late 2018. It gradually became a popular choice among cybercriminals for its cost-effectiveness, ease of deployment, and broad data theft capabilities. It targets browser passwords, cookies, cryptocurrency wallets, autofill information, and system details.
It has been observed in ClickFix attacks, promoted through Windows fixes, TikTok videos, and GitHub. Last year, the developer released a new version with upgraded capabilities. ACSC notes that Vidar deletes its executable after launching on the infected device and then operates from system memory, reducing forensic artifacts.
Command-and-Control (C2) Address
It retrieves a command-and-control (C2) address via “dead-drop” URLs using public services like Telegram bots and Steam profiles, a tactic that has been widely used in the past but which remains effective.
Recommendations
ACSC recommends that organizations restrict PowerShell execution and implement application allow-listing to reduce the risk from these attacks. WordPress site administrators are also advised to apply available security updates for themes and add-ons, and to remove any unused themes/plugins from their platforms.
ACSC's security bulletin provides indicators of compromise (IoCs) for these attacks, allowing organizations to set up defenses or detect intrusions. By following these recommendations, organizations can reduce the risk of falling victim to these attacks and protect their sensitive information.
- Restrict PowerShell execution
- Implement application allow-listing
- Apply available security updates for themes and add-ons
- Remove any unused themes/plugins from their platforms
For more information, organizations can refer to ACSC's security bulletin, which provides detailed guidance on how to protect against these attacks.
Related Attacks
ClickFix attacks have been used to distribute other types of malware, including New macOS stealer campaign and Infinity Stealer malware. These attacks highlight the importance of being vigilant and taking proactive steps to protect against social engineering attacks.
99% of What Mythos Found Is Still Unpatched. AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.
At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what's exploitable, proves controls hold, and closes the remediation loop. Claim Your Spot and stay ahead of the latest threats.
Source: BleepingComputer