A recent malware campaign has been identified targeting Italian users through their certified email accounts, delivering the Vidar infostealer as its primary payload. This campaign relies on malspam, where emails designed to look legitimate are sent to unsuspecting users, prompting them to click a link within the message. Upon interaction, a JavaScript downloader is activated, which proceeds to execute a series of steps aimed at deploying Vidar on the target system.
The method used in this campaign begins with a JavaScript file that, once downloaded and opened, triggers a PowerShell script. This script is responsible for the final steps in retrieving and launching the Vidar infostealer, which is known for its ability to steal sensitive information. Vidar is particularly adept at extracting data such as login credentials, banking information, and other personal data stored in browsers, making it a potent threat for both individual and business users.
Security experts have noted that malicious indicators associated with this campaign are being actively blocked and monitored by VMware Carbon Black’s policies. These policies recommend robust blocking measures to prevent the execution of known, suspect, and potentially unwanted programs. By delaying malware execution for cloud-based scans, Carbon Black’s system leverages its cloud reputation service, offering an added layer of defense.
Users are urged to exercise caution when interacting with emails that request unexpected actions, especially when dealing with financial or official documents through certified email systems. Keeping antivirus software updated, relying on reputable security providers, and avoiding unknown links are recommended practices for reducing the risk of falling victim to such campaigns.
Reference: