Original Release Date: 1/12/2023
A SEKOIA threat analyst discovered a new typosquatting campaign that uses look-alike domains to distribute information-stealer malware. The domains impersonate over 1,300 brands, including AnyDesk, MSI Afterburner, 7-ZIP, Blender, Dashlane, Slack, VLC, OBS, and many cryptocurrency trading platforms. Users who visit any of these fake domains are redirected to the same fake AnyDesk website, hosted at IP address 185.149.120[.]9. This website directs users to a Dropbox link advertising an AnyDesk installer; however, the file, called AnyDeskDownload.zip, instead delivers the Vidar information stealer. Vidar steals victim data and sends it to the threat actor's command-and-control server. This data includes browser activity, saved passwords, login credentials, cryptocurrency wallet information, and banking information.
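As an added illustration of how a defender might hunt for this pattern in proxy or DNS logs (example code written for this advisory, not from SEKOIA or the NJCCIC): the script below flags hostnames whose registrable label is a near-miss of an impersonated brand and destinations that match the reported redirect IP. The brand list is a subset of the names above, the log lines are constructed, and the edit-distance thresholds are assumptions to tune against your own traffic.

```python
BRANDS = ["anydesk", "msiafterburner", "7zip", "blender", "dashlane", "slack", "vlc", "obs"]  # subset of brands named in the advisory
KNOWN_BAD_IPS = {"185.149.120.9"}  # redirect target from the advisory, defanged brackets removed

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one- or two-character typosquats score 1 or 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(host: str) -> str:
    """Second-level label, lowercased, hyphens removed (multi-part TLDs like co.uk are out of scope)."""
    parts = host.lower().split(".")
    return (parts[-2] if len(parts) >= 2 else parts[0]).replace("-", "")

def typosquat_match(host: str):
    """Return (brand, reason) when the label imitates a brand, else None."""
    label = registrable_label(host)
    if label in BRANDS:  # the genuine brand label is not a typosquat
        return None
    for brand in BRANDS:
        limit = 1 if len(brand) <= 5 else 2  # assumed thresholds; stricter for short names like vlc
        if edit_distance(label, brand) <= limit:
            return (brand, f"edit distance <= {limit}")
        if len(brand) >= 5 and brand in label:  # e.g. brand + "download"
            return (brand, "brand name embedded in label")
    return None

# Constructed proxy log lines "host destination_ip", not real traffic.
SAMPLE_LOG = """\
anydesk.com 104.16.0.1
anydeskk.com 185.149.120.9
slack-download.net 203.0.113.7
example.com 93.184.216.34
"""

def scan_log(text: str):
    hits = []  # [(host, [reasons])] for lines that deserve a closer look
    for line in text.splitlines():
        host, ip = line.split()
        reasons = []
        match = typosquat_match(host)
        if match:
            reasons.append(f"typosquat of {match[0]} ({match[1]})")
        if ip in KNOWN_BAD_IPS:
            reasons.append(f"destination is the campaign redirect IP {ip}")
        if reasons:
            hits.append((host, reasons))
    return hits
```

Short brand names (vlc, obs) will produce false positives against ordinary words, so in practice the brand list and thresholds need tuning before alerting on the result.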
Analysts assess that threat actors are using Dropbox instead of a more obfuscated source because anti-virus tools are less likely to flag Dropbox links. At the time of this writing, the Dropbox link used to download this malware has been flagged and taken down. However, the threat actors behind this campaign can easily create a new Dropbox link to continue propagating the information stealer.
The NJCCIC advises users to only download software from official websites or legitimate vendors and avoid pirated software from unofficial sources. Users are urged to avoid opening suspicious links or email attachments without verifying the authenticity of the sender. A complete list of domains associated with this campaign can be found in the GitHub text file.