A major impersonation campaign is aiming to distribute the Vidar infostealer to as many endpoints as possible.
Cybersecurity researcher from SEKOIA, going under the name crep1x, discovered the campaign and rang the alarm on Twitter. In a short Twitter threat, the researcher said he discovered more than 1,300 domains, all of which impersonate major software brands to push the malware (opens in new tab).
The brands impersonated in this campaign include AnyDesk, MSI Afterburner, 7-ZIP, Blender, Dashlane, Slack, VLC, OBS, and cryptocurrency trading apps, to name a few. All of these impersonated brands lead to the same website, a clone of AnyDesk.
Stealing passwords and cryptocurrency
Victims that navigate to these sites and try to download the application would be redirected to a Dropbox folder hosting the Vidar infostealer. A variant of the Arkei infostealer, Vidar is capable of stealing credit cards, login credentials, files, and grab screenshots. It is also capable of stealing cryptocurrencies, such as bitcoin or ether, from the victim’s hot wallets (software wallets).
According to BleepingComputer, which reported on crep1x’s findings earlier this week, the campaign is still active and many of the typosquatted domains are still active. Some have been shut down in the meantime. Dropbox was also notified of its services being abused to distribute malware and has killed the link in the meantime.
However, given that all of the malicious sites point to the same place, the threat actors can persist easily by simply updating the download URL.
The best way to protect against such attacks is to be extra careful when downloading software and making sure the apps are only obtained from verified sources. That being said, navigating to the AnyDesk website (as opposed to clicking a supposed AnyDesk link in an email or a social media post) is a good place to start.
Via: BleepingComputer (opens in new tab)