Security researchers have found a new collection of phishing domains offering up fake Windows 11 installers that deliver information-stealing malware. Cybersecurity firm Zscaler said that newly registered domains appeared in April 2022 and have been designed to mimic the legitimate Microsoft Windows 11 OS download portal. ‘Warez’ sites containing pirated material, including software and games, are notorious as hotbeds of malicious malware packages, including Trojans, information stealers, adware, and nuisanceware. Cracked forms of software are often offered for free and users who download the software are usually trying to avoid paying for software licenses or gaming content. A brief scan of active warez sites reveals listings for Windows, macOS, and Linux applications, including Adobe Photoshop, various creative applications, enterprise versions of Windows software, and a host of films and games.
However, users who download these applications might also receive malware – and the same applies when downloading trusted software from a suspicious web address. In the case documented by Zscaler, Vidar is spread by the threat actors through phishing and social media networks, including Mastodon, which are widely abused to facilitate attacks. Mastodon is decentralized, open-source software used to run self-hosted social networks. In two instances, the cybercriminals created new user accounts and stored Command and Control (C2) server addresses in their ‘profile’ sections. In a new development, the Vidar group is also opening Telegram channels with the same C2 stored in the channel description. By doing so, malware implanted on vulnerable systems can fetch a C2 configuration from these channels.
Vidar is a nasty form of malware able to spy on users and steal their data, including OS information, browser history, online account credentials, financial data, and various cryptocurrency wallet credentials. Vidar is also spread through the Fallout exploit kit. While the fake website pretends to be the official download portal, the malicious file on offer is an .ISO hiding the Vidar payload and packed with Themida. A static configuration is used to access the C2, but social media profiles can also be used as backup URLs. In addition to the .ISO files being distributed as fake Windows 11 installers, Zscaler also uncovered a GitHub repository storing backdoored versions of Adobe Photoshop, another popular option for warez sites.