Hackers made fake Windows 11 download domains to deliver Vidar malware

Fake domains offer Windows 11 installers and deploy info-stealing malware instead

Vidar malware delivered via fake download domainsFake installer offers on malicious domains trick people into installing info-stealer instead of Windows 11

Websites masquerading as the proper Microsoft Windows 11 download portals attempt to trick people into installing the trojanized installation files. Machines get infected with the Vidar information stealer virus once the malicious files get executed.[1] Security researchers report [2] about the new phishing campaigns involving these fake Windows 11 installer pages that deliver cyber infections. The firm observed that newly registered pages first appeared in April 2022 and have been designed to mimic the legitimate Windows 11 versions download page from the beginning.

These domains contain pirating material, software, and games, and are actually filled with hotbeds of malicious malware packages. These pieces can deliver trojans, information stealers, adware, and other dangerous programs and files.[3] These pages were created to deliver malicious ISO files that directly trigger the Vidar info-stealer infiltration on the endpoint.

These pages even contain pieces that could help imitate the official sites too. Some of the rogue domains registered back on April 20th consisted of ms-win11; win11; win11install; ms-teams in their URLs. Researchers also noted the fact that hackers use Telegram:

These variants of Vidar malware fetch the C2 configuration from attacker-controlled social media channels hosted on Telegram and Mastodon network

Leveraging the other legitimate software to deliver the malware

Cybersecurity researchers cautioned that these criminals impersonating the installers and downloads also released campaigns leveraging backdoored versions of Adobe Photoshop, and other software like Microsoft Teams. These methods are also used to deploy Vidar malware.[4]

Cracked forms of software are on the offer website for free, and users can download software from these platforms to avoid paying for the full software license. The active sites were analyzed, and these listings of macOS, Linux, and Windows applications got revealed. Those programs are various creative apps, enterprise versions of Windows software, hosts of files, and videogames.

Downloading these packages leads to infections, and it also is the same for any other download pages that are trusted besides red flags, questionable web addresses, and pre-packed programs.[5] However, this info stealer malware is not delivered via any freeware download page.

Vidar malware is delivered via various attacks and phishing campaigns

The ISO file delivered by the installer contains the executable for the malware and can try to attempt to evade detection by AV solutions. It includes the certificate signing from Avast that is expired. The next infiltration phase includes the connection to the remote command and control server, so the DLL file can be retrieved, and valuable data is gathered from the compromised systems.

Researchers also indicated other Vidar spreading campaigns. The information stealer can be delivered through phishing email campaigns, social media networks like Telegram, and Mastodon, and other attacks. Mastodon is the open-source software used to run self-hosted networks. Threat actors create new user accounts and store C&C server addresses in the profile section of those attacks.

New campaigns also show the leverage of Telegram channels with the same method of C2 addresses stored in the channel description. This way, malware implanted on vulnerable systems can easily gather these configurations from Telegram channels.

These criminals deploying Vidar information stealer show advanced social engineering methods and trick victims into installing the stealer using themes related to the popular software applications and security. Users should always be cautious when downloading anything from the internet.

About the author
Ugnius Kiguolis
Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.

Contact Ugnius Kiguolis
About the company Esolutions