BleepingComputer reports that threat actors have been spreading the Vidar info-stealing malware through a malicious ad for the GNU Image Manipulation Program, which redirects to a phishing website impersonating the legitimate GIMP.org website.
Until last week, searching Google for 'GIMP' returned an ad that led to the phishing site, which delivered a malicious executable named 'Setup.exe'. The attackers used binary padding to make the malware file, which is under 5 MB, appear to be 700 MB.
BleepingComputer found that 'Setup.exe' retrieves a file named 'Htcnwiij.bmp', actually a DLL used to execute the malware, from a Russia-based URL. After contacting its command-and-control server, Setup.exe downloads second-stage payloads. Vidar then exfiltrates browser data, cryptocurrency wallets, mail client data, file transfer application details, and Telegram for Windows credentials.
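A defender-side check for the binary-padding trick described above, added here as an example and not taken from BleepingComputer's report: it measures how much of a file is a trailing run of one byte value, how much is a single dominant byte value, and estimates the size of the real payload. The 0.5 threshold and the sample bytes are constructed assumptions, not values from the campaign.

```python
from collections import Counter

# Assumed threshold: flag a file when more than half of it is padding.
PAD_RATIO_THRESHOLD = 0.5


def trailing_run(data: bytes) -> tuple[int, int]:
    """Return (byte_value, run_length) for the run of identical bytes that ends the file."""
    if not data:
        return (0, 0)
    last = data[-1:]
    # rstrip with a single byte removes exactly the trailing run of that byte.
    return (last[0], len(data) - len(data.rstrip(last)))


def dominant_byte(data: bytes) -> tuple[int, float]:
    """Return the most frequent byte value and the fraction of the file it occupies."""
    if not data:
        return (0, 0.0)
    value, count = Counter(data).most_common(1)[0]
    return (value, count / len(data))


def padding_report(data: bytes, threshold: float = PAD_RATIO_THRESHOLD) -> dict:
    """Summarise padding indicators for one file image and flag it if either ratio is high."""
    size = len(data)
    pad_byte, run = trailing_run(data)
    dom_byte, dom_ratio = dominant_byte(data)
    tail_ratio = run / size if size else 0.0
    return {
        "size": size,
        "tail_pad_byte": pad_byte,
        "tail_pad_len": run,
        "tail_pad_ratio": round(tail_ratio, 4),
        "dominant_byte": dom_byte,
        "dominant_ratio": round(dom_ratio, 4),
        "payload_estimate": size - run,  # bytes that precede the trailing padding
        "flagged": tail_ratio > threshold or dom_ratio > threshold,
    }


def check_file(path: str) -> dict:
    """Convenience wrapper: read a file from disk and report on it."""
    with open(path, "rb") as f:
        return padding_report(f.read())


# Constructed sample: a small "binary" containing no zero bytes, then ~1 MB of zero padding.
SAMPLE_PAYLOAD = bytes(range(1, 256)) * 16  # 4080 bytes, last byte is 0xFF
SAMPLE_PADDED = SAMPLE_PAYLOAD + b"\x00" * 1_000_000

if __name__ == "__main__":
    for name, blob in (("unpadded", SAMPLE_PAYLOAD), ("padded", SAMPLE_PADDED)):
        print(name, padding_report(blob))
```

For inflated samples of several hundred megabytes, read the file through mmap rather than into a bytes object; the trailing-run check only needs the tail of the file.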
According to an analysis from Kaspersky, malicious posts on torrent trackers and forums offering instructions for downloading cracked software are used to deploy SteelFox and obtain administrator access, which is then leveraged to install the WinRing0.sys driver, a driver vulnerable to privilege escalation via CVE-2020-14979 and CVE-2021-41285.
Malicious emails posing as invoices carry ZIP attachments that lead to the execution of a DLL retrieved over WebDAV, which in turn loads the updated Strela Stealer variant.
Pro-Russian hacktivist operations Killnet and Passion have used Dstat.cc to promote their DDoS capabilities, with Passion touting its ability to launch layer 4 and layer 7 attacks, according to Germany's Federal Criminal Police Office (BKA).