Online Sellers Targeted by New Information-Stealing Malware Campaign (June 15, 2023)

Ref# AL2023_47 | Date: Jun 15th 2023

Description  

Online sellers are being targeted in a new campaign to push the information-stealing malware known as Vidar, allowing threat actors to steal credentials for more damaging attacks. The new campaign launched with threat actors sending complaints to online store admins through email and website contact forms. 

These emails pretend to be from a customer of an online store who had money deducted from their bank account after an alleged order did not properly go through. 

Details 

Online sellers are major targets for these threat actors because credentials to the backend of an eCommerce website enable several types of attack. For example, once a threat actor gains access to an online store's administrator backend, they can inject malicious JavaScript to perform Magecart attacks, in which malicious code steals customers' credit card and personal information during checkout. The name Magecart refers to several hacker groups that use online skimming techniques to steal payment data from e-commerce sites on the Magento platform. Backend access can also be used to steal customer information by generating backups of the store's database, which can then be used to extort victims by threatening to leak the data publicly or sell it to other threat actors unless a ransom is paid.

For this new campaign, the attack vector appears to be fake emails sent to online retailers, pretending to be from a customer in distress. The emails are written to create a sense of urgency, demanding that the retailer issue a refund and investigate the root cause of the problem. When the victim clicks the associated URL, they are shown a website that impersonates Google Drive. Tests done by BleepingComputer indicate this fake Google Drive will either display a bank statement or prompt the user to download the bank statement.

If the site displays the bank statement, it shows a sample bank statement that uses example data, such as the customer name "Jane Doe". In other tests, the fake Google Drive page says a preview is unavailable and prompts the user to download "Bank_statement.pdf". Doing so actually downloads an executable named "bank_statement.scr".

Domains believed to be associated with this campaign are: 

http://bank.verified-docs.org[.]za/
http://chase.sign-docs.org[.]za/
http://documents.cert-docs.net[.]za
http://documents.verified-docs[.]com/
https://bank.cert-docs.net[.]za
https://bank.my-sign-docs[.]com
https://bank.sign-documents[.]net.za
https://bank.sign-documents[.]org.za
https://bank.verified-docs[.]net.za
https://bank.verified-docs[.]org.za
https://bank.verified-docs[.]site
https://chase.cert-docs.co[.]za
https://chase.my-sign-docs[.]org
https://chase.sign-docs.net[.]za
https://chase.sign-docs.org[.]za
https://chase.sign-documents.co[.]za
https://chase.sign-documents.org[.]za
https://documents.cert-docs.co[.]za
https://documents.my-sign-docs[.]org
https://documents.sign-docs.co[.]za
https://documents.verified-docs.org[.]za
https://sign-documents.net[.]za/
https://statements.my-sign-docs.net[.]za/
https://statements.sign-docs.co[.]za/
https://statements.sign-documents.co[.]za/
https://statements.sign-documents.net[.]za/
https://statements.sign-documents.org[.]za/
https://statements.verified-docs.org[.]za/
https://verified-docs[.]com/

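The following script is an added example, not part of the CIRT advisory, showing how a defender can put the indicators above to use: it refangs the advisory's defanged domain list, then sweeps a proxy log for requests to those hosts (or their subdomains) and for downloads whose filename ends in an executable extension such as the ".scr" described in the lure. The indicator list is copied from the advisory; the proxy log lines, the log format and the extension list are constructed assumptions for illustration.

```python
"""Refang the advisory's IoC list and triage proxy log lines against it.

Added example, not part of the advisory. Indicators are copied from the
advisory (Ref# AL2023_47); the log lines and log format are constructed.
"""
import re
from urllib.parse import urlsplit

# Defanged indicators exactly as listed in the advisory.
ADVISORY_IOCS = """
http://bank.verified-docs.org[.]za/
http://chase.sign-docs.org[.]za/
http://documents.cert-docs.net[.]za
http://documents.verified-docs[.]com/
https://bank.cert-docs.net[.]za
https://bank.my-sign-docs[.]com
https://bank.sign-documents[.]net.za
https://bank.sign-documents[.]org.za
https://bank.verified-docs[.]net.za
https://bank.verified-docs[.]org.za
https://bank.verified-docs[.]site
https://chase.cert-docs.co[.]za
https://chase.my-sign-docs[.]org
https://chase.sign-docs.net[.]za
https://chase.sign-docs.org[.]za
https://chase.sign-documents.co[.]za
https://chase.sign-documents.org[.]za
https://documents.cert-docs.co[.]za
https://documents.my-sign-docs[.]org
https://documents.sign-docs.co[.]za
https://documents.verified-docs.org[.]za
https://sign-documents.net[.]za/
https://statements.my-sign-docs.net[.]za/
https://statements.sign-docs.co[.]za/
https://statements.sign-documents.co[.]za/
https://statements.sign-documents.net[.]za/
https://statements.sign-documents.org[.]za/
https://statements.verified-docs.org[.]za/
https://verified-docs[.]com/
"""

# File extensions Windows treats as executable even when the link text claims a
# document; the advisory's lure delivered "bank_statement.scr". Assumed list.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd",
                         ".js", ".vbs", ".hta", ".msi"}

# Constructed proxy log: timestamp, user, method, URL, HTTP status.
SAMPLE_PROXY_LOG = """\
2023-06-15T09:12:03Z alice GET https://bank.verified-docs.org.za/Bank_statement.pdf 200
2023-06-15T09:12:41Z alice GET https://drive.google.com/file/d/EXAMPLE/view 200
2023-06-15T09:13:10Z bob GET https://cdn.example-files.test/dl/bank_statement.scr 200
2023-06-15T09:14:00Z carol GET https://www.example.com/ 200
2023-06-15T09:15:22Z dave GET https://preview.statements.sign-docs.co.za/preview 200
"""

LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})\s*$")


def refang(indicator):
    """Turn a defanged indicator ('[.]', 'hxxp') back into a real URL or host."""
    return (indicator.strip().replace("[.]", ".")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def ioc_hostnames(defanged_list):
    """Lower-cased set of hostnames from a newline-separated defanged list."""
    hosts = set()
    for line in defanged_list.splitlines():
        if not line.strip():
            continue
        url = refang(line)
        if "://" not in url:
            url = "//" + url  # urlsplit only sees a netloc after '//'
        host = urlsplit(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def host_matches(host, ioc_hosts):
    """True for an exact IoC host or any subdomain of one."""
    host = host.lower()
    return host in ioc_hosts or any(host.endswith("." + h) for h in ioc_hosts)


def download_extension(url):
    """Extension of the URL path (lower-cased), or '' if there is none."""
    match = re.search(r"(\.[a-z0-9]{1,4})$", urlsplit(url).path.lower())
    return match.group(1) if match else ""


def triage_proxy_log(log_text, ioc_hosts):
    """Return a list of hits, each with the user, host, URL and reasons flagged."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            continue  # skip lines that do not fit the constructed format
        ts, user, _method, url, _status = match.groups()
        host = urlsplit(url).hostname or ""
        reasons = []
        if host_matches(host, ioc_hosts):
            reasons.append("advisory IoC host")
        ext = download_extension(url)
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append("executable download (%s)" % ext)
        if reasons:
            hits.append({"time": ts, "user": user, "host": host,
                         "url": url, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage_proxy_log(SAMPLE_PROXY_LOG, ioc_hostnames(ADVISORY_IOCS)):
        print(hit["time"], hit["user"], hit["host"], "; ".join(hit["reasons"]))
```

Subdomain matching is deliberate: the advisory's hosts share a handful of parent names (verified-docs, sign-docs, sign-documents, cert-docs, my-sign-docs), so a previously unseen label under one of them is still worth a look. The extension check is independent of the indicator list and catches the ".scr"-disguised-as-PDF pattern even when the hosting domain changes.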
While antivirus providers on VirusTotal only detect it as a generic information-stealer, Recorded Future's Triage detected it as the Vidar information-stealing malware. Vidar is an information-stealing trojan that can steal browser cookies, browser history, saved passwords, cryptocurrency wallets, text files, Authy 2FA databases, and screenshots of the active Windows screen.

This information will then be uploaded to a remote server so the attackers can collect it. After sending the data, the collection of files will be removed from the infected machine, leaving behind a directory full of empty folders. Once the threat actors receive the stolen information, they either sell the credentials to other threat actors or use them to breach accounts used by the victim. 

Remediation 

Be wary of phishing emails and scams demanding refunds and including suspicious links or attachments. If you believe you were impacted by this malware distribution campaign, it is vital that you scan your computer for malware immediately and remove anything malicious in nature that is found. 

To prevent further attacks, passwords on all accounts must be changed, especially those associated with your online commerce sites, bank accounts, and email addresses. 

Finally, thoroughly investigate your eCommerce site to check for source code injected into HTML templates, new accounts with elevated privileges, or modifications to the site's source code.
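The following script is an added example, not part of the CIRT advisory, showing one way to carry out the three checks above on a storefront: it compares template files against a hash baseline taken before the incident, flags script tags that load from hosts outside the shop's allowlist or contain obfuscated inline code, and lists admin-role accounts that were not present at the last audit. The template contents, the allowlist of script hosts, the baseline manifest and the account lists are all constructed assumptions; the injected script host and base64 string are placeholders, not a real payload.

```python
"""Post-incident checks for an eCommerce site: template integrity, injected
scripts and unexpected admin accounts.

Added example, not part of the advisory. All inputs below are constructed.
"""
import hashlib
import re
from urllib.parse import urlsplit

# Hosts the shop legitimately loads scripts from (assumed, site-specific).
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.shop.example", "js.stripe.com"}

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
# Traits common in injected skimmer code: decode-and-run calls or long base64 runs.
SUSPICIOUS_INLINE = re.compile(r"atob\(|fromCharCode|eval\(|[A-Za-z0-9+/]{80,}={0,2}")

# Constructed known-good checkout template, as it looked when the baseline was taken.
CLEAN_CHECKOUT = """<html><head>
<script src="https://js.stripe.com/v3/"></script>
<script src="/static/checkout.js"></script>
</head><body><form id="checkout"></form></body></html>
"""

# Constructed copy of the same template after an injection: one extra external
# script and one inline blob. Placeholder host and base64 ("CONSTRUCTED_PLACEHOLDER").
TAMPERED_CHECKOUT = CLEAN_CHECKOUT.replace(
    "</head>",
    '<script src="https://static.unlisted-host.test/analytics.js"></script>\n'
    '<script>eval(atob("Q09OU1RSVUNURURfUExBQ0VIT0xERVI="));</script>\n</head>',
)

# Constructed admin-role account lists: last audit versus current user table.
BASELINE_ADMINS = {"owner@shop.example", "ops@shop.example"}
CURRENT_ADMINS = {"owner@shop.example", "ops@shop.example", "support-tmp@webmail.test"}


def sha256_text(text):
    """SHA-256 hex digest of a template's contents."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_baseline(files):
    """Map each template path to its hash; run this on a known-good copy."""
    return {path: sha256_text(content) for path, content in files.items()}


def diff_against_baseline(files, baseline):
    """Report templates that changed, appeared or disappeared since the baseline."""
    changed = sorted(p for p in files if p in baseline and sha256_text(files[p]) != baseline[p])
    added = sorted(p for p in files if p not in baseline)
    missing = sorted(p for p in baseline if p not in files)
    return {"changed": changed, "added": added, "missing": missing}


def find_injected_scripts(html):
    """List (reason, detail) pairs for script tags that warrant review.

    Relative src values (same origin) are not flagged; only third-party hosts
    outside the allowlist and inline bodies matching SUSPICIOUS_INLINE are.
    """
    findings = []
    for attrs, body in SCRIPT_TAG.findall(html):
        src = SRC_ATTR.search(attrs)
        if src:
            host = urlsplit(src.group(1)).hostname
            if host and host.lower() not in ALLOWED_SCRIPT_HOSTS:
                findings.append(("external script from unlisted host", host))
        elif SUSPICIOUS_INLINE.search(body):
            findings.append(("suspicious inline script", body.strip()[:60]))
    return findings


def unexpected_admins(current, baseline):
    """Admin accounts present now that were not in the audited baseline."""
    return sorted(set(current) - set(baseline))


if __name__ == "__main__":
    baseline = build_baseline({"templates/checkout.html": CLEAN_CHECKOUT})
    now = {"templates/checkout.html": TAMPERED_CHECKOUT,
           "templates/footer.html": "<footer></footer>"}
    print("file changes:", diff_against_baseline(now, baseline))
    for reason, detail in find_injected_scripts(TAMPERED_CHECKOUT):
        print("script finding:", reason, "->", detail)
    print("unexpected admins:", unexpected_admins(CURRENT_ADMINS, BASELINE_ADMINS))
```

The hash baseline is the strongest of the three checks but only works if it was captured from a known-good copy (a fresh deployment from version control, for instance); the script heuristics are a fallback for sites without one and will need tuning to the shop's own third-party tags.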

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary. 
