GoKawiilThe Australian Cyber Security Center (ACSC) is warning organizations of an ongoing malware campaign using the ClickFix social engineering technique to distribute the Vidar Stealer info-stealing malware.
ClickFix is a social engineering attack technique that tricks users into executing malicious commands, usually through fake CAPTCHA or browser verification prompts displayed on compromised or malicious websites.
The attack typically tricks users into executing PowerShell commands to bypass security controls and deliver malware, typically info-stealers.
Australian organizations and infrastructure entities are being targeted in attacks that involve compromised WordPress websites that redirect to malicious payloads.
Users visiting these websites are shown a fake Cloudflare verification or CAPTCHA prompt that instructs them to copy and manually execute a malicious PowerShell command on their system, which leads to a Vidar Stealer infection.
“The Australian Signals Directorate’s Australian Cyber Security Center (ASD's ACSC) has observed ClickFix-associated activity leveraging WordPress-hosted infrastructure to distribute the Vidar Stealer malware,” reads the agency's advisory.
Vidar Stealer is an information-stealing malware family and malware-as-a-service (MaaS) operation that emerged in late 2018.
It gradually became a popular choice among cybercriminals for its cost-effectiveness, ease of deployment, and broad data theft capabilities. It targets browser passwords, cookies, cryptocurrency wallets, autofill information, and system details.
It has been observed in ClickFix attacks, promoted through Windows fixes, TikTok videos, and GitHub. Last year, the developer released a new version with upgraded capabilities.
ACSC notes that Vidar deletes its executable after launching on the infected device and then operates from system memory, reducing forensic artifacts.
... continue reading