Vidar Infostealer Adopts Fileless Techniques Using JPEG and TXT Payloads
Severity: High (Score: 71.0)
Sources: Cybersecuritynews, Scworld, hackread.com, Socprime
Summary
The Vidar infostealer has evolved into a multi-stage attack framework that relies on fileless techniques to evade detection. Operators embed payloads in JPEG images and TXT documents and lure victims with fake GitHub repositories and compromised WordPress sites. Once a victim runs the lure, the chain proceeds through a VBScript loader and PowerShell stages, using living-off-the-land binaries such as WScript and RegAsm.exe for execution, with later stages decoded and run in memory rather than written to disk. The campaign harvests credentials and cryptocurrency wallet data, including data from more than 200 browser extensions, and exfiltrates it via Telegram and Cloudflare-fronted domains.

Researchers who documented the infection chain highlight the steganographic hiding of payloads in image files and the in-memory execution that defeats file-based scanning. Defenders are advised to monitor script-host and PowerShell activity that reads JPEG or TXT files and hands off to binaries such as RegAsm.exe, and to favour behaviour-based detection over file-type or signature matching.

Key Points:
• Vidar now stages its payloads in JPEG and TXT files for stealthy, fileless execution.
• The malware targets credentials and cryptocurrency wallets, including data from over 200 browser extensions.
• Social engineering (fake GitHub repositories, compromised WordPress sites) is used to get victims to run the initial script.
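The behaviour-based detection the summary recommends can be expressed as a few process-creation rules plus a parent-chain correlation. The block below is an added example written for this page, not code from any of the cited reports or vendors. It runs over constructed Sysmon-Event-1-like records (hypothetical user, paths and pids) and encodes the chain the summary names: a script host (WScript) spawning PowerShell, PowerShell reading a .jpg/.txt and decoding it in memory, and RegAsm.exe launched from a scripting parent. The indicator regexes and the parent/child pairings are the author's assumptions and should be tuned to the environment; the ATT&CK IDs attached to each rule are the ones listed under Key Entities.

```python
"""Heuristic detection for the Vidar-style chain described above (added example).

Sample telemetry is CONSTRUCTED; indicator lists and parent/child pairings are
the author's assumptions chosen to match the TTPs the summary names.
"""
import re
from dataclasses import dataclass

# File types the report says carry the payload.
PAYLOAD_FILE_EXT = re.compile(r"\.(jpe?g|txt)\b", re.IGNORECASE)

# PowerShell idioms for decoding and running code in memory (assumed list; tune it).
INMEM_INDICATORS = re.compile(
    r"(Invoke-Expression|\bIEX\b|FromBase64String|Add-Type|"
    r"Reflection\.Assembly|-(EncodedCommand|enc|e)\b)",
    re.IGNORECASE,
)

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str  # ATT&CK ID taken from the page's entity list
    pid: int
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Apply the per-event rules to one process-creation record."""
    img = basename(event["image"])
    parent = basename(event["parent_image"])
    cmd = event.get("command_line", "")
    pid = event["pid"]
    out = []
    # Rule 1: VBScript loader (wscript/cscript) handing off to PowerShell.
    if img in POWERSHELL and parent in SCRIPT_HOSTS:
        out.append(Finding("wscript_spawns_powershell", "T1059.001", pid, f"{parent} -> {img}"))
    # Rule 2: PowerShell touching a .jpg/.txt and decoding or executing in memory.
    if img in POWERSHELL and PAYLOAD_FILE_EXT.search(cmd) and INMEM_INDICATORS.search(cmd):
        out.append(Finding("ps_decode_payload_file", "T1027", pid, cmd[:120]))
    # Rule 3: RegAsm.exe launched by a script host or PowerShell instead of a
    # build/installer tool (LOLBin execution stage; T1055 is listed for the campaign).
    if img == "regasm.exe" and parent in SCRIPT_HOSTS | POWERSHELL:
        out.append(Finding("lolbin_regasm_from_script", "T1055", pid, f"{parent} -> {img}"))
    return out


def ancestors(event: dict, by_pid: dict, max_depth: int = 5) -> list:
    """Image basenames of the parent chain, nearest first, bounded by max_depth."""
    names, cur = [], event
    for _ in range(max_depth):
        cur = by_pid.get(cur["ppid"])
        if cur is None:
            break
        names.append(basename(cur["image"]))
    return names


def scan(events: list) -> list:
    """Run per-event rules, then correlate the full WScript -> PowerShell -> RegAsm chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        hits = evaluate(e)
        findings.extend(hits)
        if any(h.rule == "lolbin_regasm_from_script" for h in hits):
            chain = ancestors(e, by_pid)
            if (set(chain) & POWERSHELL) and (set(chain) & SCRIPT_HOSTS):
                findings.append(Finding("full_chain", "T1059.001", e["pid"],
                                        " <- ".join([basename(e["image"])] + chain)))
    return findings


# CONSTRUCTED sample telemetry: hypothetical user "alice", paths and pids.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe", "command_line": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"wscript.exe C:\Users\alice\Downloads\script.vbs"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'powershell.exe -w hidden -c "$b=Get-Content C:\Users\alice\AppData\Local\Temp\image.jpg -Raw; '
                     r'IEX([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b)))"'},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "command_line": "RegAsm.exe"},
    # Benign: a build tool registering an assembly, and an admin grepping a log file.
    {"pid": 500, "ppid": 100, "image": r"C:\Program Files\dotnet\MSBuild.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "MSBuild.exe app.csproj"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent_image": r"C:\Program Files\dotnet\MSBuild.exe", "command_line": "RegAsm.exe app.dll"},
    {"pid": 700, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'powershell.exe -NoProfile -Command "Get-Content C:\logs\app.txt | Select-String ERROR"'},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.rule} pid={f.pid}: {f.detail}")
```

The per-event rules are deliberately narrow so that a lone RegAsm.exe from MSBuild or a PowerShell one-liner that merely reads a .txt does not alert; the `full_chain` correlation is what turns three medium-confidence hits into a high-confidence one, which is the behaviour-based approach the summary calls for instead of matching on file type alone.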
Key Entities
- Malware (attack_type)
- Vidar (malware)
- T1027 - Obfuscated Files Or Information (mitre_attack)
- T1041 - Exfiltration Over C2 Channel (mitre_attack)
- T1053 - Scheduled Task/Job (mitre_attack)
- T1055 - Process Injection (mitre_attack)
- T1059.001 - PowerShell (mitre_attack)
- Windows (platform)
- PowerShell (tool)
- RegAsm.exe (tool)
- VBScript (tool)
- WScript (tool)