An attack discovered in May 2024 used a fake KMSPico activator tool to deliver Vidar Stealer. The chain began with a web search for KMSPico that led the user to a website hosted behind Cloudflare Turnstile, which required human interaction before a ZIP file containing the malicious payload could be downloaded.
The downloaded tool then used Java dependencies and a malicious AutoIt script to disable Windows Defender and decrypt the Vidar payload. The unusual steps taken by the website, such as requiring human input, suggest an attempt to evade automated scanners.
The ZIP archive was found to contain Java dependencies as well as a malicious executable called Setuper_KMS-ACTIV.exe.
When launched, the executable runs javaw.exe to disable Windows Defender behavior monitoring and drops two malicious AutoIt scripts ("x" and "Flour.pif") containing an encrypted Vidar payload, which is injected into the currently running AutoIt process.
A malicious AutoIt script uses shellcode to decrypt the Vidar payload with the RC4 algorithm and a hardcoded key.
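The RC4 step above is what an analyst reproduces when carving the encrypted payload out of the AutoIt script. The following is an added example, not code from the article or from eSentire: it implements RC4 and validates a candidate key by checking whether the decrypted blob starts with a PE "MZ" header. The key, the fake PE stub and the ciphertext are constructed here for demonstration and are not values from the real sample.

```python
# Added example (not from the article): RC4 decryption as applied during triage
# of a payload blob carved from an AutoIt script. A candidate key is accepted
# only if the decrypted output looks like a PE file. All values are constructed.

def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same routine encrypts and decrypts."""
    # Key-scheduling algorithm (KSA): permute the state array using the key.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA): XOR the keystream into the data.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap triage check: a correctly decrypted payload usually starts with 'MZ'."""
    return blob[:2] == b"MZ"


def try_keys(candidates, blob: bytes):
    """Return the first candidate key whose decryption yields a PE header, else None."""
    for key in candidates:
        if looks_like_pe(rc4_crypt(key, blob)):
            return key
    return None


# Constructed stand-in for the carved blob: a fake PE stub encrypted under a constructed key.
DEMO_KEY = b"constructed-demo-key"
DEMO_PLAINTEXT = b"MZ\x90\x00" + b"\x00" * 60  # fake PE header, not real malware
DEMO_BLOB = rc4_crypt(DEMO_KEY, DEMO_PLAINTEXT)

if __name__ == "__main__":
    recovered = try_keys([b"wrong-guess", DEMO_KEY], DEMO_BLOB)
    print("key recovered:", recovered)
```

In practice the candidate list would be filled with strings recovered from the deobfuscated script rather than the constructed key used here.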
The key is obfuscated within the script itself. To conceal its C2 infrastructure, the malware uses Telegram as a Dead Drop Resolver (DDR) to store the C2 IP address.
By embedding obfuscated C2 information in Telegram content, the attacker conceals the communication channel between the malware and its command-and-control server.
Malware can be disguised as legitimate applications (especially greyware piracy tools) found through web searches. This highlights several key security practices: users should avoid unlicensed software activators and obtain software only from trusted sources.
Additionally, keeping security software updated and implementing additional security layers is crucial to defending against attacks that exploit software vulnerabilities and disable security software.
According to eSentire, user awareness and education about the dangers of downloading from untrusted sources are essential to preventing drive-by download attacks.