Online sellers targeted by new information-stealing malware campaign

Online sellers are targeted in a new campaign to push the Vidar information-stealing malware, allowing threat actors to steal credentials for more damaging attacks.

The new campaign launched this week, with threat actors sending complaints to online store admins through email and website contact forms.

These emails pretend to be from a customer of an online store who had $550 deducted from their bank account after an alleged order did not properly go through.

BleepingComputer received one of these emails this week and, after researching the attack, has found it widespread with many submissions to VirusTotal over the past week.

Targeting online sellers

Online sellers are a juicy target for threat actors, as obtaining credentials for the backend of an eCommerce site opens the door to several types of attack.

For example, once a threat actor gains access to an online store’s admin backend, they can inject malicious JavaScript to perform MageCart attacks, in which the injected code steals customers’ credit card and personal information during checkout.

Backend access can also be used to steal a site’s customer information by generating backups of the store’s database, which can then be used to extort the victim: pay a ransom, or the data will be publicly leaked or sold to other threat actors.

Earlier this week, BleepingComputer received an email pretending to be from a customer who was charged $550, even though an order did not properly go through, which is displayed below.

Enclosed in the above email is a link to the alleged bank statement, shortened to hide the original link.

The email is written to impart a sense of urgency, demanding the retailer issue a refund and investigate the root cause of the problem.

When clicking on the URL, targets will be shown a website that pretends to be Google Drive. In BleepingComputer’s tests, this fake Google Drive will either display a bank statement or prompt the user to download the bank statement.

Domains believed to be associated with this campaign are:

If the site displays the bank statement, it shows a sample bank statement from Commerce Bank that uses example data, such as the customer name “Jane Customer” at “Anywhere Dr.”

Phishing email pushing fake bank statement
Source: BleepingComputer

In other tests, the site instead displayed a fake Google Drive page stating that a preview is unavailable and prompting the user to download ‘Bank_statement.pdf’. Doing so actually downloads an executable named ‘bank_statement.scr’.
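The masquerade described above (a file offered as a PDF bank statement that is really a Windows executable) is cheap to catch before a user double-clicks it. The following helper is an added example written for this article, not code from BleepingComputer or from the campaign; it inspects a download's magic bytes and extension and flags the mismatches this campaign relies on. The file names and byte strings used below are constructed samples, and the executable-extension list is an assumption of the example, not a complete one.

```python
"""Flag downloads whose claimed document type does not match their content.

Intended for an intake gateway, mail filter or help-desk triage script:
given the file name and the first bytes of the file, report whether the
file is (or is disguised as) a Windows executable.
"""
from __future__ import annotations

from pathlib import PureWindowsPath

# Extensions Windows executes directly when double-clicked (assumption: a
# starting list for the example, not an exhaustive one).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".msi", ".dll", ".cpl"}

# File-type signatures checked against the start of the file.
MAGIC = {
    b"MZ": "pe",            # Windows PE image: .exe, .scr, .dll ...
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",   # also the container for docx/xlsx
    b"\x7fELF": "elf",
}


def sniff_type(data: bytes) -> str:
    """Return the file type implied by the leading bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def all_suffixes(name: str) -> list[str]:
    """Lower-cased suffixes of a Windows-style file name, e.g. ['.pdf', '.scr']."""
    return [s.lower() for s in PureWindowsPath(name).suffixes]


def assess_download(name: str, data: bytes) -> dict:
    """Compare the name's extension with the sniffed content type."""
    kind = sniff_type(data)
    suffixes = all_suffixes(name)
    ext = suffixes[-1] if suffixes else ""
    reasons: list[str] = []
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
    if kind == "pe" and ext not in EXECUTABLE_EXTS:
        reasons.append(f"PE executable disguised as {ext or 'no extension'}")
    if ext == ".pdf" and kind != "pdf":
        reasons.append("claims PDF but PDF header missing")
    if len(suffixes) > 1:
        reasons.append(f"double extension {''.join(suffixes)}")
    return {"name": name, "sniffed": kind, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed samples: a PE header with the campaign's file name, and a
    # genuine PDF header for comparison.
    for fname, head in [
        ("bank_statement.scr", b"MZ\x90\x00\x03\x00\x00\x00"),
        ("Bank_statement.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),
        ("Bank_statement.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    ]:
        print(assess_download(fname, head))
```

Only the first few bytes of the file are needed, so the check can run on a partial read or on the header captured by a proxy; when the name and the content disagree, quarantine the file rather than relying on the icon Windows shows for it.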

Fake Google Drive site pushing bank_statement.scr
Source: BleepingComputer

While the antivirus providers on VirusTotal only detect it as a generic information-stealer, Recorded Future’s Triage detected it as the Vidar information-stealing malware.

Vidar is an information-stealing trojan that can steal browser cookies, browser history, saved passwords, cryptocurrency wallets, text files, Authy 2FA databases, and screenshots of the active Windows screen.

This information is then uploaded to a remote server for the attackers to collect. Once the data has been sent, the collected files are deleted from the infected machine, leaving behind a directory full of empty folders.

Once the threat actors receive the stolen information, they either sell the credentials to other threat actors or use them to breach accounts used by the victim.

If you received similar emails and believe you were impacted by this malware distribution campaign, it is vital that you scan your computer for malware immediately and remove anything that is found.

To prevent further attacks, you should change the passwords on all your accounts, especially those associated with your online commerce sites, bank accounts, and email addresses.

Finally, thoroughly investigate your eCommerce site for source code injected into HTML templates, new accounts with elevated privileges, or other modifications to the site’s source code.
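The template audit recommended above can be partly automated. The script below is an added example, not code from BleepingComputer or from any store platform: it parses each HTML template for `<script>` tags, flags external scripts loaded from hosts outside an allowlist and inline scripts that use common obfuscation primitives, and diffs a SHA-256 manifest of the templates against a known-good snapshot so that any changed, added or removed file stands out. The allowlisted hosts, the template contents and the obfuscation keyword list are constructed assumptions for the example.

```python
"""Audit store HTML templates for injected scripts and unexpected changes.

Check 1: every <script src> must point at an allowlisted host (relative
         paths are treated as same-origin), and inline scripts must not use
         obfuscation helpers such as eval/atob.
Check 2: a SHA-256 manifest diff against the last known-good snapshot.
"""
from __future__ import annotations

import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts the store legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.shop.example"}
# Assumption: primitives rarely seen in hand-written storefront code.
OBFUSCATION_HINTS = ("eval(", "atob(", "unescape(", "fromCharCode", "document.write(")


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a template."""

    def __init__(self) -> None:
        super().__init__()
        self.external: list[str] = []
        self.inline: list[str] = []
        self._in_script = False
        self._buf: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def audit_template(name: str, text: str, allowed_hosts=ALLOWED_SCRIPT_HOSTS) -> list[tuple]:
    """Return (template, finding-kind, detail) tuples for one template."""
    parser = ScriptCollector()
    parser.feed(text)
    parser.close()
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname  # None for relative, same-origin paths
        if host is not None and host.lower() not in allowed_hosts:
            findings.append((name, "external-script", src))
    for body in parser.inline:
        hits = [h for h in OBFUSCATION_HINTS if h in body]
        if hits:
            findings.append((name, "inline-obfuscation", ",".join(hits)))
    return findings


def manifest(files: dict[str, str]) -> dict[str, str]:
    """SHA-256 of each template, keyed by file name."""
    return {n: hashlib.sha256(c.encode()).hexdigest() for n, c in files.items()}


def diff_manifest(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Names of templates that changed, appeared or disappeared since baseline."""
    return {
        "changed": sorted(n for n in current if n in baseline and baseline[n] != current[n]),
        "added": sorted(n for n in current if n not in baseline),
        "removed": sorted(n for n in baseline if n not in current),
    }


# Constructed samples: a clean checkout template and the same template after
# an injection (an off-site loader plus an obfuscated inline payload).
CLEAN_CHECKOUT = """<html><head>
<script src="https://cdn.shop.example/app.js"></script>
<script src="/static/checkout.js"></script>
<script>window.dataLayer = [];</script>
</head><body><form id="checkout"></form></body></html>"""

INJECTED_CHECKOUT = CLEAN_CHECKOUT.replace(
    "</head>",
    '<script src="//cdn-assets.invalid/tracker.js"></script>\n'
    '<script>eval(atob("dmFyIHg9MTs="));</script>\n</head>',
)

BASELINE_FILES = {"checkout.html": CLEAN_CHECKOUT, "index.html": "<html></html>"}
CURRENT_FILES = {"checkout.html": INJECTED_CHECKOUT, "index.html": "<html></html>"}


def audit_site(files: dict[str, str]) -> list[tuple]:
    """Run the script audit over every template of a site."""
    return [f for name, text in sorted(files.items()) for f in audit_template(name, text)]


if __name__ == "__main__":
    for finding in audit_site(CURRENT_FILES):
        print("FINDING", finding)
    print("MANIFEST", diff_manifest(manifest(BASELINE_FILES), manifest(CURRENT_FILES)))
```

Run the manifest check against a snapshot taken from version control or a pre-incident backup rather than from the live server, and review every flagged template by hand: an allowlist only catches loaders that point off-site, so a payload dropped directly into an inline script without the listed primitives still depends on the hash diff to surface it.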
