UNIT 42 researchers from Palo Alto Networks have uncovered a financially motivated malware campaign primarily utilizing the Vidar Stealer and XMRig cryptocurrency miner. Attackers leverage malvertising techniques to lure victims into downloading fake versions of software, infecting them with the malware that targets sensitive data and engages in cryptocurrency mining.
Key findings include the use of a 'malware-as-a-service' (MaaS) approach, the fraudulent use of code-signing certificates, and anti-detection techniques such as file inflation and Memory Antimalware Scan Interface (AMSI) bypasses. The campaign demonstrates rapid adaptation by malware authors, as seen with the transition to unauthorized certificates in subsequent variants.
Recommendations for organizations include enhancing code-signing validation, monitoring for persistence indicators, and blocking known command-and-control servers.