Cybercriminals and other attackers know very well how to pick the best moments to go after our computers. It is very common that when a popular piece of software launches a new version, they take the opportunity to try to "sneak in" a fake version that includes malware to infect our computer. In recent weeks we have been seeing a lot of these attempts around Windows 11, and unfortunately a new one has emerged.
Microsoft announced the new version of its operating system with great fanfare, and it comes with a good number of improvements, both visually and in terms of performance. The best thing about this update is that it is completely free for owners of the previous version, so practically the only thing we need in order to install Windows 11 is to meet its minimum requirements. This ease of access is perhaps one of the biggest openings for attackers, as it makes it easy for them to create opportunities to infect computers.
Be very careful when downloading Windows 11
As you probably already know, Microsoft makes a website available to all users so that we can comfortably download what is needed to install Windows 11 on our computer. This page gives us three options so that we can choose the one that suits us best: an installation wizard, a tool to create installation media, or an ISO image of Windows 11.
It is precisely this last type of file that is being abused in the latest attempt, discovered by the security firm Zscaler. According to the firm, a series of unauthorized distribution domains has been detected whose names are very similar to Microsoft's own but which obviously have nothing to do with it. Some of these domains were the following: ms-win11[.]com, win11-serv[.]com, win11install[.]com and ms-teams-app[.]com.
These domains offered an ISO file for download which contained an executable of considerable size (specifically 300 MB). The size of this file is an attempt to prevent our computer's security solutions from identifying it as malicious software, and it is also signed with an expired Avast code-signing certificate, probably stolen. This ISO file contains the malware known as Vidar, which can have terrible consequences for us.
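The lookalike domains above are exactly the kind of indicator a defender can sweep proxy or DNS logs for. The following script is an added example, not code from the article or from Zscaler: it parses a few constructed proxy log lines, flags the four domains named in the report as known-bad, applies a simple branding heuristic to catch similar registrations, and notes any `.iso` fetched from a host outside `microsoft.com`. The allowlist, the log format and the `.example` host are assumptions made for the demonstration.

```python
"""Flag Windows 11 lookalike download hosts in proxy logs (added example).

The four known-bad domains are the ones named in the Zscaler report quoted
in the article (shown there de-fanged with "[.]"). Everything else here,
including the allowlist and the sample log lines, is constructed.
"""
import re
from urllib.parse import urlparse

# Domains named in the Zscaler report (re-fanged for matching).
KNOWN_BAD_DOMAINS = {
    "ms-win11.com",
    "win11-serv.com",
    "win11install.com",
    "ms-teams-app.com",
}

# Hypothetical allowlist (assumption): any *.microsoft.com host, plus the
# apex, is treated as an official source of Windows 11 media.
OFFICIAL_SUFFIX = ".microsoft.com"
OFFICIAL_HOSTS = {"microsoft.com"}

# Brand tokens that a lookalike registration is likely to carry.
LOOKALIKE_TOKENS = ("win11", "windows11", "windows-11", "ms-", "microsoft")

# Constructed proxy log format: timestamp client method url status bytes
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
    r"(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)


def is_official(host: str) -> bool:
    host = host.lower()
    return host in OFFICIAL_HOSTS or host.endswith(OFFICIAL_SUFFIX)


def is_lookalike(host: str) -> bool:
    """True for a non-Microsoft host that borrows Windows/Microsoft branding."""
    host = host.lower()
    if is_official(host):
        return False
    return any(tok in host for tok in LOOKALIKE_TOKENS)


def analyse(lines):
    """Return one finding per suspicious request, in log order."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        parsed = urlparse(m["url"])
        host = (parsed.hostname or "").lower()
        path = parsed.path.lower()
        reasons = []
        if host in KNOWN_BAD_DOMAINS:
            reasons.append("known-bad domain (Zscaler report)")
        elif is_lookalike(host):
            reasons.append("lookalike of a Microsoft download host")
        if path.endswith(".iso") and not is_official(host):
            reasons.append(".iso fetched from a non-Microsoft host")
        if reasons:
            findings.append({
                "client": m["client"],
                "host": host,
                "bytes": int(m["bytes"]),
                "reasons": reasons,
            })
    return findings


# Constructed sample lines; hosts other than the four above are made up.
SAMPLE_LOG = [
    "2022-05-10T09:12:01Z 10.0.0.5 GET https://ms-win11.com/Windows11.iso 200 314572800",
    "2022-05-10T09:13:44Z 10.0.0.7 GET https://www.microsoft.com/en-us/software-download/windows11 200 48211",
    "2022-05-10T09:15:02Z 10.0.0.9 GET https://win11-upgrade-free.example/setup.exe 200 1048576",
    "2022-05-10T09:16:30Z 10.0.0.3 GET https://software-download.microsoft.com/Win11_x64.iso 200 5600000000",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['client']} -> {f['host']} ({f['bytes']} bytes): {', '.join(f['reasons'])}")
```

The token heuristic is deliberately loose (it will fire on benign third-party sites that mention "win11"), so it is suited to triage rather than automatic blocking; the exact-match list is the part worth feeding into a blocklist.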
A widely used malware
As we said, this ISO file contains Vidar, a Trojan capable of stealing all kinds of personal data from our computer without us noticing. It establishes connections to a remote command-and-control (C2) server to retrieve legitimate DLL files such as sqlite3.dll and vcruntime140.dll, and then diverts valuable system data to a location of its operators' choosing.
In the last month, several more attempts to distribute this malware through other channels have been seen. This is why we must always be very careful when downloading any type of software, always choosing an official route. This is how Zscaler puts it:
Cybercriminals distributing Vidar malware have proven their ability to socially trick victims into installing the Trojan using themes related to the latest popular software applications. As always, users should be cautious when downloading software applications from the Internet and download software only from the official websites of the providers.