Online sellers targeted by new information-stealing malware campaign

Online sellers are targeted in a new campaign to push the Vidar information-stealing malware, allowing threat actors to steal credentials for more damaging attacks.

The new campaign launched this week, with threat actors sending complaints to online store admins through email and website contact forms.

These emails pretend to be from a customer of an online store who had $550 deducted from their bank account after an alleged order did not properly go through.

BleepingComputer received one of these emails this week and, after researching the attack, has found it widespread with many submissions to VirusTotal over the past week.

Targeting online sellers

Online sellers are a juicy target for threat actors as gaining credentials to the backend of eCommerce sites allows for various attack types.

For example, once a threat actor gains access to an online store's admin backend, they can inject malicious JavaScript scripts to perform MageCart attacks, which is when the code steals customers' credit cards and personal information of customers during checkout.

Backend access can also be used to steal a site's customer information by generating backups for the store's database, which can be used to extort victims, threatening they must pay a ransom or the data would be publicly leaked or sold to other threat actors.

Earlier this week, BleepingComputer received an email pretending to be from a customer who was charged $550, even though an order did not properly go through, which is displayed below.

"I'm writing to convey my deep concern and disappointment regarding a recent transaction I made on your web-site. 
On May 14, 2023, I placed a purchase for items well worth over $550 from your shop. 
However, a substantial problem has arisen that needs your immediate attention.
Right after i have completed the purchase, I encountered error signal on your webpage, stating it was not able to make the payment and that simply no finances were taken from my bank card. 
To my surprise, upon reviewing my bank account, I discovered that the payment had indeed been executed and the identical amount was withdrawn.
I urge you to handle this issue with the maximum urgency and fix the problem quickly. 
It is essential that you analyze the cause of this discrepancy and take immediate actions to return the subtracted amount of money.
For your review and as proof of the purchase, I've provided a copy of my bank statement below, which obviously displays the withdrawal of funds.
This should act as final proof of the payment and highlight the urgency of the complete refund.
I will genuinely value your immediate actions.
Here is the hyperlink to my statement https://bit.ly/xxxx"
 

Enclosed in the above email is a bit.ly link to the alleged bank statement, shortened to hide the original link.

The email is written to impart a sense of urgency, demanding the retailer issue a refund and investigate the root cause of the problem.

When clicking on the URL, targets will be shown a website that pretends to be Google Drive. In BleepingComputer's tests, this fake Google Drive will either display a bank statement or prompt the user to download the bank statement.

Domains believed to be associated with this campaign are:

http://bank.verified-docs.org[.]za/
http://chase.sign-docs.org[.]za/
http://documents.cert-docs.net[.]za/
http://documents.verified-docs[.]com/
https://bank.cert-docs.net[.]za
https://bank.my-sign-docs[.]com
https://bank.sign-documents[.]net.za
https://bank.sign-documents[.]org.za
https://bank.verified-docs[.]net.za
https://bank.verified-docs[.]org.za
https://bank.verified-docs[.]site
https://chase.cert-docs.co[.]za
https://chase.my-sign-docs[.]org
https://chase.sign-docs.net[.]za
https://chase.sign-docs.org[.]za
https://chase.sign-documents.co[.]za
https://chase.sign-documents.org[.]za
https://documents.cert-docs.co[.]za
https://documents.my-sign-docs[.]org
https://documents.sign-docs.co[.]za
https://documents.verified-docs.org[.]za
https://sign-documents.net[.]za/
https://statements.my-sign-docs.net[.]za/
https://statements.sign-docs.co[.]za/
https://statements.sign-documents.co[.]za/
https://statements.sign-documents.net[.]za/
https://statements.sign-documents.org[.]za/
https://statements.verified-docs.org[.]za/
https://verified-docs[.]com/

If the site displays the bank statement, it shows a sample bank statement from Commerce Bank that uses example data, such as the customer name "Jane Customer" at "Anywhere Dr."

However, other tests would display a fake Google Drive page that says a preview is unavailable and prompts the user to download the 'Bank_statement.pdf'. However, doing so will actually download an executable named 'bank_statement.scr'.

While the antivirus providers on VirusTotal only detect it as a generic information-stealer, Recorded Future's Triage detected it as the Vidar information-stealing malware.

Vidar is an information-stealing trojan that can steal browser cookies, browser history, saved passwords, cryptocurrency wallets, text files, Authy 2FA databases, and screenshots of the active Windows screen.

This information will then be uploaded to a remote server so the attackers can collect it. After sending the data, the collection of files will be removed from the infected machine, leaving behind a directory full of empty folders.

Once the threat actors receive the stolen information, they either sell the credentials to other threat actors or use them to breach accounts used by the victim.

If you received similar emails and believe you were impacted by this malware distribution campaign, it is vital that you scan your computer for malware immediately and remove anything that is found.

To prevent further attacks, You should change your password on all your accounts, especially those associated with your online commerce sites, bank accounts, and email addresses.

Finally, thoroughly investigate your eCommerce site to check for injected source code into HTML templates, new accounts with elevated privileges, or modifications to the site's source code.