The Australian Cyber Security Centre has issued an alert about an active campaign distributing Vidar Stealer malware through compromised WordPress sites and social engineering tactics. The May 7 warning describes attacks targeting infrastructure and organizations across multiple sectors in Australia, using a technique called ClickFix to bypass conventional security defenses.
Vidar Stealer is an information-stealing malware that has operated since 2018, primarily targeting Microsoft Windows users. The malware collects usernames, passwords, credit card data, cryptocurrency wallets, browser history, and multi-factor authentication tokens from infected systems. Once deployed, it uses defense-evasion techniques including self-deletion of the initial executable, allowing it to persist primarily in memory where detection becomes significantly more difficult.
The current campaign begins with compromised WordPress sites that redirect visitors to attacker-controlled pages. These pages display fake CAPTCHA verification prompts that instruct users to copy and execute malicious commands or scripts on their own machines. Because victims manually enter these commands, the technique often bypasses traditional security controls that would normally block automated malware execution. The Australian Signals Directorate's cyber security arm characterizes this as a widespread threat affecting multiple sectors.
The ClickFix social engineering method represents a shift in attack tactics, exploiting user trust in common web security mechanisms like CAPTCHA challenges. By convincing users they need to complete a verification step, attackers turn victims into unwitting accomplices in their own compromise. This approach proves particularly effective because it leverages legitimate system functions rather than exploiting software vulnerabilities.
The ACSC recommends several defensive measures for organizations. Priority actions include restricting execution of unauthorized applications and scripts, maintaining current patches for WordPress installations along with all plugins and themes, and blocking clipboard write access from browser-based JavaScript. Organizations should also ensure operating systems receive security updates promptly, particularly on internet-facing systems, and implement phishing-resistant multi-factor authentication to protect accounts even if credentials are stolen.
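As an added illustration of the lure stage described above (not code from the article or from the ACSC), the following Python heuristic flags pages where inline JavaScript writes a command-line-looking string to the clipboard, the pattern behind the fake CAPTCHA prompts; the regexes and the two sample pages are constructed assumptions, not an official signature.

```python
import re
from html.parser import HTMLParser

# Heuristics (assumptions based on the campaign description, not an ACSC signature):
# JavaScript that writes to the clipboard, command-line tokens in that script,
# and fake "verification" wording in the visible page text.
CLIPBOARD_WRITE = re.compile(
    r"navigator\.clipboard\.writeText\s*\(|execCommand\s*\(\s*['\"]copy['\"]", re.I)
COMMAND_HINT = re.compile(
    r"\b(powershell|pwsh|cmd(?:\.exe)?|mshta|wscript|cscript|rundll32|curl)\b", re.I)
LURE_TEXT = re.compile(r"verify (?:you are|you're) (?:a )?human|captcha|paste", re.I)

class _Extractor(HTMLParser):
    """Split a page into script content (incl. inline on* handlers) and visible text."""
    def __init__(self):
        super().__init__()
        self.scripts, self.text, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
        # Inline on* handlers (onclick="...") are JavaScript too.
        self.scripts.extend(v or "" for k, v in attrs if k.lower().startswith("on"))

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        (self.scripts if self._in_script else self.text).append(data)

def scan_html(html: str) -> dict:
    """Indicators found; 'suspicious' = clipboard write plus a command token in script."""
    p = _Extractor()
    p.feed(html)
    js, visible = "\n".join(p.scripts), " ".join(p.text)
    clip = bool(CLIPBOARD_WRITE.search(js))
    cmds = sorted({m.group(1).lower() for m in COMMAND_HINT.finditer(js)})
    return {"clipboard_write": clip, "command_tokens": cmds,
            "lure_text": bool(LURE_TEXT.search(visible)),
            "suspicious": clip and bool(cmds)}

# Constructed samples: a ClickFix-style lure with a placeholder command, and a
# benign page whose copy button only places a coupon code on the clipboard.
LURE_PAGE = """<html><body><h2>Verify you are human</h2>
<p>Copy the code, then paste and run it to continue.</p><button
onclick="navigator.clipboard.writeText('powershell -c PLACEHOLDER')">I am not a robot</button></body></html>"""
BENIGN_PAGE = """<html><body><p>Your coupon: SAVE10</p>
<button onclick="navigator.clipboard.writeText('SAVE10')">Copy code</button></body></html>"""
```

Legitimate developer documentation that offers a "copy this install command" button will also trip the command-token check, so treat a hit as a triage signal for the site owner rather than a verdict.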
Source: https://www.infosecurity-magazine.com/news/australian-cyber-security-centre/