Vidar is a notorious information stealer that has been active since 2018. It is built to harvest a wide range of data from compromised systems and poses a significant risk to targeted organizations. This article examines how Vidar works, how it spreads, and practical techniques for detecting and countering it.
Understanding Vidar Malware
Vidar is a malicious program that targets personal information and cryptocurrency wallet data on the infected machine. It is believed to be an offspring or direct evolution of the Arkei trojan and shares its approach to data exfiltration. Its origin has not been officially attributed, but there are strong indications that Vidar comes from Russia. It is sold as Malware-as-a-Service on the Darknet, at prices ranging from $130 to $750 depending on the length of the “licence”.
How Vidar Spreads
Vidar has historically relied on one primary delivery method: email spam. Other methods, such as bundling with cracked software or delivery by dropper malware, have been used but account for less than 10% of cases. Microsoft's change of policy on macro execution (Office now blocks macros in documents downloaded from the internet by default) has forced the threat actors behind Vidar to adopt other propagation strategies, notably malicious Google Search ads.
In a typical Vidar spam campaign, the emails use routine pretexts such as invoice updates, delivery notifications, or subscription renewals. Each carries an attachment, usually an MS Office document with a malicious macro. If the recipient enables macros, the script contacts the malware server, downloads the payload, and infects the system with Vidar.
Malicious Google Search Ads
As an alternative propagation method, Vidar has started to spread via malicious Google Search ads. The lures follow the same themes as the email campaigns, with the topics adjusted to fit an ad, but the download is an archive containing the malware rather than a macro-enabled document.
Noteworthy Features of Vidar Malware
Vidar is notable for how it handles C2 (Command & Control): rather than embedding the C2 address, it retrieves it from profiles on social networks such as Telegram, Mastodon, or even Steam, a dead-drop technique that keeps the real server out of the binary. Additionally, Vidar is programmed to delete itself after it has gathered all the information from the system, which complicates detection, removal, and forensic analysis.
On a technical level, Vidar is an x86 Windows binary written in C/C++ and has been found to use customized packing techniques. During execution it fetches a specific Mastodon profile page (mas[.]to/@oleg98) to retrieve the Command & Control (C&C) IP address. After the data has been exfiltrated, Vidar removes itself by deleting its binaries and the data files it created.
The malware sends the victim machine's unique ID to the C&C and receives configuration data in return. That configuration, together with hardcoded details of the targeted applications and how to extract their data, drives what Vidar steals: saved credentials, cookies, and browsing history from browsers such as Opera, Mozilla Firefox, Chrome, and Brave. It also enumerates cryptocurrency wallets, extracts data from file-sharing and communication software, and collects the user's geolocation and system language.
Vidar downloads additional modules needed to extract credentials: freebl3.dll, mozglue.dll, msvcp140.dll, nss3.dll, softokn3.dll, and vcruntime140.dll. Once credential extraction is done, Vidar writes the stolen credentials into a ZIP file on the victim's machine and sends it to the attacker's C&C. Alongside the credentials it collects the Machine ID, the malware's own path, hardware details, running processes, and installed software.
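The DLL set above is a useful host-side hunting signal: Firefox and the VC++ runtime legitimately ship these files, but the same six DLLs sitting together in a directory that is not a browser or system install is not normal. The script below is an added example, not code from the article or from any vendor tooling: it walks a directory tree for such bundles, skipping benign install paths, and separately sweeps files by SHA-256 against an IoC set. The benign path fragments and the sample directory layout are assumptions constructed for illustration.

```python
"""Host-side hunt for Vidar's credential-theft DLL bundle and for a published IoC hash.

Added example, not code from the original article. The directory layout and
file contents built below are constructed for illustration only.
"""
import hashlib
import os
import tempfile

# Helper DLLs Vidar downloads to decrypt browser credential stores (named in the article).
VIDAR_HELPER_DLLS = frozenset({
    "freebl3.dll", "mozglue.dll", "msvcp140.dll",
    "nss3.dll", "softokn3.dll", "vcruntime140.dll",
})

# Path fragments where these DLLs legitimately live (Firefox ships the NSS set, the
# VC++ runtime sits in System32). Assumption: tune to your own fleet's install paths.
BENIGN_PATH_FRAGMENTS = ("mozilla firefox", "thunderbird", "system32", "syswow64")

# SHA-256 IoC for the Vidar sample listed in the article.
IOC_SHA256 = {"c40c62b978908e0f5112eee4ae7370fb9c4cc1ed7c90a171be89f6fd8c10b376"}


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_dll_bundles(root, min_hits=4):
    """Return (directory, [dlls]) for every directory holding at least min_hits of the
    helper DLLs outside the benign locations. Vidar drops the set next to its own files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        present = VIDAR_HELPER_DLLS & {f.lower() for f in files}
        if len(present) < min_hits:
            continue
        if any(fragment in dirpath.lower() for fragment in BENIGN_PATH_FRAGMENTS):
            continue
        hits.append((dirpath, sorted(present)))
    return hits


def find_ioc_hashes(root, iocs=IOC_SHA256):
    """Return paths of files whose SHA-256 is in the IoC set."""
    matches = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if sha256_of(path) in iocs:
                    matches.append(path)
            except OSError:  # locked or unreadable file: skip it, do not abort the sweep
                continue
    return matches


def build_sample_tree():
    """Constructed fixture: a fake Firefox install (benign, carries the NSS DLLs) and a
    ProgramData drop directory (suspicious). Returns (root, path_of_dropped_loader)."""
    root = tempfile.mkdtemp(prefix="vidar_hunt_")
    firefox = os.path.join(root, "Program Files", "Mozilla Firefox")
    drop = os.path.join(root, "ProgramData", "x7k2")
    for d in (firefox, drop):
        os.makedirs(d)
        for dll in VIDAR_HELPER_DLLS:
            with open(os.path.join(d, dll), "wb") as f:
                f.write(b"MZ placeholder for " + dll.encode())
    loader = os.path.join(drop, "loader.exe")
    with open(loader, "wb") as f:
        f.write(b"MZ constructed placeholder, not a real sample")
    return root, loader


if __name__ == "__main__":
    root, loader = build_sample_tree()
    for directory, dlls in find_dll_bundles(root):
        print(f"suspicious DLL bundle in {directory}: {', '.join(dlls)}")
    for path in find_ioc_hashes(root):
        print(f"IoC hash match: {path}")
```

Run against a real host, point `find_dll_bundles` at the user profile, ProgramData and Temp roots rather than the whole drive, and treat a bundle that sits beside an unsigned executable as the strongest signal; the hash sweep only catches the exact sample, so the DLL heuristic is what survives repacking.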
Indicators of Compromise (IoCs) for Vidar include the SHA-256 hash “c40c62b978908e0f5112eee4ae7370fb9c4cc1ed7c90a171be89f6fd8c10b376”, the mas[.]to bot ID “@email@example.com” used to obtain the C&C URL, and the C&C URL “hxxp[:]//65.100.80[.]190”.
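The dead-drop behaviour described above leaves a distinctive network trace: a workstation fetches a profile page on Mastodon, Steam or Telegram and, seconds later, starts talking to a URL whose host is a bare IP address. The detector below is an added example, not code from the article or any product. It parses a constructed proxy log format, pairs each profile fetch with a subsequent bare-IP connection inside a time window, and raises severity when that IP matches the published C2 IoC. The log format, the sample lines, the client addresses and the window length are assumptions; the profile hosts and the C2 IP come from the article.

```python
"""Proxy-log detection for Vidar's dead-drop C2 resolution pattern.

Added example, not code from the original article. The log format and the
sample lines are constructed; the profile hosts and the C2 IP come from the article.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Profile hosts Vidar has used to stash its real C2 address (from the article).
DEAD_DROP_HOSTS = ("mas.to", "steamcommunity.com", "t.me")

# C2 IP published as an IoC in the article (hxxp[:]//65.100.80[.]190), un-defanged here.
IOC_C2_IPS = {"65.100.80.190"}

# Constructed log format: "<iso-timestamp> <client-ip> <method> <url> <status>".
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")

# Constructed sample traffic; only 10.0.0.15 shows the full Vidar sequence.
SAMPLE_LOG = """\
2023-05-04T10:01:02Z 10.0.0.15 GET https://mas.to/@oleg98 200
2023-05-04T10:01:04Z 10.0.0.15 GET http://65.100.80.190/ 200
2023-05-04T10:01:05Z 10.0.0.15 POST http://65.100.80.190/ 200
2023-05-04T10:30:00Z 10.0.0.22 GET https://steamcommunity.com/profiles/0000000000000 200
2023-05-04T11:30:00Z 10.0.0.22 GET http://203.0.113.9/update 200
2023-05-04T12:00:00Z 10.0.0.31 GET http://198.51.100.7/healthz 200
""".splitlines()


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, url, status = m.groups()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "src": src, "method": method, "url": url, "status": int(status),
    }


def is_dead_drop_host(host):
    """Exact or subdomain match, so 'xmas.to' does not count as 'mas.to'."""
    return any(host == h or host.endswith("." + h) for h in DEAD_DROP_HOSTS)


def is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def detect_dead_drop_c2(lines, window_s=600):
    """Alert when a client fetches a profile page on a dead-drop host and then talks to a
    bare-IP URL within window_s seconds (the resolver step), or to a known C2 IoC at all."""
    by_src = defaultdict(list)
    for raw in lines:
        ev = parse_line(raw)
        if ev:
            by_src[ev["src"]].append(ev)

    alerts, seen = [], set()
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        last_profile = None
        for ev in events:
            host = urlsplit(ev["url"]).hostname or ""
            if is_dead_drop_host(host):
                last_profile = ev
                continue
            if not is_bare_ip(host):
                continue
            in_window = (last_profile is not None
                         and (ev["ts"] - last_profile["ts"]).total_seconds() <= window_s)
            if host in IOC_C2_IPS:
                severity = "high"
            elif in_window:
                severity = "medium"
            else:
                continue
            if (src, host) in seen:  # one alert per client/C2 pair
                continue
            seen.add((src, host))
            alerts.append({
                "src": src, "c2": host, "severity": severity,
                "resolver": last_profile["url"] if in_window else None,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_dead_drop_c2(SAMPLE_LOG):
        print(alert)
```

The window is the tunable part: too short and a slow sandbox-evading loader slips past, too long and ordinary users who browse Steam and then hit an IP-addressed internal service start producing medium alerts, which is why the IoC match is scored independently of the sequence.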
Detecting and Protecting Against Vidar Malware
Given Vidar's capabilities and its evolving propagation methods, organizations need robust security controls and a tested incident response plan. Keeping antivirus and other security software up to date is the first line of defense. Monitoring network traffic for the patterns described above, a profile-page fetch on a social network followed by traffic to a raw IP address, or a ZIP upload from a workstation to an unknown host, can surface an infection early.
Furthermore, education plays a vital role in prevention. Employees should be trained on how to identify phishing emails, suspicious attachments, and malicious ads to avoid falling victim to Vidar malware. Developing a strong security culture within an organization is a critical step towards mitigating the risks posed by Vidar and other similar threats.
The fight against Vidar malware is not a one-time effort but requires ongoing vigilance and proactive measures. By understanding how Vidar operates and knowing the techniques to detect and counteract its threats, organizations can better protect their systems and data.