Vidar Stealer Employs Advanced Tactics Evade Defense Solutions


The Vidar Stealer has emerged as a potent and sophisticated malware, posing significant risks to both organizations and individuals.

This information-stealing malware, operating as a malware-as-a-service (MaaS), has been meticulously analyzed by CYFIRMA, revealing its advanced tactics and techniques for evading detection and maximizing its malicious activities.

Vidar Stealer Employs Advanced Tactics Evade Defense Solutions

Overview of Vidar Stealer

Vidar Stealer, written in C++, is capable of stealing a wide range of data from compromised systems.

It targets personal data, web browser data, cryptocurrency wallets, financial data, sensitive files, communication applications, and more.

Vidar Stealer Employs Advanced Tactics Evade Defense Solutions

Sold on the dark web and underground forums, Vidar Stealer leverages social media platforms as part of its command-and-control (C2) infrastructure, making it a formidable threat in the cybersecurity landscape.

Vidar Stealer Employs Advanced Tactics Evade Defense Solutions

Key Findings

  • Information-Stealing Capabilities: Vidar Stealer targets a wide range of data, including personal and financial information, application data, and system activity.
  • Malware-as-a-Service: The malware is sold on the dark web and underground forums, with customizable functionality.
  • Evasion Techniques: Vidar employs advanced evasion techniques, such as obfuscating malicious code, injecting code into legitimate Windows processes, and using self-signed certificates to detect network interception.
  • Social Media Utilization: The malware uses social media platforms like Telegram and Steam to obtain C2 details, updates, and instructions.
  • Collaboration with Other Malware: Vidar has been observed collaborating with other malware strains, such as STOP/Djvu ransomware, to maximize its impact.

Behavioral & Code Analysis

1st Stage Execution

Initially, Vidar Stealer retrieves environment details using API calls and terminates the process if a debugger or analysis environment is detected.

2nd Stage Execution

If no analysis environment is detected, the malware decodes the content of the .data section using bitwise XOR operations, revealing artifacts such as C2 URLs and user-agent details.

Vidar Stealer Employs Advanced Tactics Evade Defense Solutions
Vidar Stealer Employs Advanced Tactics Evade Defense Solutions

All-in-One Cybersecurity Platform for MSPs to provide full breach protection with a single tool, Watch a Full Demo

3rd Stage Execution

The malware creates a suspended process (RegAsm.exe) and injects code into it, which then resumes and terminates the original process.

Vidar Stealer Employs Advanced Tactics Evade Defense Solutions

4th Stage Execution

RegAsm.exe executes the injected code, establishing a connection to retrieve C2 information from URLs embedded in social media profiles.

Vidar Stealer Employs Advanced Tactics Evade Defense Solutions

The malware exfiltrates data to the C2 server and downloads additional binaries to support its operation.

Exfiltration Process

Vidar Stealer collects and exfiltrates data from web browsers, cryptocurrency wallets, sensitive files, and system-specific directories.

The data is compiled into a folder with distinct file names and exfiltrated to the C2 server.

The malware then deletes the gathered data to eliminate traces of exfiltration.

Vidar Stealer Employs Advanced Tactics Evade Defense Solutions

Vidar-Stealer Capabilities

  • Information Gathering: Collects a wide variety of sensitive information from infected systems.
  • Data Exfiltration: Transmits stolen information over secure channels to C2 servers.
  • Evasion Techniques: Avoids detection by security software through various methods.
  • Process Injection: Targets legitimate Windows processes for code injection.
  • Social Media Utilization: Social media platforms are used for C2 infrastructure and malware promotion.
  • Collaboration with Other Malware: Works with other malware strains to enhance its impact.

The analysis of Vidar Stealer underscores the complexity and dynamic nature of modern cyber threats.

Its multifaceted capabilities, including information gathering, data exfiltration, evasion techniques, and collaboration with other malware strains, highlight the need for robust cybersecurity measures and proactive defense strategies.

Organizations and individuals must remain vigilant and adopt comprehensive security practices to mitigate the risks posed by threats like Vidar Stealer.

To reduce the risks associated with Vidar Stealer, users should exercise caution when opening files from untrustworthy sources or clicking on unfamiliar links.

Deploying reputable antivirus software, ensuring regular software updates, and staying vigilant against social engineering tactics are crucial steps in bolstering protection against such threats.

Collaboration between cybersecurity professionals and platform administrators is essential for promptly identifying and addressing these threats, leading to a safer online environment.

As cyber threats evolve, education and awareness campaigns are vital in equipping individuals with the knowledge to recognize and evade malware like Vidar Stealer.

Indicators Of Compromise

S/N Indicators Type Context
1 7e74918f0790056546b862fa3e114c2a File installer.exe
2 fed19121e9d547d9762e7aa6dd53e0756c414bd0a0650e38d6b0c01b000ad2fc File installer.exe
3 90e744829865d57082a7f452edc90de5 File sqlx[1].dll
4 036a57102385d7f0d7b2deacf932c1c372ae30d924365b7a88f8a26657dd7550 File sqlx[1].dll
5 https[:]//steamcommunity[.]com/profiles/76561199686524322 URL C2
6 https[:]//t[.]me/k0mono URL C2
7 https[:]//65.108.55.55[:]9000 URL C2
8 https[:]//91.107.221.88[:]9000 URL C2
9 65[.]108[.]55[.]55 IP address C2
10 91[.]107[.]221[.]88 IP address C2

Get special offers from ANY.RUN Sandbox. Until May 31, get 6 months of free service or extra licenses. Sign up for free.



Source link