The Vidar Stealer has emerged as a potent and sophisticated malware, posing significant risks to both organizations and individuals.
This information-stealing malware, operating as a malware-as-a-service (MaaS), has been meticulously analyzed by CYFIRMA, revealing its advanced tactics and techniques for evading detection and maximizing its malicious activities.
Overview of Vidar Stealer
Vidar Stealer, written in C++, is capable of stealing a wide range of data from compromised systems.
It targets personal data, web browser data, cryptocurrency wallets, financial data, sensitive files, communication applications, and more.
Sold on the dark web and underground forums, Vidar Stealer leverages social media platforms as part of its command-and-control (C2) infrastructure, making it a formidable threat in the cybersecurity landscape.
Key Findings
- Information-Stealing Capabilities: Vidar Stealer targets a wide range of data, including personal and financial information, application data, and system activity.
- Malware-as-a-Service: The malware is sold on the dark web and underground forums, with customizable functionality.
- Evasion Techniques: Vidar employs advanced evasion techniques, such as obfuscating malicious code, injecting code into legitimate Windows processes, and using self-signed certificates to detect network interception.
- Social Media Utilization: The malware uses social media platforms like Telegram and Steam to obtain C2 details, updates, and instructions.
- Collaboration with Other Malware: Vidar has been observed collaborating with other malware strains, such as STOP/Djvu ransomware, to maximize its impact.
Behavioral & Code Analysis
1st Stage Execution
Initially, Vidar Stealer retrieves environment details using API calls and terminates the process if a debugger or analysis environment is detected.
2nd Stage Execution
If no analysis environment is detected, the malware decodes the content of the .data section using bitwise XOR operations, revealing artifacts such as C2 URLs and user-agent details.
All-in-One Cybersecurity Platform for MSPs to provide full breach protection with a single tool, Watch a Full Demo
3rd Stage Execution
The malware creates a suspended process (RegAsm.exe) and injects code into it, which then resumes and terminates the original process.
4th Stage Execution
RegAsm.exe executes the injected code, establishing a connection to retrieve C2 information from URLs embedded in social media profiles.
The malware exfiltrates data to the C2 server and downloads additional binaries to support its operation.
Exfiltration Process
Vidar Stealer collects and exfiltrates data from web browsers, cryptocurrency wallets, sensitive files, and system-specific directories.
The data is compiled into a folder with distinct file names and exfiltrated to the C2 server.
The malware then deletes the gathered data to eliminate traces of exfiltration.
Vidar-Stealer Capabilities
- Information Gathering: Collects a wide variety of sensitive information from infected systems.
- Data Exfiltration: Transmits stolen information over secure channels to C2 servers.
- Evasion Techniques: Avoids detection by security software through various methods.
- Process Injection: Targets legitimate Windows processes for code injection.
- Social Media Utilization: Social media platforms are used for C2 infrastructure and malware promotion.
- Collaboration with Other Malware: Works with other malware strains to enhance its impact.
The analysis of Vidar Stealer underscores the complexity and dynamic nature of modern cyber threats.
Its multifaceted capabilities, including information gathering, data exfiltration, evasion techniques, and collaboration with other malware strains, highlight the need for robust cybersecurity measures and proactive defense strategies.
Organizations and individuals must remain vigilant and adopt comprehensive security practices to mitigate the risks posed by threats like Vidar Stealer.
To reduce the risks associated with Vidar Stealer, users should exercise caution when opening files from untrustworthy sources or clicking on unfamiliar links.
Deploying reputable antivirus software, ensuring regular software updates, and staying vigilant against social engineering tactics are crucial steps in bolstering protection against such threats.
Collaboration between cybersecurity professionals and platform administrators is essential for promptly identifying and addressing these threats, leading to a safer online environment.
As cyber threats evolve, education and awareness campaigns are vital in equipping individuals with the knowledge to recognize and evade malware like Vidar Stealer.
Indicators Of Compromise
S/N | Indicators | Type | Context |
1 | 7e74918f0790056546b862fa3e114c2a | File | installer.exe |
2 | fed19121e9d547d9762e7aa6dd53e0756c414bd0a0650e38d6b0c01b000ad2fc | File | installer.exe |
3 | 90e744829865d57082a7f452edc90de5 | File | sqlx[1].dll |
4 | 036a57102385d7f0d7b2deacf932c1c372ae30d924365b7a88f8a26657dd7550 | File | sqlx[1].dll |
5 | https[:]//steamcommunity[.]com/profiles/76561199686524322 | URL | C2 |
6 | https[:]//t[.]me/k0mono | URL | C2 |
7 | https[:]//65.108.55.55[:]9000 | URL | C2 |
8 | https[:]//91.107.221.88[:]9000 | URL | C2 |
9 | 65[.]108[.]55[.]55 | IP address | C2 |
10 | 91[.]107[.]221[.]88 | IP address | C2 |
Get special offers from ANY.RUN Sandbox. Until May 31, get 6 months of free service or extra licenses.
Sign up for free.