Executive Summary
At CYFIRMA, we are dedicated to providing current insights into prevalent threats and strategies utilized by malicious entities, targeting both organizations and individuals. This in-depth examination focuses on the Vidar Stealer, an information stealer operating as a malware-as-a-service. The research explores the tactics employed by threat actor(s) to evade detection on the system and over the network, as well as their techniques for concealing malicious code and activities. Additionally, it examines their utilization of social media platforms to procure command and control details for data exfiltration and updates.
Introduction
This study provides a concise overview of Vidar Stealer, a potent malware written in C++, capable of stealing a wide range of data from the compromised system. Vidar Stealer targets user’s personal data, web-browser data, cryptocurrency wallets, financial data, sensitive files within user directories, communication applications, process explorer data, network communications, and more. This customizable malware is being sold on the dark web and underground forums as a malware-as-a-service, and leveraging the social media platforms as their part of C2 infrastructure to get details such as IP address, instructions, updates, and downloads. Understanding the operation and impact of Vidar Stealer is crucial for cybersecurity professionals to develop effective defense strategies against such sophisticated threats.
Key Findings
- Vidar is an information-stealing malware that targets a wide range of data.
- It is being sold as a malware-as-a-service on the dark web and underground forums.
- It comes with customizable functionality.
- The malware hides the core malicious code in an obfuscated form and decodes after analyzing the environment for debugger/analysis tools.
- Injects the malicious code into the legitimate Windows process.
- Use social media platforms to get C2 details.
- Downloads additional binaries from C2 to support its operation.
- Checks for the use of self-signed certificates to detect the potential network interception between malware and C2.
- Collects a wide range of data from the compromised system including personal and financial data, application data, system activity, and more.
- Harvests all the targeted data into the ProgramData folder under a randomly generated file name.
- Exfiltrates all the collected data to the C2 server and subsequently deletes them from the ProgramData folder to eliminate potential traces of data exfiltration.
- The analyzed sample exhibits no signs of a persistence mechanism.
- The threat actor appears to be of Russian origin based on the language used to promote and sell the malware across the dark web and Telegram channel.
ETLM Attribution
Vidar Stealer was first seen in 2018 and since then it has been updated several times to enhance its functionality. The malware is supported by a dedicated team, and they provide weekly updates on Mondays, as claimed on their portal:
Vidar Stealer integrated social media platforms like Telegram and Steam into its infrastructure, not only for providing updates and support to subscribers but also for command-and-control (C2) functionality. This includes embedding the IP address/URL on the profile page, which the malware retrieves during the initial stage of execution.
The use of social media in such a way provides unrestricted access to information that is required by the malware for its operation without raising any flags. By just updating the details on the social media profile page such as IP address, the C2 can be changed and that provides protection from denial of service in case the IP/URL is blocked by the network service providers or security solutions.
The official support channel for Vidar on Telegram, along with the Vidar news Telegram channel with 372 subscribers, in Russian, indicates the malware or threat actor’s Russian origins:
In February, Sultan, the name behind Vidar malware, shared an image featuring the Lumma and Raccoon stealers, depicted together in combat against antivirus solutions. This suggests collaboration among threat actors, as they join forces and share infrastructure to achieve their goals.
Having conducted our observations, we have noted an intriguing collaboration over time between Vidar Stealer and the STOP/Djvu ransomware. We have observed them spreading together, often accompanied by the SmokeLoader backdoor. Furthermore, SmokeLoader has been known to introduce the RedLine stealer and Laplas clipper trojan. With all these components running on a single PC, the result is chaos. It is likely that Djvu ransomware affiliates aim to maximize their profits from a single victim by leveraging this extensive array of malware.
Threat Landscape: From an external threat landscape standpoint, the threat landscape presents a dynamic and evolving environment characterized by the presence of sophisticated malware such as Vidar Stealer. Threat actors demonstrate a high level of adaptability, employing advanced tactics to evade detection and maximize their malicious activities.
Notably, the collaboration between Vidar Stealer and other malware strains, such as STOP/Djvu ransomware, highlights the interconnected nature of modern cyber threats. Furthermore, the utilization of social media platforms like Telegram and Steam for malware promotion underscores the importance of monitoring these channels for early threat detection. Overall, organizations and individuals face significant risks from multifaceted attacks that leverage a combination of malware variants, emphasizing the need for robust cybersecurity measures and proactive defense strategies.
Analysis of Vidar Stealer
File Analysis | |
File Name | installer.exe |
File Size | 364.00 KB (372736 bytes) |
Signed | Not signed |
MD5 | 7e74918f0790056546b862fa3e114c2a |
SHA-256 | fed19121e9d547d9762e7aa6dd53e0756c414bd0a0650e38d6b0c01b000ad2fc |
Date Modified | 18-05-2024 |
The malware specimen is a 32-bit console-based executable, typically delivered as a payload of downloader malware like a private loader. It’s compiled using Visual Studio and coded in C++.
This non-packed file consists of five sections, with two marked as executable. This indicates a possible shift in code execution to support the underlying operation once specific conditions are met.
The entropy of the .data section, along with the uniform byte distribution, suggests the presence of obfuscated content within the section:
The malware initially loads only two libraries, with the remaining required libraries being loaded at runtime:
The imports indicate towards malware functionality and anti-analysis measures:
Behavioral & Code Analysis
1st Stage Execution:
Initially, the malware utilizes API calls such as GetEnvironmentStrings and GetModuleHandleExW to retrieve environment details. Subsequently, it triggers a memory access violation exception and terminates the process by calling RtlExitUserProcess if a debugger or analysis environment is detected.
2nd Stage Execution:
If the malware doesn’t detect any analysis environment, it proceeds to decode the content of the .data section using bitwise XOR operations:
The decoded content reveals many artifacts including C2 URL, user-agent used in communication, target data and applications, etc.:
3rd Stage Execution:
Post decoding the content of the .data section, it proceeds to create a suspended process RegAsm.exe:
Following that, it executes process injection by writing the virtual memory of the suspended process RegAsm.exe with code retrieved from the decoded .data section:
After injecting the code into RegAsm.exe, it resumes the suspended process and subsequently terminates itself:
4th Stage Execution:
At this stage, RegAsm.exe executes the injected code. It establishes a connection to retrieve the C2 information from the URL https[:]//steamcommunity[.]com/profiles/76561199686524322, identified within the extracted string from the decoded content of .data section:
The response body includes the C2 address “https[:]//65.108.55.55[:]9000”, where it exfiltrates the data from the victim’s PC:
It downloads the “sqlx[1].dll” in C:UsersuserAppDataLocalMicrosoftWindowsINetCacheIEWO8CAGSI directory (‘WO8CAGSI‘ is a randomly generated directory name) which is a non-malicious sqlite3 binary, that implements a self-contained, serverless, zero-configuration, transactional SQL database engine to help with data harvesting and exfiltration:
The malware also initiates another communication request to the URL “https[:]//t[.]me/k0mono”, which is also found in the decoded content:
The response to this request contains another C2 address “https[:]//91.107.221.88[:]9000”:
All network communication occurs over a secure channel using TLS 1.2. Any attempt to intercept this communication results in the termination of the malicious process, accompanied by the error message “Certificate verify failed: self-signed certificate”:
The Exfiltration:
In the final stage, the malicious process begins collecting and exfiltrating data from the victim’s PC. This encompasses data from web browsers, including cookies, history, extensions, login data, session data, and cache. Additionally, it targets cryptocurrency wallets, sensitive files within user directories, and data from the Telegram app:
It also attempts to read system-specific directories (hiddenwith security descriptors in or system directory) such as $Recycle.Bin, $Windows.~BT, $SysReset using ReadFile operation where C:$Directory is the placeholder for a specific directory name:
The special NTFS metadata attribute associated with security decriptors in Windows is also accessed by the malware:
Additionally, it reads Jump Lists, which offer quick access to recently opened files, frequently used programs, and associated tasks:
It also reads the C:WindowsSystem32configSOFTWARE directory, which typically refers to a critical file within the Windows registry on a Windows system:
In addition to these, it also gathers data from the ProgramData folder, process explorer data, and network requests. All this data is compiled into a folder named C:ProgramDataHJJDGHCBGDHI with distinct file names:
To restrict access to the collected data solely to itself, the malware employs a technique of repeatedly locking and unlocking the files throughout its operation. Once it has gathered the targeted data from the compromised system, it exfiltrates it to the designated C2 server and subsequently deletes the gathered data to eradicate any traces of exfiltration:
Finally, the malicious process terminates itself after completing the exfiltration process:
Vidar-Stealer Capabilities
Analyzing the Vidar Stealer provides valuable insights into its operational characteristics. Based on this examination and the extracted data, the following points outline the capabilities of this information-stealing malware:
- Information Gathering: Vidar is adept at collecting a wide variety of sensitive information from infected systems, including browser data (cookies, history), cryptocurrency wallets, system-specific directories, process explorer data, and network requests.
- Data Exfiltration: Vidar exfiltrates collected data to command-and-control (C2) servers. This includes transmitting the stolen information over secure channels to ensure stealthy exfiltration.
- Evasion Techniques: Vidar employs various evasion techniques to avoid detection by security software. This includes checking the environment for debugger/analysis tools, self-signed certificates to detect network interception and using obfuscation methods to hide its malicious code.
- Process Injection: Utilizes process injection to target legit Windows process (RegAsm.exe).
- Social Media: Leverages social media platforms as part of its C2 Infrstructure to obtain details such as C2 IP address/URL, instructions, updates, and downloads. It also uses social media for the promotion and distribution of the malware.
- Collaboration with Other Malware: Vidar has been observed collaborating with other malware strains, such as STOP/Djvu ransomware. This collaboration results in a more comprehensive and devastating attack, leveraging multiple malware variants to maximize impact.
Conclusion
In conclusion, the analysis of Vidar Stealer provides valuable insights into the evolving landscape of cyber threats and the sophistication of modern malware. Vidar’s multifaceted capabilities, including information gathering, data exfiltration, evasion techniques, and collaboration with other malware strains, highlight the complex and dynamic nature of cyberattacks faced by organizations and individuals. Moreover, the malware’s utilization of social media platforms emphasizes the importance of monitoring diverse channels for early threat detection.
As cyber threats continue to evolve, it is imperative for organizations to adopt robust cybersecurity measures and proactive defense strategies to mitigate the risks posed by threats like Vidar Stealer. To reduce the risks associated with the Vidar Stealer, users should exercise caution when opening files from untrustworthy sources or clicking on unfamiliar links, particularly those offering questionable software or content. Furthermore, deploying robust cybersecurity measures, including utilizing reputable antivirus software, ensuring software is regularly updated, and staying vigilant against social engineering tactics, can significantly bolster protection against such threats.
It’s imperative for both platform providers and users to stay vigilant in detecting and reporting suspicious activities. Collaboration between cybersecurity professionals and platform administrators is crucial for promptly identifying and addressing such threats, leading to a safer online environment. Education and awareness campaigns are also vital in equipping individuals with the knowledge to recognize and evade such malware, ultimately fostering a more resilient and secure online ecosystem.
Indicators Of Compromise
S/N | Indicators | Type | Context |
1 | 7e74918f0790056546b862fa3e114c2a | File | installer.exe |
2 | fed19121e9d547d9762e7aa6dd53e0756c414bd0a0650e38d6b0c01b000ad2fc | File | installer.exe |
3 | 90e744829865d57082a7f452edc90de5 | File | sqlx[1].dll |
4 | 036a57102385d7f0d7b2deacf932c1c372ae30d924365b7a88f8a26657dd7550 | File | sqlx[1].dll |
5 | https[:]//steamcommunity[.]com/profiles/76561199686524322 | URL | C2 |
6 | https[:]//t[.]me/k0mono | URL | C2 |
7 | https[:]//65.108.55.55[:]9000 | URL | C2 |
8 | https[:]//91.107.221.88[:]9000 | URL | C2 |
9 | 65[.]108[.]55[.]55 | IP address | C2 |
10 | 91[.]107[.]221[.]88 | IP address | C2 |
MITRE ATT&CK Tactics and Techniques
No. | Tactic | Technique |
1 | Reconnaissance (TA0043) | T1592: Gather Victim Host Information |
2 | Execution (TA0002) | T1204.002: Malicious File |
3 | Privilege Escalation (TA0004) | T1055: Process Injection |
4 | Defense Evasion (TA0005) | T1622: Debugger Evasion |
T1497: Virtualization/Sandbox Evasion | ||
T1140: Deobfuscate/Decode Files or Information | ||
T1564.001: Hidden Files and Directories | ||
5 | Discovery (TA0007) | T1622: Debugger Evasion |
T1497: Virtualization/Sandbox Evasion | ||
T1083: File and Directory Discovery | ||
6 | Command and Control (TA0011) | T1071.001: Web Protocols |
7 | Exfiltration (TA0010) | T1041: Exfiltration Over C2 Channel |
YARA Rules:
rule vidar_stealer {
meta:
description = “YARA rule for detecting Vidar Stealer”
author = CRT
reference = “MD5: 7e74918f0790056546b862fa3e114c2a, SHA256: fed19121e9d547d9762e7aa6dd53e0756c414bd0a0650e38d6b0c01b000ad2fc, URLs: steamcommunity.com/profiles/76561199686524322, t.me/k0mono, IP: 65.108.55.55, IP: 91.107.221.88”
strings:
$md5_hash = “7e74918f0790056546b862fa3e114c2a”
$sha256_hash = “fed19121e9d547d9762e7aa6dd53e0756c414bd0a0650e38d6b0c01b000ad2fc”
$steam_url = “steamcommunity.com/profiles/76561199686524322”
$telegram_url = “t.me/k0mono”
$c2_url1 = “65.108.55.55”
$c2_url2 = “91.107.221.88”
condition:
$md5_hash or $sha256_hash or $steam_url or $telegram_url or $c2_url1 or $c2_url2 }
Recommendations
- Implement threat intelligence to proactively counter the threats associated with the Vidar Stealer.
- To protect the endpoints, use robust endpoint security solutions for real-time monitoring and threat detection such as an anti-malware security suit and host-based intrusion prevention system.
- Continuous monitoring of the network activity with NIDS/NIPS and using the web application firewall to filter/block suspicious activity provides comprehensive protection from compromise due to encrypted payloads.
- Configure firewalls to block outbound communication to known malicious IP addresses and domains associated with Vidar Stealer command and control servers.
- Implement behavior-based monitoring to detect unusual activity patterns, such as suspicious processes attempting to make unauthorized network connections.
- Employ application whitelisting to allow only approved applications to run on endpoints, preventing the execution of unauthorized or malicious executables.
- Conducting vulnerability assessment and penetration testing on the environment periodically helps in hardening the security by finding the security loopholes followed by a remediation process.
- The use of security benchmarks to create baseline security procedures and organizational security policies is also recommended.
- Develop a comprehensive incident response plan that outlines steps to take in case of a malware infection, including isolating affected systems and notifying relevant stakeholders.
- Security awareness and training programs help to protect from security incidents such as social engineering attacks. Organizations should remain vigilant and continuously adapt their defenses to mitigate the evolving threats posed by Vidar Stealer malware.
- Update security patches which can reduce the risk of potential compromise.
Source: Original Post