
Vidar Stealer Under the Lens: A Deep-dive Analysis

The Vidar malware family can steal banking information, saved passwords, IP addresses, browser history, login credentials, and crypto-wallets.

Threat Actors (TAs) are increasingly using stealer malware to harvest credentials from victims’ devices. The Vidar malware family, first identified in 2018, is capable of stealing sensitive data from the victim’s PC. This includes banking information, saved passwords, IP addresses, browser history, login credentials, and crypto-wallets, all of which are then transferred to the TAs’ Command and Control (C&C) server.

Cyble Research Labs obtained the latest variant of the Vidar Stealer sample to study its behavior and the techniques it uses for infection. We identified that the TAs distribute this malware through delivery mechanisms such as spam mail, cracked software, keygens, etc.

The Vidar stealer’s high-level execution flow is shown in the diagram below. The malware connects to the TA’s “mas.to!” channel to obtain the C&C IP address. It then downloads configuration data and additional payloads/modules from the C&C, extracts credentials from the victim’s device, and exfiltrates the data.

Figure 1 High-Level Execution Flow Diagram of the Malware

Technical Analysis 

Cyble Research Labs performed static analysis of the sample and found that the malware is an x86 Windows binary written in C/C++ and compiled on 2021-11-10 10:44:29.

Figure 2 Static Information of the Malware

During the initial execution of the malware, Cyble Research Labs observed that it attempts to connect to hxxp://mas[.]to/@oleg98, as shown in the figure below.

Figure 3 Traffic Analysis of the Malware

Upon further analysis, we found that the malware retrieves the C&C IP 65.100.80.190 from the profile of the user ID “oleg98” on the mas.to! channel, fetched via hxxp://mas[.]to/@oleg98, as shown below.

Figure 4 TA’s mas.to! channel
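The behaviour described above, a non-browser process fetching a social-media profile and then connecting directly to a bare IP address moments later, is a detectable pattern regardless of which account or instance the TA uses. The following is an added example written for this page, not code from the report or from Cyble. It correlates constructed outbound HTTP events (as a proxy log joined with process telemetry would provide) per process; the process names, the time window and the RFC 5737 documentation IPs are assumptions, and only the `@oleg98` profile path comes from the report.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample events (not from the report): outbound HTTP requests attributed
# to the originating process. IPs are RFC 5737 documentation addresses.
SAMPLE_NET_EVENTS = [
    {"ts": 100, "pid": 3320, "image": "C:\\Users\\user\\Desktop\\Malware.exe", "url": "https://mas.to/@oleg98"},
    {"ts": 104, "pid": 3320, "image": "C:\\Users\\user\\Desktop\\Malware.exe", "url": "http://198.51.100.17/"},
    # A real browser visiting a profile is normal and must not fire.
    {"ts": 200, "pid": 2000, "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "url": "https://mas.to/@someone"},
    {"ts": 203, "pid": 2000, "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "url": "http://203.0.113.9/"},
    # A bare-IP request with no preceding profile fetch is not enough on its own.
    {"ts": 300, "pid": 4100, "image": "C:\\Tools\\curl.exe", "url": "http://198.51.100.17/"},
    # Profile fetch and bare-IP request too far apart to be linked.
    {"ts": 400, "pid": 5200, "image": "C:\\Tools\\updater.exe", "url": "https://mas.to/@vendor"},
    {"ts": 900, "pid": 5200, "image": "C:\\Tools\\updater.exe", "url": "http://203.0.113.40/"},
]

# Assumed list of browser image names that legitimately fetch profile pages.
BROWSER_IMAGES = {"firefox.exe", "chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}
# Mastodon-style profile path, e.g. /@oleg98 on mas.to.
PROFILE_PATH = re.compile(r"^/@[\w.-]+/?$")


def is_profile_fetch(url):
    """True when the URL path looks like a fediverse profile page."""
    return PROFILE_PATH.match(urlparse(url).path or "") is not None


def is_raw_ip_url(url):
    """True when the URL host is a literal IPv4/IPv6 address rather than a hostname."""
    host = urlparse(url).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def detect_dead_drop_resolution(events, window_seconds=60):
    """Flag a non-browser process that fetches a profile page and then, within the
    window, connects to a bare IP: the dead-drop resolver pattern seen in this sample."""
    last_profile = {}  # pid -> most recent profile-fetch event for that process
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        image_name = ev["image"].rsplit("\\", 1)[-1].lower()
        if image_name in BROWSER_IMAGES:
            continue
        if is_profile_fetch(ev["url"]):
            last_profile[ev["pid"]] = ev
        elif is_raw_ip_url(ev["url"]) and ev["pid"] in last_profile:
            first = last_profile[ev["pid"]]
            if ev["ts"] - first["ts"] <= window_seconds:
                findings.append({
                    "pid": ev["pid"],
                    "image": ev["image"],
                    "resolver": first["url"],
                    "c2": urlparse(ev["url"]).hostname,
                })
    return findings


if __name__ == "__main__":
    for finding in detect_dead_drop_resolution(SAMPLE_NET_EVENTS):
        print(finding)
```

On the constructed input only the `Malware.exe` process is reported, with the profile URL it resolved through and the IP it then contacted; the browser, the lone bare-IP request and the out-of-window pair stay quiet. In production the same logic runs over whatever joins your proxy log to a process id, and the profile-path regex can be widened to other services that TAs use as dead drops.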

The figure below shows the process tree created by the malware.

Figure 5 Process Tree Created by the Malware

After the data has been exfiltrated, the stealer deletes itself by removing its own binary and the dropped data files. The following command is executed to perform the self-delete activity.

"C:\Windows\System32\cmd.exe" /c taskkill /im Devil.exe /f & timeout /t 6 & del /f /q "C:\Users\MalWorkstation\Desktop\Malware.exe" & del C:\ProgramData\*.dll & exit
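The self-delete chain above (kill the process, wait, delete the binary, delete the dropped DLLs, exit) has a stable shape that is easy to match in process-creation telemetry. The block below is an added example for this page, not code from the report or from Cyble: it splits a cmd.exe command line on the `&` operator, labels each chained command by its role, and flags command lines that contain the full kill/delay/delete sequence. The sample events are constructed (the first mirrors the command line above with a placeholder user name); the field names and the severity scheme are assumptions.

```python
import re

# Constructed process-creation events (not from the report). The first mirrors the
# self-delete command line shown above, with "user" as a placeholder profile name.
SAMPLE_EVENTS = [
    {"pid": 4412, "parent": "C:\\Users\\user\\Desktop\\Malware.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c taskkill /im Devil.exe /f & timeout /t 6 '
                r'& del /f /q "C:\Users\user\Desktop\Malware.exe" & del C:\ProgramData\*.dll & exit'},
    # Installer cleanup: delay + delete but no taskkill, so it must not fire.
    {"pid": 5120, "parent": "C:\\Users\\user\\AppData\\Local\\Temp\\setup.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c timeout /t 3 & del /q "C:\Users\user\AppData\Local\Temp\setup.tmp"'},
    {"pid": 6001, "parent": "C:\\Windows\\explorer.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c dir C:\ProgramData'},
]

# Matches an optionally quoted path to cmd.exe followed by /c or /k and the chained body.
CMD_PREFIX = re.compile(r'^\s*"?[^"]*?cmd\.exe"?\s+/[ck]\s+(.*)$', re.IGNORECASE)


def split_chain(cmdline):
    """Strip the cmd.exe /c prefix and split the remainder on the '&' operator."""
    m = CMD_PREFIX.match(cmdline)
    body = m.group(1) if m else cmdline
    return [seg.strip() for seg in re.split(r'\s*&+\s*', body) if seg.strip()]


def classify_segment(segment):
    """Label one chained command by the role it plays in a self-delete sequence."""
    low = segment.lower()
    if low.startswith("taskkill") and "/im" in low and "/f" in low:
        return "kill"
    if low.startswith("timeout"):
        return "delay"
    if low.startswith("del "):
        # Wildcard DLL removal under ProgramData matches the module clean-up seen here.
        if "programdata" in low and low.endswith("*.dll"):
            return "delete_programdata_dll"
        return "delete"
    if low == "exit":
        return "exit"
    return "other"


def detect_self_delete(event):
    """Return a finding when the command line contains kill, delay and delete stages."""
    stages = [classify_segment(s) for s in split_chain(event["cmdline"])]
    present = set(stages)
    if not {"kill", "delay", "delete"} <= present:
        return None
    # Assumed severity scheme: the extra DLL clean-up stage raises confidence.
    severity = "high" if "delete_programdata_dll" in present else "medium"
    return {"pid": event["pid"], "parent": event["parent"],
            "severity": severity, "stages": stages}


def scan_events(events):
    """Run the detector over a batch of process-creation events."""
    return [f for f in (detect_self_delete(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

Requiring all three stages keeps ordinary installer clean-up (`timeout` followed by `del`) out of the results, while the wildcard `del` against `ProgramData\*.dll` is what distinguishes this sample's clean-up from a generic self-deleting binary.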

Code Analysis and Debugging 

During our initial code analysis, Cyble Research Labs found that the malware was packed using a customized packing technique. The figure below shows the malware writing the unpacked binary into newly allocated memory.

Figure 6 Malware Unpacking

As shown in the figure below, after execution the malware obtains the C&C IP address 65[.]108[.]80[.]90 from mas.to!.

Figure 7 C&C IP Address

The image below shows that the malware sends the victim machine’s unique ID to the C&C and receives configuration data in return.

Figure 8 Configuration Data Received from C&C

The configuration data contains the values listed in the table below, which control what the stealer collects.

Configuration   Description
1               Flag instructing the malware to steal saved credentials, cookies, browser history, etc.
Default         Name of the profile used to collect data
50              Size in KB
Table 1 Configuration Data

The image below shows that the malware has hardcoded values that contain details of targeted applications and data extraction information.

Figure 9 Hardcoded Values

The hardcoded values contain the following details.

Configuration              Description
Targeted Browsers          Opera, Mozilla Firefox, Chrome, Brave, etc.
Data Steals                Credentials, History, Cookies
Wallets                    Enumerates various cryptocurrency wallets
Other Software’s Details   File-sharing and communication software
User Details               User geolocation, system language
Table 2 Final Configuration Data

The image below shows the traffic analysis of the stealer’s GET request that downloads additional modules to extract credentials.

Figure 10 Additional Payload Download from C&C

The additional modules that the malware downloads to extract credentials are listed in the table below.

List of Files Used for Data Extraction
freebl3.dll
mozglue.dll
msvcp140.dll
nss3.dll
softokn3.dll
vcruntime140.dll
Table 3 List of Files

The figure below shows that the Vidar stealer creates these files to store the data it steals during the infection.

Figure 11 File Creation
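The module list in Table 3 is the Mozilla NSS library set that Firefox itself uses to decrypt saved logins, plus the MSVC runtime. A stealer has to ship its own copies next to wherever it runs, so a single non-browser process writing several of these DLLs into a directory outside a browser install root is a useful hunting signal. The block below is an added example for this page, not code from the report or from Cyble: it groups constructed file-creation events by process and reports any that drop at least three of the NSS core libraries outside an assumed set of trusted install roots. The DLL names come from Table 3 (vcruntime140.dll taken as the intended spelling); the trusted roots, the threshold and the event field names are assumptions.

```python
from collections import defaultdict

# Module names from Table 3 above. vcruntime140.dll is assumed to be the intended
# spelling of the MSVC runtime that ships alongside msvcp140.dll.
STEALER_MODULES = {"freebl3.dll", "mozglue.dll", "msvcp140.dll",
                   "nss3.dll", "softokn3.dll", "vcruntime140.dll"}
# The NSS/NSPR libraries needed to decrypt Firefox logins; the runtime DLLs alone are common.
NSS_CORE = {"freebl3.dll", "mozglue.dll", "nss3.dll", "softokn3.dll"}
# Assumed install roots where these DLLs legitimately live (extend for your estate).
TRUSTED_ROOTS = (
    "c:\\program files\\mozilla firefox\\",
    "c:\\program files (x86)\\mozilla firefox\\",
    "c:\\program files\\mozilla thunderbird\\",
)

# Constructed file-creation events (not from the report): one process drops the full set
# into ProgramData, a browser installer writes the same DLLs to its own folder, and an
# unrelated installer ships only the MSVC runtime.
SAMPLE_FILE_EVENTS = (
    [{"pid": 3320, "image": "C:\\Users\\user\\Desktop\\Malware.exe",
      "path": "C:\\ProgramData\\" + name} for name in sorted(STEALER_MODULES)]
    + [{"pid": 1200, "image": "C:\\Users\\user\\Downloads\\Firefox Setup.exe",
        "path": "C:\\Program Files\\Mozilla Firefox\\" + name}
       for name in ("nss3.dll", "mozglue.dll", "softokn3.dll", "freebl3.dll")]
    + [{"pid": 2200, "image": "C:\\Temp\\app-installer.exe",
        "path": "C:\\Program Files\\SomeApp\\" + name}
       for name in ("msvcp140.dll", "vcruntime140.dll")]
)


def normalize(path):
    """Lower-case and use backslashes so prefix checks are consistent."""
    return path.replace("/", "\\").lower()


def in_trusted_root(path):
    return any(normalize(path).startswith(root) for root in TRUSTED_ROOTS)


def find_stealer_module_drops(events, min_core=3):
    """Report processes that write at least min_core NSS core DLLs outside trusted roots."""
    by_proc = defaultdict(dict)  # (pid, image) -> {dll name: directory it was written to}
    for ev in events:
        full = normalize(ev["path"])
        directory, _, name = full.rpartition("\\")
        if name in STEALER_MODULES and not in_trusted_root(full):
            by_proc[(ev["pid"], ev["image"])][name] = directory
    findings = []
    for (pid, image), dropped in by_proc.items():
        core = set(dropped) & NSS_CORE
        if len(core) >= min_core:
            findings.append({
                "pid": pid,
                "image": image,
                "modules": sorted(dropped),
                "directories": sorted(set(dropped.values())),
            })
    return findings


if __name__ == "__main__":
    for finding in find_stealer_module_drops(SAMPLE_FILE_EVENTS):
        print(finding)
```

Keying on the NSS core rather than the runtime DLLs avoids alerting on every application installer that bundles msvcp140.dll, and the directory list in each finding points straight at the location (ProgramData in this sample) that the self-delete command later wipes.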

Once the credential extraction is done, the stealer (in our case) creates a ZIP file named 5d202e6e-b33a-48-*.zip on the victim’s machine and stores the stolen credentials in it. It then sends this archive to the attacker’s C&C, as shown below.

Figure 12 Malware Sends the Victim’s Details to the TA’s C&C

The figure below shows the data that the malware sends to the C&C.

Figure 13 Content Received from the Malware

The image below shows the type of information collected by the malware, such as the machine ID, the malware’s path, hardware details, running processes, and the software currently installed on the machine.

Figure 14 Machine Details Collection

Conclusion  

Threat Actors have used similar malware to steal sensitive data from victim devices, and we are currently observing stealer malware becoming increasingly active across the world. The primary vectors for spreading this malware are pirated software and targeted phishing campaigns.

Cyble Research Labs previously observed and reported stealer activity aimed at organizational employees to steal their credentials. 

Cyble Research Labs will continue to monitor emerging threats and targeted cyber-attacks. 

Our Recommendations 

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the suggestions given below: 

  • Don’t keep important files at common locations such as the Desktop, My Documents etc.
  • Use strong passwords and enforce multi-factor authentication wherever possible. 
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.  
  • Use a reputable anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without verifying their authenticity. 
  • Conduct regular backup practices and keep those backups offline or in a separate network. 

MITRE ATT&CK® Techniques 

Tactic               Technique ID   Technique Name
Initial Access       T1566          Phishing
Execution            T1204          User Execution
Credential Access    T1555          Credentials from Password Stores
Credential Access    T1539          Steal Web Session Cookie
Credential Access    T1552          Unsecured Credentials
Collection           T1113          Screen Capture
Discovery            T1087          Account Discovery
Discovery            T1518          Software Discovery
Discovery            T1057          Process Discovery
Discovery            T1007          System Service Discovery
Discovery            T1614          System Location Discovery
Command and Control  T1095          Non-Application Layer Protocol
Exfiltration         T1041          Exfiltration Over C&C Channel

Indicators of Compromise (IoCs):  

Indicator                                                          Indicator type   Description
c40c62b978908e0f5112eee4ae7370fb9c4cc1ed7c90a171be89f6fd8c10b376   SHA-256          Vidar Stealer
@oleg98@mas.to                                                     Channel Name     Mas.to! Bot ID for getting the C&C URL
hxxp[:]//65.100.80[.]190                                           C&C              C&C URL

About Us  

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.  
