Threat Actors (TAs) are increasingly using stealer malware to steal credentials from victims’ devices. The Vidar malware family, which was first identified in 2018, is capable of stealing sensitive data from the victim’s PC. This includes banking information, saved passwords, IP addresses, browser history, login credentials, and crypto-wallets, which are then transferred to the TAs’ Command and Control (C&C) server.
Cyble Research Labs has gathered the latest variant of the Vidar Stealer sample to study its behavior and the techniques used for infection. We identified that the TAs use delivery mechanisms such as spam mail, cracked software, keygens, etc. to distribute this malware.
Technical Analysis
Cyble Research Labs performed the static analysis of the sample and found that the malware is x86 architecture Windows binary written in C/C++ and compiled on 2021-11-10 10:44:29.
After the data has been exfiltrated, the stealer deletes itself by removing the malware binary and its data files. The command below is executed to perform the self-delete activity.
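The self-delete command itself is not reproduced here, so the following is an added detection example rather than a reproduction of this sample's command line. It looks at process-creation records (Sysmon Event ID 1 or an EDR equivalent, assumed fields) for the generic pattern that self-deleting stealers use: a cmd.exe child that first waits (timeout/ping/choice) so that its parent can exit, then deletes the parent's own executable. The records are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass
class ProcessEvent:
    """Minimal process-creation record (assumed field names, Sysmon EID 1 style)."""
    parent_image: str    # full path of the process that spawned the shell
    image: str           # full path of the new process
    command_line: str


# A delay primitive that gives the parent time to exit before the delete runs.
DELAY_RE = re.compile(r"\b(timeout|ping|choice)\b", re.IGNORECASE)

# A del/erase command, optional switches (/f /q ...), then a possibly quoted target
# that ends at the next '&' or at the end of the command line.
DEL_RE = re.compile(
    r'\b(?:del|erase)\b\s+(?:/\w+\s+)*"?(?P<target>[^"&]+?)"?\s*(?:&|$)',
    re.IGNORECASE,
)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def looks_like_self_delete(ev: ProcessEvent) -> bool:
    """True when cmd.exe is told to wait and then delete its own parent's image."""
    if _basename(ev.image) != "cmd.exe":
        return False
    if not DELAY_RE.search(ev.command_line):
        return False
    parent_full = ev.parent_image.lower()
    parent_name = _basename(ev.parent_image)
    for m in DEL_RE.finditer(ev.command_line):
        target = m.group("target").strip().lower()
        # Match on the full path, or on the file name when the path was written differently.
        if target == parent_full or _basename(target) == parent_name:
            return True
    return False


def flag_self_delete(events: List[ProcessEvent]) -> List[str]:
    """Return the command lines of every event that matches the self-delete pattern."""
    return [ev.command_line for ev in events if looks_like_self_delete(ev)]


# Constructed sample events: one self-delete, one ordinary cleanup, one unrelated delete.
SAMPLE_EVENTS = [
    ProcessEvent(
        parent_image=r"C:\Users\victim\AppData\Local\Temp\update.exe",
        image=r"C:\Windows\System32\cmd.exe",
        command_line=r'cmd.exe /c timeout /t 5 & del /f /q "C:\Users\victim\AppData\Local\Temp\update.exe" & exit',
    ),
    ProcessEvent(
        parent_image=r"C:\Program Files\installer\setup.exe",
        image=r"C:\Windows\System32\cmd.exe",
        command_line=r'cmd.exe /c del /q "C:\Program Files\installer\tmp.log"',
    ),
    ProcessEvent(
        parent_image=r"C:\Windows\explorer.exe",
        image=r"C:\Windows\System32\cmd.exe",
        command_line=r"cmd.exe /c timeout /t 3 & del C:\Users\victim\notes.txt",
    ),
]

if __name__ == "__main__":
    for cl in flag_self_delete(SAMPLE_EVENTS):
        print("self-delete pattern:", cl)
```

The parent-to-target comparison is what keeps the rule precise: a delayed delete of some other file (the third event) is ordinary scripting, while a shell deleting the very binary that spawned it has almost no legitimate use outside installers and updaters, which can be allow-listed by parent path.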
Code Analysis and Debugging
The image below shows that the malware sends the victim machine’s unique ID to the C&C and receives configuration data from it in return.
Size in KB | 50 |
The image below shows that the malware has hardcoded values that contain details of targeted applications and data extraction information.
The hardcoded values contain the following details:
Data Steals | Credentials, History, Cookies |
Enumerating various Cryptocurrency Wallets | |
User Details | User Geolocation, System Language |
The image below shows the traffic analysis of the stealer’s GET request that downloads additional modules to extract credentials.
The other modules that the malware downloads to extract credentials are listed in the table below.
List of Files Used for Data Extraction |
freebl3.dll |
mozglue.dll |
msvcp140.dll |
nss3.dll |
softokn3.dll |
vcruntime140.dll |
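Because the stealer pulls these support libraries over plain HTTP GET requests, the download burst is a good network-side detection point. The script below is an added example (not Cyble's tooling) that scans constructed proxy log lines in an assumed `timestamp client method url status` layout and flags any client/host pair that fetched several of the six DLL names listed above (the last entry read as vcruntime140.dll, the Visual C++ runtime). Four of the six (freebl3, mozglue, nss3, softokn3) are Mozilla NSS libraries that a browser-credential decryption routine needs, which is why they are rarely fetched as bare files from an arbitrary host.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple
from urllib.parse import urlsplit

# Support DLLs the stealer downloads (from the list above; vcruntime140.dll assumed
# for the last entry). msvcp140/vcruntime140 alone are common redistributables.
STEALER_SUPPORT_DLLS = frozenset({
    "freebl3.dll", "mozglue.dll", "msvcp140.dll",
    "nss3.dll", "softokn3.dll", "vcruntime140.dll",
})

# Assumed proxy log layout: <timestamp> <client> <method> <url> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})\s*$"
)


def dll_name_from_url(url: str) -> str:
    """Lower-cased last path component of the URL (query string ignored)."""
    return urlsplit(url).path.rsplit("/", 1)[-1].lower()


def find_dll_pulls(lines: Iterable[str], min_hits: int = 3) -> Dict[Tuple[str, str], List[str]]:
    """Map (client, host) -> sorted DLL names for pairs that fetched >= min_hits of the set."""
    hits: Dict[Tuple[str, str], set] = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        # Only successful GETs count; failed probes are still worth logging elsewhere.
        if not m or m.group("method") != "GET" or m.group("status") != "200":
            continue
        name = dll_name_from_url(m.group("url"))
        if name in STEALER_SUPPORT_DLLS:
            host = urlsplit(m.group("url")).hostname or ""
            hits[(m.group("client"), host)].add(name)
    return {key: sorted(names) for key, names in hits.items() if len(names) >= min_hits}


# Constructed sample log: one infected client pulling the full set, one benign client
# that only fetched a single common runtime DLL from a CDN.
SAMPLE_PROXY_LOG = """
2021-11-12T09:14:02Z 10.0.0.25 GET http://203.0.113.10/freebl3.dll 200
2021-11-12T09:14:02Z 10.0.0.25 GET http://203.0.113.10/mozglue.dll 200
2021-11-12T09:14:03Z 10.0.0.25 GET http://203.0.113.10/msvcp140.dll 200
2021-11-12T09:14:03Z 10.0.0.25 GET http://203.0.113.10/nss3.dll 200
2021-11-12T09:14:04Z 10.0.0.25 GET http://203.0.113.10/softokn3.dll 200
2021-11-12T09:14:04Z 10.0.0.25 GET http://203.0.113.10/vcruntime140.dll 200
2021-11-12T09:15:10Z 10.0.0.31 GET http://cdn.example.net/assets/msvcp140.dll 200
2021-11-12T09:16:00Z 10.0.0.31 GET http://cdn.example.net/index.html 200
2021-11-12T09:17:45Z 10.0.0.44 GET http://203.0.113.10/nss3.dll 404
""".strip().splitlines()

if __name__ == "__main__":
    for (client, host), names in find_dll_pulls(SAMPLE_PROXY_LOG).items():
        print(f"{client} pulled {len(names)} stealer support DLLs from {host}: {', '.join(names)}")
```

Keying on the (client, host) pair rather than on individual requests keeps the benign CDN fetch of msvcp140.dll below the threshold while the six-file burst from a single IP is flagged; the 404 line shows that failed probes are deliberately ignored here, though a separate alert on them is cheap to add.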
The figure below shows that the Vidar stealer creates these files to store the data it steals during the infection.
In the figure below, we observed the data that the malware sends to the C&C.
The image below shows the type of information collected by the malware, such as the Machine ID, malware path, hardware details, and the processes and software currently running on the machine.
Conclusion
Cyble Research Labs previously observed and reported stealer activity aimed at organizational employees to steal their credentials.
Our Recommendations
- Don’t keep important files at common locations such as the Desktop, My Documents, etc.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
- Conduct regular backup practices and keep those backups offline or in a separate network.
MITRE ATT&CK® Techniques
T1539 | Steal Web Session Cookie |
T1552 | Unsecured Credentials |
T1057 | Process Discovery |
T1614 | System Location Discovery |
Indicators of Compromise (IoCs):