Vidar Malware

Introduced in December 2018, Vidar is a family of trojan horse malware that steals sensitive information and cryptocurrency from infected users. Presumed to have originated in Russia, it operates as an information stealer. Interestingly, the malware stops all execution when it detects that it is running on a system in an ex-USSR country or with a Russian keyboard layout.

Fact: Vidar malware is named after Víðarr, the God of Vengeance or “The Silent God” of Norse mythology, a play on how Vidar operates in stealth mode.

How does it infect?

Vidar malware is spread through ‘malvertising’ (malicious advertising), in which an unsuspecting user clicks on an infected advertisement on a website. Other delivery methods include spam messages, phishing pages, pirated software, etc. The malware has been observed as a precursor to ransomware deployment, enabling exfiltration of data from the system, including system information, screenshots, crypto wallets, auto-fill credentials, personal information from text files, browser cookies, browser history, as well as data stored in Two-Factor Authentication (2FA) software.

Identification & Functionality

Upon execution, Vidar sends an HTTP POST request to the C2 (command and control) server hxxp://malansio[.]com. It first connects to the page hxxp://malansio[.]com/169 and then retrieves a list of dynamic link libraries (DLLs) via HTTP GET requests:

  • freebl3.dll
  • vcruntime140.dll
  • nss3.dll
  • softokn3.dll
  • mozglue.dll
  • msvcp140.dll

The malware does not stop there. After the files have been downloaded, the malware has been observed to communicate with a configured command and control (C2) server. The malware does not contain any self-propagating code; thus, if the connection is not established, the executable deletes itself.

Fact: Vidar malware is a variant of the Arkei malware.

Upon successful connection, the malware generates a new folder and encrypts the user’s files in a .txt file containing:

  • Machine ID and GUID
  • Path of malware executable and its working directory – This is a newly created directory under C:\ProgramData\ +{Random String}
  • Operating system
  • Computer name
  • Current username
  • Display resolution, language, and keyboard language
  • Local time and time zone
  • Hardware information – Processor, CPU count, RAM, video card
  • Network information – This data is queried through ip-api[.]com/line/, where geolocation data about the victim system is gathered
  • List of running processes
  • An incomplete list of installed software (maybe searching for specific programs)

Additionally, the malware is known to generate three .txt files:

  • Outlook.txt – May contain available email credentials from the system
  • Password.txt – May contain available browser credentials from the system
  • A ZIP file containing the collected data; this file is exfiltrated to the C2 domain
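
The network pattern described above (a POST check-in, GET requests for the listed DLLs from the same remote host, and a lookup against ip-api[.]com/line/) can be hunted for in web proxy logs. The following Python is an added example, not code from the original article; the log format, the c2.example.invalid host, the sample lines and the min_dlls threshold are assumptions constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# DLL names the article lists as fetched via HTTP GET after the check-in.
VIDAR_DLLS = {"freebl3.dll", "vcruntime140.dll", "nss3.dll",
              "softokn3.dll", "mozglue.dll", "msvcp140.dll"}
GEO_HOST, GEO_PATH = "ip-api.com", "/line/"  # geolocation lookup named above
# Constructed sample log, assumed format: "<time> <client> <method> <url>".
SAMPLE_LOG = """\
10:00:01 10.0.0.5 POST http://c2.example.invalid/
10:00:02 10.0.0.5 GET http://c2.example.invalid/169
10:00:03 10.0.0.5 GET http://c2.example.invalid/freebl3.dll
10:00:03 10.0.0.5 GET http://c2.example.invalid/vcruntime140.dll
10:00:04 10.0.0.5 GET http://c2.example.invalid/nss3.dll
10:00:04 10.0.0.5 GET http://c2.example.invalid/softokn3.dll
10:00:05 10.0.0.5 GET http://c2.example.invalid/mozglue.dll
10:00:05 10.0.0.5 GET http://c2.example.invalid/msvcp140.dll
10:00:06 10.0.0.5 GET http://ip-api.com/line/
10:02:00 10.0.0.9 GET http://downloads.example.org/redist/msvcp140.dll
"""

def find_vidar_like_hosts(log_text, min_dlls=4):
    """Map each client matching the pattern to the evidence found for it."""
    dlls = defaultdict(set)          # (client, remote host) -> DLL names fetched
    posted, geo = set(), set()       # POST pairs seen; clients that hit ip-api
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                 # skip malformed or truncated lines
        _, client, method, url = parts
        u = urlsplit(url)
        host = (u.hostname or "").lower()
        name = u.path.rsplit("/", 1)[-1].lower()
        if method == "POST":
            posted.add((client, host))
        elif method == "GET" and name in VIDAR_DLLS:
            dlls[(client, host)].add(name)
        if host == GEO_HOST and u.path.startswith(GEO_PATH):
            geo.add(client)
    findings = {}
    for (client, host), names in dlls.items():
        # A single stray DLL download is common; require several plus a POST.
        if len(names) >= min_dlls and (client, host) in posted:
            findings[client] = {"remote": host, "dlls": sorted(names),
                                "geo_lookup": client in geo}
    return findings

if __name__ == "__main__":
    print(find_vidar_like_hosts(SAMPLE_LOG))
```

The geolocation lookup is recorded as supporting evidence only, since ip-api.com is also used by legitimate software.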

How to secure yourself?

Vidar is a silent threat that goes undetected and is sold as malware-as-a-service. Apart from personal information, cryptocurrency users of Litecoin, Bitcoin, Ethereum, Zcash, and DashCore are in danger as the malware is known to steal digital coins from offline wallets as well.

Fact: Vidar is sold on the dark web for as low as $700 for the Pro version and is completely customizable by attackers.

To secure yourself from Vidar, here are a few security tips to follow:

  • Ensure your antivirus is up to date.
  • Deploy endpoint threat monitoring for rapid response, e.g. stop outbound connections.
  • Train your staff on the risks of clicking on ads, both on websites and within unsolicited emails.
  • Implement pop-up blockers and internet content filtering (e.g., URL whitelists and blacklists) to prevent accidental or intentional visits to suspect sites.
