Malware Analysis: Vidar Version 4.5

Predominantly spread through “malvertising”, i.e., victims click on infected ads on websites. Legitimate websites may have been compromised or the websites may be known for running suspect content. 

While Kroll has identified available embedded functionality in the malware, our analysis and open-source intelligence-gathering indicates the malware receives dynamic instruction (i.e., a configuration file) from its command-and-control (“C2”) domain that tells it the specific data to capture and steal. 

Kroll is aware of the following data-scraping capabilities by the Vidar family:

• Browser data, including auto-fill, cookies, credit cards, download history, and browsing history
• Two-factor authentication (“2FA”) data
• Telegram messages
• Cryptomining wallets
• A screenshot of the victim system

Vidar’s targeting of 2FA data is especially problematic as many organizations may have a false sense of security that this measure is adequately protecting their networks.

The malware has been observed, upon execution, to send an HTTP POST request to the C2 hxxp://malansio[.]com². It first connects to the page hxxp://malansio[.]com/169 and then retrieves a list of dynamic link libraries (“DLL”) via HTTP GET requests:

• freebl3.dll
• vcruntime140.dll
• nss3.dll
• softokn3.dll
• mozglue.dll
• msvcp140.dll

After these downloads, the malware begins its collection and exfiltration functionality. It has been observed communicating with the page hxxp://malansio[.]com/. Based upon Kroll’s analysis to date, the malware does not have an embedded persistence mechanism – if it does not successfully establish connectivity with its C2 domain, the executable deletes itself.

Upon execution, the malware collects system information as well as other available sensitive data. In Kroll’s dynamic analysis, the malware generates a new randomly named folder under C:\ProgramData and aggregates the following data in a file named information.txt:

• Machine ID and GUID
• Path of malware executable and its working directory – This is a newly created directory under C:\ProgramData\ +{Random String}
• Operating system
• Computer name
• Current username
• Display resolution, language, and keyboard language
• Local time and time zone
• Hardware information – Processor, CPU count, RAM, video card
• Network information – This data is queried through ip-api [.] com/line/ where geolocation data is gathered about the victim system
• List of running processes
• An incomplete list of installed software (may be searching for specific programs)

Additionally, the malware generates three additional files in this location:

• Outlook.txt – May contain available email credentials from the system
• Password.txt – May contain available browser credentials from the system
• A ZIP file containing the collected data; this file is exfiltrated to the C2 domain

• Leverage a next-generation solution like Kroll CyberDetectER to both identify the presence of malware like Vidar as well as to prevent and contain malware before they present a risk to data within your environment
• Ensure antivirus solutions are current
• Deploy endpoint threat monitoring for rapid response, e.g. stop outbound connections
• Train staff on risks of clicking on ads, both on websites and within unsolicited emails
• Implement pop-up blockers and internet content filtering (e.g., URL white and blacklists) to prevent accidental or intentional visits to suspect sites