Tue, Sep 3, 2019
Malware Analysis: Vidar Version 4.5
The malware analysis team in Kroll’s Cyber Risk practice recently observed an updated version of the Vidar malware, version 4.5, present and active on a client’s network while investigating suspicious activity there. Vidar, which first became active in late 2018, is a family of malware that operates primarily as an information stealer and is often observed as a precursor to ransomware deployment. It captures and exfiltrates data from a system, including system information, browser data, and credentials [1].
Vidar is predominantly spread through “malvertising”: victims click on malicious ads served on websites. The hosting site may itself have been compromised, or it may be one known for running suspect content.
While Kroll has identified the functionality embedded in the malware, our analysis and open-source intelligence gathering indicate that the malware also receives dynamic instructions (i.e., a configuration file) from its command-and-control (“C2”) domain that tell it which specific data to capture and steal.
Kroll is aware of the following data-scraping capabilities by the Vidar family:
Vidar’s targeting of 2FA data is especially problematic as many organizations may have a false sense of security that this measure is adequately protecting their networks.
Startup & Persistence
The malware has been observed, upon execution, to send an HTTP POST request to the C2 hxxp://malansio[.]com [2]. It first connects to the page hxxp://malansio[.]com/169 and then retrieves a list of dynamic-link libraries (“DLLs”) via HTTP GET requests:
After these downloads, the malware begins its collection and exfiltration functionality. It has been observed communicating with the page hxxp://malansio[.]com/. Based upon Kroll’s analysis to date, the malware does not have an embedded persistence mechanism – if it does not successfully establish connectivity with its C2 domain, the executable deletes itself.
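The C2 sequence described above (a POST to the C2 host, a GET for a numeric page such as /169, then GETs for DLLs) is a usable proxy-log hunting pattern. The script below is an added example written for this page; it is not Kroll’s tooling and not code from the malware. It assumes a simplified proxy log format (timestamp, client IP, method, URL, status), refangs the defanged domain only so it can be matched, and treats the numeric path as per-build (so any all-digit path counts). The log lines are constructed, and the DLL names in them are placeholders, not the names Kroll observed.

```python
"""Hunt proxy/web logs for the Vidar 4.5 C2 request sequence (added example)."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Refanged form of the C2 domain reported in the analysis. Other Vidar builds
# use other domains, so callers should pass their own IOC list.
VIDAR_C2_HOST = "malansio.com"

# Assumption: the configuration page is an all-digit path (/169 in this case),
# and the follow-on downloads are DLLs.
CONFIG_PATH = re.compile(r"^/\d+$")
DLL_PATH = re.compile(r"\.dll$", re.IGNORECASE)

# Constructed proxy log lines, not captured data. Assumed field order:
# timestamp client_ip method url status
SAMPLE_LOG = """\
2019-09-03T10:00:01Z 10.0.0.5 POST http://malansio.com/ 200
2019-09-03T10:00:02Z 10.0.0.5 GET http://malansio.com/169 200
2019-09-03T10:00:03Z 10.0.0.5 GET http://malansio.com/placeholder1.dll 200
2019-09-03T10:00:04Z 10.0.0.5 GET http://malansio.com/placeholder2.dll 200
2019-09-03T10:00:09Z 10.0.0.5 POST http://malansio.com/ 200
2019-09-03T10:01:00Z 10.0.0.7 GET http://www.example.com/index.html 200
2019-09-03T10:02:00Z 10.0.0.9 GET http://malansio.com/169 200
"""


def parse_line(line):
    """Split one log line into its fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    u = urlparse(url)
    return {
        "ts": ts,
        "client": client,
        "method": method.upper(),
        "host": (u.hostname or "").lower(),
        "path": u.path or "/",
        "status": status,
    }


def detect_vidar_c2(log_text, c2_hosts=(VIDAR_C2_HOST,)):
    """Return {client_ip: finding} for clients that talked to a known C2 host.

    Confidence is 'high' when the full sequence (POST, numeric GET, DLL GETs)
    is present, 'medium' for POST plus numeric GET, and 'low' for any single
    contact with the C2 host. Ordering is deliberately not enforced because
    proxy logs are not always strictly time-ordered per client.
    """
    wanted = {h.lower() for h in c2_hosts}
    state = defaultdict(lambda: {"post": 0, "config_get": 0, "dll_get": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["host"] not in wanted:
            continue
        s = state[rec["client"]]
        if rec["method"] == "POST":
            s["post"] += 1
        elif rec["method"] == "GET":
            if CONFIG_PATH.match(rec["path"]):
                s["config_get"] += 1
            elif DLL_PATH.search(rec["path"]):
                s["dll_get"] += 1

    findings = {}
    for client, s in state.items():
        if s["post"] and s["config_get"]:
            confidence = "high" if s["dll_get"] else "medium"
        elif s["post"] or s["config_get"] or s["dll_get"]:
            confidence = "low"
        else:
            continue
        findings[client] = {"confidence": confidence, **s}
    return findings


if __name__ == "__main__":
    for client, finding in sorted(detect_vidar_c2(SAMPLE_LOG).items()):
        print(client, finding)
```

Even a single GET for the numeric page from a host that never POSTed is worth a look: because the sample deletes itself when it cannot reach its C2, a blocked or failed first contact can leave only a partial sequence in the logs.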
Upon execution, the malware collects system information as well as other available sensitive data. In Kroll’s dynamic analysis, the malware generates a new randomly named folder under C:\ProgramData and aggregates the following data in a file named information.txt:
The malware also generates three further files in this location:
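The staging behaviour described above (a randomly named folder created directly under C:\ProgramData holding information.txt plus other files) can be swept for on a suspect host. The script below is an added example for this page, not Kroll’s tooling; it builds a throwaway directory tree in place of a real ProgramData so it runs offline, and the folder and extra file names in that tree are constructed placeholders rather than the names observed in the investigation. In practice you would call find_staging_dirs with the real ProgramData path.

```python
"""Sweep a ProgramData-style tree for Vidar-like staging folders (added example)."""
import hashlib
import os
import tempfile

# File name reported in the analysis as the aggregated collection output.
STAGING_FILE = "information.txt"


def sha256_file(path):
    """Hash a file in chunks so large collections do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_staging_dirs(root):
    """Return first-level subdirectories of `root` that contain information.txt.

    Only the first level is inspected because the analysis describes the folder
    being created directly under C:\\ProgramData. Each hit records the hash of
    information.txt and the names of any sibling files for IOC collection.
    """
    hits = []
    for name in sorted(os.listdir(root)):
        d = os.path.join(root, name)
        if not os.path.isdir(d):
            continue
        target = os.path.join(d, STAGING_FILE)
        if not os.path.isfile(target):
            continue
        siblings = sorted(
            f for f in os.listdir(d)
            if f != STAGING_FILE and os.path.isfile(os.path.join(d, f))
        )
        hits.append({
            "dir": name,
            "path": d,
            "sha256": sha256_file(target),
            "other_files": siblings,
        })
    return hits


def build_sample_tree():
    """Construct a throwaway look-alike of ProgramData for demonstration only."""
    root = tempfile.mkdtemp(prefix="programdata_")
    # A benign vendor folder that should not be reported.
    os.makedirs(os.path.join(root, "SomeVendor"))
    with open(os.path.join(root, "SomeVendor", "config.ini"), "w") as f:
        f.write("[settings]\n")
    # Constructed random-looking folder standing in for the malware's staging dir.
    staging = os.path.join(root, "a1b2c3d4")
    os.makedirs(staging)
    with open(os.path.join(staging, STAGING_FILE), "w") as f:
        f.write("constructed sample content\n")
    # Three placeholder files standing in for the additional files the analysis mentions.
    for extra in ("placeholder1.bin", "placeholder2.bin", "placeholder3.bin"):
        with open(os.path.join(staging, extra), "wb") as f:
            f.write(b"\x00")
    return root


if __name__ == "__main__":
    for hit in find_staging_dirs(build_sample_tree()):
        print(hit)
```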
[1] More in-depth open-source intelligence on Vidar can be found at https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/
[2] URLs in this analysis have been defanged to prevent accidental hyperlinking.