Tue, Sep 3, 2019
Malware Analysis: Vidar Version 4.5
The malware analysis team in Kroll’s Cyber Risk practice observed an updated version of the Vidar malware, version 4.5, present and active on a client’s network while recently investigating suspicious activity there. Vidar, which first became active in late 2018, is a malware family that operates primarily as an information stealer and is often observed as a precursor to ransomware deployment. It enables the capture and exfiltration of data from a system, including system information, browser data, and credentials [1].
Attack Vector
Vidar is predominantly spread through “malvertising”, i.e., victims click on infected ads on websites. The sites hosting the ads may themselves have been compromised, or they may be known for running suspect content.

Targeted Data
While Kroll has identified embedded functionality available in the malware, our analysis and open-source intelligence gathering indicate that the malware receives dynamic instructions (i.e., a configuration file) from its command-and-control (“C2”) domain telling it which specific data to capture and steal. Kroll is aware of the following data-scraping capabilities in the Vidar family:
Vidar’s targeting of 2FA data is especially problematic, as many organizations may have a false sense of security that this measure adequately protects their networks.

Startup & Persistence
Upon execution, the malware has been observed to send an HTTP POST request to the C2 hxxp://malansio[.]com [2]. It first connects to the page hxxp://malansio[.]com/169 and then retrieves a list of dynamic link libraries (“DLLs”) via HTTP GET requests:
After these downloads, the malware begins its collection and exfiltration functionality. It has been observed communicating with the page hxxp://malansio[.]com/. Based upon Kroll’s analysis to date, the malware does not have an embedded persistence mechanism: if it does not successfully establish connectivity with its C2 domain, the executable deletes itself.
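As an added illustration of the network behaviour described above (this is example code, not Kroll’s), the following Python script refangs the published C2 indicator and runs a simple detection over a few constructed proxy-log lines: it flags any client that contacts the C2 host and raises confidence when an HTTP POST is followed by GET requests for .dll files. The log format, the client addresses and the DLL paths (/lib1.dll, /lib2.dll) are assumptions; only the host name comes from the report.

```python
import re
from collections import defaultdict

# Indicator exactly as the report publishes it (defanged). The C2 host name is
# the only page-derived value here; everything else below is constructed.
DEFANGED_C2 = "hxxp://malansio[.]com"


def refang(indicator):
    """Turn a defanged URL or domain back into a lower-case host name for matching."""
    s = indicator.strip()
    s = re.sub(r"^hxxps?://", "", s, flags=re.IGNORECASE)
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    return s.split("/", 1)[0].lower()


C2_HOST = refang(DEFANGED_C2)  # "malansio.com"

# Constructed sample proxy log (hypothetical format: timestamp client method host path status).
SAMPLE_LOG = """\
2019-08-20T10:01:02Z 10.0.0.5 GET www.example.org / 200
2019-08-20T10:01:05Z 10.0.0.7 POST malansio.com / 200
2019-08-20T10:01:06Z 10.0.0.7 GET malansio.com /169 200
2019-08-20T10:01:07Z 10.0.0.7 GET malansio.com /lib1.dll 200
2019-08-20T10:01:08Z 10.0.0.7 GET malansio.com /lib2.dll 200
2019-08-20T10:01:20Z 10.0.0.7 POST malansio.com / 200
2019-08-20T10:02:00Z 10.0.0.9 GET malansio.com / 404
this line is malformed and is skipped by the parser
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than raising."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["host"] = ev["host"].lower()
            events.append(ev)
    return events


def find_c2_activity(events, c2_host=C2_HOST):
    """Group C2 contacts by client and check for the POST -> DLL GET sequence the report describes."""
    by_client = defaultdict(list)
    for ev in events:
        if ev["host"] == c2_host:
            by_client[ev["client"]].append(ev)

    findings = []
    for client, evs in sorted(by_client.items()):
        evs.sort(key=lambda e: e["ts"])  # ISO-8601 timestamps sort lexicographically
        first_post = next((e["ts"] for e in evs if e["method"] == "POST"), None)
        dll_gets = [
            e["path"]
            for e in evs
            if e["method"] == "GET"
            and e["path"].lower().endswith(".dll")
            and first_post is not None
            and e["ts"] >= first_post
        ]
        findings.append({
            "client": client,
            "requests_to_c2": len(evs),
            "post_seen": first_post is not None,
            "dll_downloads": dll_gets,
            # Any contact with the C2 host deserves a ticket; the full sequence is high confidence.
            "confidence": "high" if dll_gets else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_c2_activity(parse_log(SAMPLE_LOG)):
        print(finding)
```

Because the malware deletes itself when it cannot reach its C2, the proxy or DNS record of that first contact may be the only durable evidence on a host that was blocked; keeping the C2 host in a blocklist and alerting on any match, not only on the full download sequence, covers that case.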
Functionality
Upon execution, the malware collects system information as well as other available sensitive data. In Kroll’s dynamic analysis, the malware generates a new randomly named folder under C:\ProgramData and aggregates the following data in a file named information.txt:
The malware also generates three additional files in this location:
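An added host-triage example (example code, not from the report): a Python script that lists the direct subdirectories of C:\ProgramData whose name looks random and/or that contain an information.txt, the two observations made above. The randomness heuristic, the confidence labels and the sample directory tree it builds in a temporary folder are assumptions; on a suspect host, call triage_programdata(r"C:\ProgramData") against the real path.

```python
import re
import tempfile
from pathlib import Path

# Heuristic (an assumption, not from the report): a "random" folder name is
# alphanumeric, at least 8 characters long, and mixes letters and digits.
RANDOM_NAME_RE = re.compile(r"^[A-Za-z0-9]{8,}$")
MARKER_FILE = "information.txt"  # file name from the report
DEFAULT_ROOT = r"C:\ProgramData"  # location named in the report


def looks_random(name):
    return (
        RANDOM_NAME_RE.match(name) is not None
        and any(c.isdigit() for c in name)
        and any(c.isalpha() for c in name)
    )


def triage_programdata(root=DEFAULT_ROOT):
    """Return findings for direct subdirectories of root that deserve a second look."""
    root = Path(root)
    hits = []
    for child in sorted(root.iterdir()):
        if not child.is_dir():
            continue
        has_marker = (child / MARKER_FILE).is_file()
        random_name = looks_random(child.name)
        if not (has_marker or random_name):
            continue
        if has_marker and random_name:
            confidence = "high"
        elif has_marker:
            confidence = "medium"
        else:
            confidence = "low"
        hits.append({
            "path": str(child),
            "name": child.name,
            "random_name": random_name,
            "has_marker": has_marker,
            "confidence": confidence,
        })
    return hits


def build_sample_tree():
    """Constructed sample directory (not a real infection) so the script runs offline."""
    base = Path(tempfile.mkdtemp(prefix="programdata_sample_"))
    (base / "Microsoft").mkdir()  # ordinary vendor folder, not flagged
    staged = base / "Xk7p2QmZ9v"  # random-looking name holding the marker file
    staged.mkdir()
    (staged / MARKER_FILE).write_text("constructed sample, no real data\n")
    (base / "Ab3dEf9hJk").mkdir()  # random-looking but empty: low-confidence hit
    return base


if __name__ == "__main__":
    for hit in triage_programdata(build_sample_tree()):
        print(hit["confidence"], hit["path"])
```

Low-confidence hits (random-looking name, no marker file) are expected from legitimate installers that also use generated folder names, so they are listed for review rather than treated as infections; a folder that carries information.txt is the observation to escalate.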
Preemptive Recommendations |
Sources
1. More in-depth open-source intelligence on Vidar can be found at https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/
2. URLs in this analysis have been defanged to prevent accidental hyperlinking.