Analysis of Info-Leaking Feature of Info-Stealer Malware Vidar

Vidar is info-stealer malware that exfiltrates personal information. Although it is not in the Top 5 of the weekly statistics shown below, it has appeared in the statistics consistently, and given that it was in the Top 5 for some time, its distribution rate may increase again in the future.

The number of files distributed over the last month is shown in the table below. All of the files were distributed under the filename “build.exe,” and all of them were contained in an installer file disguised as KMSAuto (a tool for Windows genuine product validation).

Date          No. of files   Date          No. of files   Date          No. of files   Date          No. of files
August 8      4              August 16     0              August 24     0              September 1   3
August 9      2              August 17     2              August 25     3              September 2   1
August 10     3              August 18     2              August 26     1              September 3   7
August 11     1              August 19     2              August 27     3              September 4   4
August 12     1              August 20     4              August 28     2              September 5   5
August 13     4              August 21     4              August 29     3              September 6   2
August 14     5              August 22     1              August 30     0              September 7   4
August 15     2              August 23     4              August 31     2              September 8   2

The distribution method is the same as in the cases covered in previous ASEC blog posts; this post describes Vidar's info-leaking features and their targets in detail.

Unlike typical info-stealer malware, Vidar does not only target user account information from web browsers and email clients; it also collects web browser cookies, AutoFill data and credit card numbers, as well as files that exist on the user's PC.

Vidar first downloads, from the C&C server into the C:\ProgramData\ path, legitimate DLLs that implement the functions it needs for info leaking. The DLLs are as follows:

  • Freebl3.dll, mozglue.dll, msvcp140.dll, nss3.dll, softokn3.dll, vcruntime140.dll

And the following are the DLL download URLs:

http://gratyna[.]com/freebl3.dll

http://gratyna[.]com/mozglue.dll

http://gratyna[.]com/msvcp140.dll

http://gratyna[.]com/nss3.dll

http://gratyna[.]com/softokn3.dll

http://gratyna[.]com/vcruntime140.dll

C&C communication of Vidar

When Vidar sends a request to the C&C server, it receives the following info-leaking settings in the response. The URL used for the request is shown below.

http://gratyana[.]com/237

Settings received via communication with C&C server

1111, 1, 1, 101, 1, 250,

Among the values in the C&C server's response, the leading values consisting of 1 and 0 decide whether each info-leaking feature is enabled or disabled. Not all of the 10 items are used; only the following 6 items are parsed, in the order shown below:

  • 2: Autofill, Cookie, CreditCard
  • 3: History, Downloads History
  • 4: Coin wallet address
  • 7: Telegram
  • 8: Screenshot
  • 9: File leak

Apart from these, the account information of applications and various information about the infected system are always collected, regardless of the settings.

After collecting the information, Vidar saves the results as text files under the following paths:

C:\ProgramData\[Random]\
  files\
    Autofill\
    CC\
    Cookies\
    Downloads\
    History\
    Soft\
    Telegram\
    Wallets\
    Files\
    passwords.txt
    information.txt
    outlook.txt
    screenshot.jpg
    cookie_list.txt

[User account info]

First, we will go through the passwords.txt and outlook.txt files, where the account information of application programs is stored. Outlook account information is saved in outlook.txt; the account information of all other application programs is saved in passwords.txt.

Firefox-based web browser

For Firefox-based web browsers, the files that contain account information are targeted: signons.sqlite in older versions and logins.json in newer versions. Since signons.sqlite is an SQLite database, the SQL query shown below is used to extract the account information.

> SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins

In the latest versions the information is stored as text in the logins.json file. The collected account information is then decrypted using functions from nss3.dll, and the decrypted account information is saved to the \files\passwords.txt file.

The targeted Firefox-based web browsers (excluding Firefox itself) are as follows:

– Pale Moon, Waterfox, Cyberfox, BlackHawk, icecat, K-Meleon

Chromium-based web browser

A routine is implemented that extracts account information both from old Chrome versions and from versions after 80, which require the master key stored in the Local State file.

Since the login database is also in SQLite format, it uses the following SQL query:

> SELECT action_url, username_value, password_value FROM logins

The targeted Chromium-based web browsers (excluding Chrome itself) are as follows:

– Chromium, Kometa, Amigo, Torch, Orbitum, Uran, QIP Surf, Cent Browser, Elements Browser, Torbro Browser, Suhba, Chedot, Edge, Opera

Internet Explorer/Edge

An account-information extraction routine that uses the Windows Vault targets IE and Edge.

Thunderbird email client

For the Thunderbird email client, the same routine as for Mozilla Firefox is used.

Outlook

Unlike the other programs, whose extracted account information is saved in \files\passwords.txt, Outlook account information is saved in the \files\outlook.txt file.

It reads the registry values under the seven registry keys from 00000003 to 00000009, and decodes the password, which is stored in encoded form, with the CryptUnprotectData() API before saving it.

– HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003

~

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000009

Misc.

FTP clients such as WinSCP and FileZilla, as well as the Pidgin instant messenger, are also targets of account-information leakage.

[Web browser misc info]

Cookie

For cookies, the extracted information is saved in the \files\Cookies\ folder as text files. For example, information from Internet Explorer is saved in IE_Cookies.txt, and information from Edge in Edge_Cookies.txt.

Cookie leakage is performed for IE, Edge, Firefox-based and Chromium-based web browsers, and some of them can be excluded from the targets according to the commands from the C&C server.

Internet Explorer

The *.txt files in the \AppData\Roaming\Microsoft\Windows\Cookies\Low\ folder are read, the necessary information is parsed, and the result is saved to the \files\Cookies\IE_Cookies.txt file.

Edge

It reads the *.cookie and *.txt files in \AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\ and saves them to \files\Cookies\Edge_Cookies.txt.

Firefox-based web browser

If Firefox is the target, the information is in the cookies.sqlite file, located in a path such as \AppData\Roaming\Mozilla\Firefox\Profiles\a7obrt24.default-release\. Since this file is in SQLite format, the malware extracts the information using the SQL query below.

> SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies

In this case, a file with a name such as \files\Cookies\cookies_Mozilla Firefox_a7obrt24.default-release.txt is created.

Chromium-based web browser

If Chrome is the target, the information is in the \AppData\Local\Google\Chrome\User Data\Default\Cookies file. Since this file is in SQLite format, the malware extracts the information using the SQL query below.

> SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies

For Chrome, the \files\Cookies\Google Chrome_Default.txt file is created.
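The cookie query above matters for incident response because a stolen cookie that has not yet expired is a live session the attacker can replay. The following added example (written for this article; it is not ASEC's code and not part of the malware) builds an in-memory stand-in for Chrome's Cookies database with constructed rows, runs the query quoted above verbatim against it, and reports which cookies were still valid at theft time and should therefore be invalidated server-side. It also accounts for a detail of the query: the real offset between the WebKit epoch (1601-01-01 UTC) and the Unix epoch is 11644473600 seconds, while the query subtracts 11644480800, so the expiry values it produces are 7200 seconds early. The table layout and the hosts, names and "now" timestamp are all constructed for the example.

```python
import sqlite3

# Seconds between the WebKit/Windows epoch (1601-01-01 UTC) and the Unix epoch.
WEBKIT_EPOCH_OFFSET = 11644473600
# Constant used in the query quoted in the post; it is 7200 s larger than the
# real offset, so expiry values produced by the query are two hours early.
VIDAR_QUERY_OFFSET = 11644480800

# The query exactly as quoted in the post (SQLite column names are case-insensitive).
VIDAR_COOKIE_QUERY = (
    "SELECT HOST_KEY, is_httponly, path, is_secure, "
    "(expires_utc/1000000)-11644480800, name, encrypted_value from cookies"
)


def unix_to_webkit(ts):
    """Unix seconds -> WebKit microseconds, the unit Chrome stores in expires_utc."""
    return (ts + WEBKIT_EPOCH_OFFSET) * 1_000_000


def build_sample_cookie_db():
    """Constructed in-memory stand-in for Chrome's Cookies database.

    Only the columns the query touches are modelled; the rows are made up.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cookies (host_key TEXT, name TEXT, value TEXT, "
        "encrypted_value BLOB, path TEXT, expires_utc INTEGER, "
        "is_secure INTEGER, is_httponly INTEGER)"
    )
    rows = [
        # long-lived login cookie, expires in the year 2100
        (".mail.example.test", "SID", "", b"v10constructed", "/", unix_to_webkit(4102444800), 1, 1),
        # cookie that already expired in 2001
        (".shop.example.test", "cart", "", b"v10constructed", "/", unix_to_webkit(1000000000), 0, 0),
        # session cookie: Chrome stores expires_utc = 0 for these
        ("intranet.example.test", "session", "", b"v10constructed", "/", 0, 1, 1),
    ]
    conn.executemany("INSERT INTO cookies VALUES (?,?,?,?,?,?,?,?)", rows)
    return conn


def run_stealer_query(conn):
    """Run the quoted query and return the rows in the shape the stealer sees."""
    return conn.execute(VIDAR_COOKIE_QUERY).fetchall()


def live_sessions(rows, now_unix):
    """Return (host, name) for cookies still valid at time `now_unix`.

    These are the sessions a responder should revoke on the server side.
    """
    live = []
    for host, _httponly, _path, _secure, expiry, name, _enc in rows:
        # expires_utc = 0 (session cookie) comes out of the query as a large
        # negative number; session cookies are live while the browser is open.
        if expiry < 0:
            live.append((host, name))
            continue
        # Undo the query's 7200 s skew before comparing against the clock.
        corrected = expiry + (VIDAR_QUERY_OFFSET - WEBKIT_EPOCH_OFFSET)
        if corrected > now_unix:
            live.append((host, name))
    return live


if __name__ == "__main__":
    db = build_sample_cookie_db()
    stolen = run_stealer_query(db)
    # Constructed "theft time": a fixed point in September 2020.
    for host, name in live_sessions(stolen, 1599264000):
        print(f"revoke session cookie {name} for {host}")
```

The same check applies to the Firefox cookies.sqlite query earlier in this section, whose expiry column is already in Unix seconds and needs no epoch conversion.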

[History, Download]

For browsing history, the extracted information is saved in the \files\History\ folder, and for download history in the \files\Downloads\ folder, as text files.

History leakage is performed for Firefox-based and Chromium-based web browsers, and download history leakage for Chromium-based web browsers. Some of them can also be excluded from the targets according to the commands from the C&C server.

Firefox-based web browser

If Firefox is the target, the information is in the \AppData\Roaming\Mozilla\Firefox\Profiles\a7obrt24.default-release\places.sqlite file. Since this file is in SQLite format, the malware extracts the history information using the SQL query below.

> SELECT url FROM moz_places

Chromium-based web browser

If Chrome is the target, the information is in the \AppData\Local\Google\Chrome\User Data\Default\History file. Since this file is in SQLite format, the malware extracts the information using the following SQL queries.

– History  >  SELECT url, title from urls

– Downloads history  >  SELECT target_path, tab_url from downloads

[AutoFill, CreditCard]

For AutoFill, the extracted information is saved in the \files\Autofill\ folder, and for credit cards in the \files\CC\ folder, as text files.

Leakage of these items targets Chromium-based web browsers, and some of them can be excluded from the targets according to the commands from the C&C server.

If Chrome is the target, the information is in the \AppData\Local\Google\Chrome\User Data\Default\Web Data file. Since this file is in SQLite format, the malware extracts the information using the following SQL queries.

– Autofill  >  SELECT name, value, value_lower FROM autofill

– CreditCard  >  SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards

[Info leaking against other programs]

Telegram

For Telegram, the target files are copied to the \files\Telegram\ folder. The targets are the files whose names start with map in the \AppData\Roaming\Telegram Desktop\tdata\D877F783D5D3EF8C\ path, and the D877F783D5D3EF8C0 and D877F783D5D3EF8C1 files in the \AppData\Roaming\Telegram Desktop\tdata\ path. These files are what allows the session of the PC version of Telegram to be stolen.

Coin wallet files

For coin wallet files, the target files are copied to the \files\Wallets\ folder. Taking Electrum as an example, the wallet file \AppData\Roaming\Electrum\wallets\default_wallet is copied.

The targeted coin wallets are as follows:

– Ethereum, Electrum, ElectrumLTC, Exodus, ElectronCash, MultiDoge, JAXX, Atomic

Authy Desktop

For the Authy Desktop authentication program, the \AppData\Roaming\Authy Desktop\Local Storage\*.localstorage files are copied to the \files\Soft\Authy folder.

[File leak]

Besides leaking the settings of application programs that contain account information, Vidar also has a feature for leaking files themselves directly to the C&C server.

In the settings string received from the C&C server, the following sections come after the options that enable or disable the info-leaking features. Each section consists of: the folder name under which the files will be saved in \files\Files\, the file path to search, the filenames of the leakage targets, a file size condition, and a separator.

Desktop;

  %DESKTOP%\;

  *.txt:*.dat:*wallet*.*:*2fa*.*:*backup*.*:*code*.*:*password*.*:*auth*.*:*google*.*:*utc*.*:*UTC*.*:*crypt*.*:*key*.*:*.kdbx;

  50;

  true;movies:music:mp3;

Documents;

  %DOCUMENTS%\;

  *.txt:*.dat:*wallet*.*:*2fa*.*:*backup*.*:*code*.*:*password*.*:*auth*.*:*google*.*:*utc*.*:*UTC*.*:*crypt*.*:*key*.*:*.kdbx;

  50;

  true;movies:music:mp3;

Authy;

  %APPDATA%\Authy Desktop\;

  *.*;

  4000;

  true;movies:music:mp3;

Desktop will be used as an example. Vidar first creates the \files\Files\Desktop\ folder, then copies the files whose names match the listed patterns, such as “*.txt” (text files) and “*wallet*.*” (wallet files). The search path is the desktop (%DESKTOP%), and the condition is files with a size of 50KB or less. It then compresses this Desktop folder into a zip file. Lastly, the separator (true;movies:music:mp3) separates the Desktop entry from the Documents entry (the next file leakage target).

– Leakage file save path: Desktop;

– Leakage target file path: %DESKTOP%\;

– Leakage target filename: *.txt:*.dat:*wallet*.*:*2fa*.*:*backup*.*:*code*.*:*password*.*:*auth*.*:*google*.*:*utc*.*:*UTC*.*:*crypt*.*:*key*.*:*.kdbx;

– Leakage file max size (KB): 50;

– Separator: true;movies:music:mp3;

According to this C&C server command, files below 50KB from the desktop and documents directories, as well as files under the %APPDATA%\Authy Desktop\ path, are leaked to the C&C server.
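To make the settings format concrete for analysts who need to triage a captured C&C response, here is an added example (written for this article, not ASEC's code and not taken from the malware) that parses both parts described above: the leading 1/0 switches from the "C&C communication" section, mapped to the six feature positions listed there, and the file-leak sections with their name, path, filename masks, size limit and separator fields. It then evaluates one rule against a constructed list of filenames and sizes to show which files the rule would collect. Assumptions, since the post does not fully spell them out: the six positions are taken as 1-based indexes into the comma-separated flag list; each file-leak section is assumed to split into exactly six semicolon-separated tokens (the trailing "true;movies:music:mp3" field is kept as the opaque separator the post describes); the flag string and the rule text are given as two separate strings because their exact joining is not shown on the page; and the filenames and sizes are constructed.

```python
import fnmatch
from dataclasses import dataclass

# Feature switches keyed by position in the comma-separated flag list, as listed
# in the post. Treating the positions as 1-based is this example's assumption.
FLAG_POSITIONS = {
    2: "Autofill, Cookie, CreditCard",
    3: "History, Downloads History",
    4: "Coin wallet address",
    7: "Telegram",
    8: "Screenshot",
    9: "File leak",
}

# Constructed flag list: ten items, with the 8th (screenshot) disabled as in the post.
SAMPLE_FLAGS = "1,1,1,1,1,1,1,0,1,250"

# Constructed rule text mirroring the three sections shown in the post.
SAMPLE_RULES = (
    r"Desktop;%DESKTOP%\;*.txt:*.dat:*wallet*.*:*2fa*.*:*backup*.*:*code*.*:*password*.*:"
    r"*auth*.*:*google*.*:*utc*.*:*UTC*.*:*crypt*.*:*key*.*:*.kdbx;50;true;movies:music:mp3;"
    r"Documents;%DOCUMENTS%\;*.txt:*.dat:*wallet*.*:*2fa*.*:*backup*.*:*code*.*:*password*.*:"
    r"*auth*.*:*google*.*:*utc*.*:*UTC*.*:*crypt*.*:*key*.*:*.kdbx;50;true;movies:music:mp3;"
    r"Authy;%APPDATA%\Authy Desktop\;*.*;4000;true;movies:music:mp3;"
)

# Constructed (filename, size in KB) pairs standing in for a desktop listing.
SAMPLE_DESKTOP_FILES = [
    ("notes.txt", 12),
    ("my_wallet.dat", 30),
    ("passwords.kdbx", 60),   # matches *.kdbx but exceeds the 50KB limit
    ("holiday.jpg", 2048),    # matches no mask
    ("backup_codes.txt", 3),
]


def parse_flags(flag_text):
    """Map the six documented switch positions to True (1) / False (anything else)."""
    items = [t.strip() for t in flag_text.split(",") if t.strip()]
    enabled = {}
    for pos, feature in FLAG_POSITIONS.items():
        if pos <= len(items):
            enabled[feature] = items[pos - 1] == "1"
    return enabled


@dataclass
class GrabberRule:
    name: str         # folder created under \files\Files\
    path: str         # location to search, with a %DESKTOP%-style placeholder
    patterns: list    # filename masks, colon-separated in the raw text
    max_kb: int       # only files at or below this size are taken
    separator: str    # trailing field, described by the post as a separator


FIELDS_PER_RULE = 6  # name; path; masks; size; "true"; "movies:music:mp3" (assumed layout)


def parse_grabber_rules(rule_text):
    """Split the file-leak sections into GrabberRule records."""
    tokens = [t.strip() for t in rule_text.split(";") if t.strip()]
    rules = []
    for i in range(0, len(tokens) - FIELDS_PER_RULE + 1, FIELDS_PER_RULE):
        name, path, masks, size_kb, sep_a, sep_b = tokens[i:i + FIELDS_PER_RULE]
        rules.append(GrabberRule(name, path, masks.split(":"), int(size_kb), f"{sep_a};{sep_b}"))
    return rules


def select_files(rule, files):
    """Return the filenames from (filename, size_kb) pairs that the rule would collect.

    Masks are matched case-sensitively: the rule lists both *utc*.* and *UTC*.*,
    which only makes sense if matching distinguishes case.
    """
    chosen = []
    for filename, size_kb in files:
        if size_kb > rule.max_kb:
            continue
        if any(fnmatch.fnmatchcase(filename, mask) for mask in rule.patterns):
            chosen.append(filename)
    return chosen


if __name__ == "__main__":
    for feature, on in parse_flags(SAMPLE_FLAGS).items():
        print(f"{feature}: {'enabled' if on else 'disabled'}")
    for rule in parse_grabber_rules(SAMPLE_RULES):
        print(f"{rule.name}: search {rule.path}, max {rule.max_kb}KB, {len(rule.patterns)} masks")
    print("Desktop rule would collect:", select_files(parse_grabber_rules(SAMPLE_RULES)[0], SAMPLE_DESKTOP_FILES))
```

Running the Desktop rule over the constructed listing picks notes.txt, my_wallet.dat and backup_codes.txt, while passwords.kdbx is skipped only because it is over the size limit. That is the practical reading of these rules for a defender: anything small on the desktop or in Documents whose name hints at credentials, keys, backups or wallets is what this configuration is after.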

[Screenshot]

Among the settings received from the C&C server, the 8th item (the screenshot feature) is set to 0 (disabled). If this feature is enabled, the malware takes a screenshot of the current screen and saves it as the \files\screenshot.jpg file.

[System info]

Lastly, it saves various system information to the \files\information.txt file. For the [Network] item, the information is based on the response obtained from http://ip-api.com/line/. The following items are saved in information.txt:

– Basic: Version, Date, MachineID, GUID, HWID, Path, Work Dir, Windows, Computer Name, User Name, Display Resolution, Display Language, Keyboard Languages, Local Time, TimeZone

– Hardware: Processor, CPU Count, RAM, VideoCard

– Network: IP, Country, City, ZIP, Coordinates, ISP

– Processes: List of processes that are being run

– Software: List of installed software

The extracted information is compressed into a zip file and sent to the C&C server. The URL is as follows:

– http://gratyana[.]com/

Sending archive file containing leaked info to the C&C server

Once the archive is sent, a URL for downloading additional malware can be received from the C&C server in the response. In the current environment the download does not proceed, because the string “OK” is returned instead of a URL (see the response above); but if the response is a malware download URL, Vidar downloads the file to the path C:\ProgramData\[Random].exe and runs it. This means that Vidar has a downloader feature in addition to its info-stealer feature.

After fulfilling its purpose as an info-stealer and a downloader, Vidar deletes itself.

> “C:\Windows\System32\cmd.exe” /c taskkill /im 1.exe /f & erase [Vidar file path] & exit
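Several of the behaviours described in this post are observable on an endpoint independently of the sample's hash: the six support DLLs dropped directly into the C:\ProgramData\ root, the lookup to http://ip-api.com/line/ for the [Network] items, and the cmd.exe self-deletion command line shown above. The following added example (written for this article; not ASEC's code and not a V3 signature) runs simple detection logic over a constructed list of endpoint events to show how those three behaviours can be flagged. The event dictionaries, the process name build.exe (the post shows 1.exe in the quoted command), the victim paths and the requirement that two or more of the DLLs be written by one process are all this example's own choices.

```python
import re
from collections import defaultdict

# The six support DLLs the post reports being fetched into C:\ProgramData\.
# msvcp140/vcruntime140 are common on their own, so an alert requires at least
# two of the set written into the ProgramData root by the same process.
STAGED_DLLS = {"freebl3.dll", "mozglue.dll", "msvcp140.dll",
               "nss3.dll", "softokn3.dll", "vcruntime140.dll"}

# cmd.exe /c taskkill /im <image> /f & erase <path> & exit
SELF_DELETE_RE = re.compile(r"taskkill\s+/im\s+\S+\s+/f\s*&\s*erase\s+.+?&\s*exit", re.IGNORECASE)

# Public-IP geolocation endpoint used for the [Network] items in information.txt.
# Weak on its own; treat it as a supporting signal.
GEO_LOOKUP_RE = re.compile(r"^https?://ip-api\.com/line/", re.IGNORECASE)

# Constructed endpoint events (file creation, HTTP request, process creation).
SAMPLE_EVENTS = [
    {"type": "file_create", "process": "build.exe", "path": r"C:\ProgramData\nss3.dll"},
    {"type": "file_create", "process": "build.exe", "path": r"C:\ProgramData\mozglue.dll"},
    {"type": "file_create", "process": "build.exe", "path": r"C:\ProgramData\freebl3.dll"},
    # legitimate installer placing a runtime DLL in its own product folder: not the root
    {"type": "file_create", "process": "setup.exe", "path": r"C:\ProgramData\SomeVendor\msvcp140.dll"},
    {"type": "http", "process": "build.exe", "url": "http://ip-api.com/line/"},
    {"type": "http", "process": "chrome.exe", "url": "https://www.example.test/"},
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c taskkill /im build.exe /f & erase C:\Users\victim\AppData\Local\Temp\build.exe & exit'},
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
]


def is_programdata_root(path):
    """True when the file sits directly in <drive>:\\ProgramData\\ with no subfolder."""
    parts = path.replace("/", "\\").lower().split("\\")
    return len(parts) == 3 and parts[1] == "programdata"


def triage(events):
    """Return a list of alert tuples for the three Vidar behaviours described above."""
    alerts = []
    dll_drops = defaultdict(set)
    for ev in events:
        if ev["type"] == "file_create":
            name = ev["path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if name in STAGED_DLLS and is_programdata_root(ev["path"]):
                dll_drops[ev["process"]].add(name)
        elif ev["type"] == "http" and GEO_LOOKUP_RE.match(ev["url"]):
            alerts.append(("geo_lookup", ev["process"]))
        elif ev["type"] == "process_create" and SELF_DELETE_RE.search(ev["cmdline"]):
            alerts.append(("self_delete", ev["cmdline"]))
    for proc, names in dll_drops.items():
        if len(names) >= 2:
            alerts.append(("dll_staging", proc, sorted(names)))
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The self-deletion pattern is the strongest of the three because the erase target names the original file path, which is exactly what a responder needs to recover the sample from backups or shadow copies after it has removed itself.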

Users should refrain from opening attachments in suspicious emails, use genuine software at all times, and avoid suspicious websites and P2P. Regularly updating V3 to the latest version is also important to prevent malware infection.

AhnLab’s anti-malware software V3 detects the malware using the following aliases:

[File Detection]
– Trojan/Win32.MalPe.R350320 (2020.09.05.05)

[Behavior Detection]
– Malware/MDP.SystemManipulation.M2040

[Relevant IOC Info]

C2
– http://gratyana[.]com

HASH
– 107aec31f2f3b9d4cbd1545f69504136
