Vidar is an info-stealer that exfiltrates personal information. Although it is not in the Top 5 of the weekly statistics shown below, it appears in those statistics consistently, and given that it was in the Top 5 for some time, its distribution may well increase again.
The number of files distributed over the last month is shown in the table below. All of them were distributed under the filename “build.exe,” embedded in an installer disguised as KMSAuto (a tool that purports to validate Windows as genuine).
| Date | No. of distributed files | Date | No. of distributed files | Date | No. of distributed files | Date | No. of distributed files |
|---|---|---|---|---|---|---|---|
| August 8 | 4 | August 16 | 0 | August 24 | 0 | September 1 | 3 |
| August 9 | 2 | August 17 | 2 | August 25 | 3 | September 2 | 1 |
| August 10 | 3 | August 18 | 2 | August 26 | 1 | September 3 | 7 |
| August 11 | 1 | August 19 | 2 | August 27 | 3 | September 4 | 4 |
| August 12 | 1 | August 20 | 4 | August 28 | 2 | September 5 | 5 |
| August 13 | 4 | August 21 | 4 | August 29 | 3 | September 6 | 2 |
| August 14 | 5 | August 22 | 1 | August 30 | 0 | September 7 | 4 |
| August 15 | 2 | August 23 | 4 | August 31 | 2 | September 8 | 2 |
The distribution method is the same as in the cases covered in previous ASEC blog posts, so this post focuses on Vidar's information-stealing features and their targets.
Unlike many typical info-stealers, Vidar does not only target user account information from web browsers and email clients; it also collects browser cookies, AutoFill data and credit card numbers, and steals files that exist on the user's PC.
Vidar first downloads legitimate DLLs that implement the functions it needs for credential extraction from the C&C server into C:\ProgramData\. The DLLs are as follows:
- Freebl3.dll, mozglue.dll, msvcp140.dll, nss3.dll, softokn3.dll, vcruntime140.dll
And the following are the DLL download URLs:
On contacting the C&C server, Vidar receives the following info-stealing settings in the response. The URL used for the request is shown below.
> 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 250,
The leading values in the C&C response, each 1 or 0, decide whether a given info-stealing feature is enabled or disabled. Not all 10 items are used; only the following 6 are parsed, in the order shown:
- 2: Autofill, Cookie, CreditCard
- 3: History, Downloads History
- 4: Coin wallet address
- 7: Telegram
- 8: Screenshot
- 9: File leak
Apart from these, application account information and various details of the infected system are always collected, regardless of the settings.
After collection, the results are saved as text files in the following file paths:
[User account info]
First, we will look at the passwords.txt and outlook.txt files, where the account information of application programs is stored. Outlook account information is saved in outlook.txt; the account information of every other application is saved in passwords.txt.
Firefox-based web browser
For Firefox-based web browsers, the files that contain account information are targeted: signons.sqlite in older versions and logins.json in newer versions. Since signons.sqlite is in SQLite format, the SQL query shown below is used to extract the account information.
> SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
In newer versions the data is stored as text in logins.json. The collected account information is then decrypted using functions exported by nss3.dll, and the decrypted credentials are saved to the \files\passwords.txt file.
The targeted Firefox-based web browsers (excluding Firefox itself) are as follows:
– Pale Moon, Waterfox, Cyberfox, BlackHawk, icecat, K-Meleon
Chromium-based web browser
A routine is implemented that extracts account information both from older Chrome versions and from version 80 and later, which require the master key stored in the Local State file.
Since the login database is also in SQLite format, it uses the following SQL query:
> SELECT action_url, username_value, password_value FROM logins
The targeted Chromium-based web browsers (excluding Chrome itself) are as follows:
– Chromium, Kometa, Amigo, Torch, Orbitum, Uran, QIP Surf, Cent Browser, Elements Browser, Torbro Browser, Suhba, Chedot, Edge, Opera
A separate account information extraction routine uses the Windows Vault to target IE and Edge.
Thunderbird email client
For Thunderbird email client, the same routine used in Mozilla Firefox is used.
Unlike other programs, whose extracted account information is saved in \files\passwords.txt, Outlook account information is saved in the \files\outlook.txt file.
It reads the values stored under the seven registry keys 00000003 through 00000009, and since the stored password is encrypted, it decrypts it with the CryptUnprotectData() API before saving it.
– HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
– HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000009
FTP clients such as WinSCP and FileZilla, as well as the Pidgin instant messenger, are also targeted for account information theft.
[Web browser misc info]
For cookies, the extracted information is saved as text files in the \files\Cookies\ folder. For example, Internet Explorer cookies are saved in IE_Cookies.txt and Edge cookies in Edge_Cookies.txt.
Cookie theft is performed against IE, Edge, Firefox-based and Chromium-based web browsers. Some of these can be excluded from the targets by command from the C&C server.
For IE, the *.txt files in the \AppData\Roaming\Microsoft\Windows\Cookies\Low\ folder are read, the necessary information is parsed, and the result is saved in the \files\Cookies\IE_Cookies.txt file.
For Edge, it reads the *.cookie and *.txt files in \AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\ and saves them to \files\Cookies\Edge_Cookies.txt.
Firefox-based web browser
If Firefox is the target, the information is held in the cookies.sqlite file under a profile path such as \AppData\Roaming\Mozilla\Firefox\Profiles\a7obrt24.default-release\. Since this file is in SQLite format, the malware extracts the information using the SQL query below.
> SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Note that in this case a file named after the profile, such as \files\Cookies\cookies_Mozilla Firefox_a7obrt24.default-release.txt, is created.
Chromium-based web browser
If Chrome is the target, the information is held in the \AppData\Local\Google\Chrome\User Data\Default\Cookies file. Since this file is in SQLite format, the malware extracts the information using the SQL query below.
> SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
For Chrome, \files\Cookies\Google Chrome_Default.txt file is created.
For browsing history, the extracted information is saved as text files in the \files\History\ folder, and for download history in the \files\Downloads\ folder.
Browsing history is collected from Firefox-based and Chromium-based web browsers, while download history is collected from Chromium-based web browsers only. Some of these can be excluded from the targets by command from the C&C server.
Firefox-based web browser
If Firefox is the target, the information is held in the \AppData\Roaming\Mozilla\Firefox\Profiles\a7obrt24.default-release\places.sqlite file. Since this file is in SQLite format, the malware extracts the history using the SQL query below.
> SELECT url FROM moz_places
Chromium-based web browser
If Chrome is the target, the information is held in the \AppData\Local\Google\Chrome\User Data\Default\History file. Since this file is in SQLite format, the malware extracts the information using the following SQL queries.
– History > SELECT url, title from urls
– Downloads history > SELECT target_path, tab_url from downloads
For AutoFill, the extracted information is saved as text files in the \files\Autofill\ folder, and for credit cards in the \files\CC\ folder.
Collection of these items targets Chromium-based web browsers. Some of these can be excluded from the targets by command from the C&C server.
If Chrome is the target, the information is held in the \AppData\Local\Google\Chrome\User Data\Default\Web Data file. Since this file is in SQLite format, the malware extracts the information using the following SQL queries.
– Autofill > SELECT name, value, value_lower FROM autofill
– CreditCard > SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
[Info leaking against other programs]
For Telegram, it copies the target files to the \files\Telegram\ folder. The targets are the files whose names start with "map" in \AppData\Roaming\Telegram Desktop\tdata\D877F783D5D3EF8C\, plus the D877F783D5D3EF8C0 and D877F783D5D3EF8C1 files in \AppData\Roaming\Telegram Desktop\tdata\. These files are what allow the session of the PC version of Telegram to be stolen.
Coin wallet files
For coin wallet files, the target files are copied to the \files\Wallets\ folder. Taking Electrum as an example, the wallet file is \AppData\Roaming\Electrum\wallets\default_wallet, and this file is copied.
The targeted coin wallets are as follows:
– Ethereum, Electrum, ElectrumLTC, Exodus, ElectronCash, MultiDoge, JAXX, Atomic
For the Authy Desktop authentication program, the \AppData\Roaming\Authy Desktop\Local Storage\*.localstorage files are copied to the \files\Soft\Authy\ folder.
Besides stealing the settings of application programs that hold account information, Vidar can also send arbitrary files themselves directly to the C&C server.
In the settings string received from the C&C server, the following fields come after the enable/disable options: the name of the folder to be created under \files\Files\, the target file path, the filename patterns of the files to take, the file size limit, and a separator.
Taking Desktop as an example: Vidar first creates the \files\Files\Desktop\ folder and copies into it the files from the target path %DESKTOP% whose names match the patterns listed below, such as "*.txt" (text files) and "*wallet*.*" (wallet files), provided the file is 50 KB or smaller. It then compresses the Desktop folder into a zip file. Finally, the separator (true;movies:music:mp3) delimits the Desktop rule from the Documents rule (the next file theft target).
– Leakage file save path: Desktop;
– Leakage target file path: %DESKTOP%\;
– Leakage target filename: *.txt:*.dat:*wallet*.*:*2fa*.*:*backup*.*:*code*.*:*password*.*:*auth*.*:*google*.*:*utc*.*:*UTC*.*:*crypt*.*:*key*.*:*.kdbx;
– Leakage file max size (KB): 50;
– Separator: true;movies:music:mp3;
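The following Python is an added example, not code from the original post or from Vidar itself; it parses the two parts of the C&C settings described above (the ten leading 1/0 flags and the ';'-delimited file-grab rules) so an analyst can read a captured configuration without running the sample. The sample strings are constructed from the fragments quoted in the post, the second (Documents) rule is a hypothetical filler, and the trailing value 250 is not explained in the post and is ignored here.

```python
import fnmatch
from dataclasses import dataclass
from typing import Dict, List

# 1-based positions of the leading 1/0 flags that the post says Vidar actually honours
FEATURE_FLAGS = {2: "Autofill, Cookie, CreditCard", 3: "History, Downloads History",
                 4: "Coin wallet address", 7: "Telegram", 8: "Screenshot", 9: "File leak"}
# Token the post describes as the separator between file-grab rules (Desktop, Documents, ...)
RULE_SEPARATOR = "true;movies:music:mp3;"

# Constructed samples assembled from the post's fragments; the Documents rule is hypothetical.
SAMPLE_HEADER = "1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 250,"
SAMPLE_RULES = ("Desktop;%DESKTOP%\\;*.txt:*.dat:*wallet*.*:*2fa*.*:*backup*.*:*code*.*:"
                "*password*.*:*auth*.*:*google*.*:*utc*.*:*UTC*.*:*crypt*.*:*key*.*:*.kdbx;50;"
                + RULE_SEPARATOR +
                "Documents;%DOCUMENTS%\\;*.txt:*.kdbx;50;" + RULE_SEPARATOR)

@dataclass
class GrabRule:
    save_folder: str       # sub-folder created under \files\Files\
    target_path: str       # directory the stealer walks, e.g. %DESKTOP%\
    patterns: List[str]    # ':'-separated wildcard filename patterns
    max_size_kb: int       # files larger than this are skipped

def parse_feature_flags(header: str) -> Dict[str, bool]:
    """Map the ten leading 1/0 values onto the six feature groups the post lists."""
    values = [v.strip() for v in header.split(",") if v.strip()]
    flags = values[:10]                      # the 11th value (250) is unexplained; ignored
    return {name: flags[pos - 1] == "1" for pos, name in FEATURE_FLAGS.items()}

def parse_grab_rules(body: str) -> List[GrabRule]:
    """Split the rule section on the separator token, then each rule on ';'."""
    rules = []
    for chunk in body.split(RULE_SEPARATOR):
        fields = [f for f in chunk.split(";") if f]
        if len(fields) < 4:                  # trailing empty chunk after the last separator
            continue
        rules.append(GrabRule(fields[0], fields[1], fields[2].split(":"), int(fields[3])))
    return rules

def would_grab(rule: GrabRule, filename: str, size_kb: int) -> bool:
    """True if a file of this name/size falls under the rule (case-sensitive, cf. *utc* vs *UTC*)."""
    return size_kb <= rule.max_size_kb and any(fnmatch.fnmatchcase(filename, p) for p in rule.patterns)

if __name__ == "__main__":
    print(parse_feature_flags(SAMPLE_HEADER))
    for r in parse_grab_rules(SAMPLE_RULES):
        print(r.save_folder, r.target_path, len(r.patterns), "patterns, max", r.max_size_kb, "KB")
```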
Following the C&C server's instructions, files smaller than 50 KB in the Desktop directory, the Documents directory and the %APPDATA%\Authy Desktop\ path are sent to the C&C server.
In the settings received from the C&C server, the 8th item (the screenshot feature) is set to 0 (disabled). When this feature is enabled, the malware captures the current screen and saves it as \files\screenshot.jpg.
Lastly, it saves various system information in the \files\information.txt file. Note that the [Network] item is populated from the result returned by http://ip-api.com/line/. The following items are saved in information.txt:
– Basic: Version, Date, MachineID, GUID, HWID, Path, Work Dir, Windows, Computer Name, User Name, Display Resolution, Display Language, Keyboard Languages, Local Time, TimeZone
– Hardware: Processor, CPU Count, RAM, VideoCard
– Network: IP, Country, City, ZIP, Coordinates, ISP
– Processes: List of processes that are being run
– Software: List of installed software
The extracted information is compressed into a zip file and sent to the C&C server. The URL is as follows:
Once the data is sent, the C&C server's response may carry a URL for an additional payload. In the environment analyzed, the download did not proceed because the server returned the string “OK” instead of a URL (see above), but if the response is a download URL, the malware saves the file to C:\ProgramData\[Random].exe and runs it. Vidar therefore has a downloader function in addition to its info-stealing function.
Vidar deletes itself after fulfilling its purpose as an info-leaker and a downloader in the end.
> “C:\Windows\System32\cmd.exe” /c taskkill /im 1.exe /f & erase [Vidar file path] & exit
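As an added example (not code from the post or from AhnLab), the following Python scans constructed endpoint telemetry for three behaviours described above: the four Mozilla NSS DLLs being written to C:\ProgramData by a process that is not Firefox or Thunderbird, the geolocation lookup to ip-api.com/line/, and the cmd.exe self-delete chain quoted just above. The event schema, the pids and the owner-process allow-list are assumptions.

```python
import re
from typing import Dict, List, Tuple

# NSS DLLs the post says Vidar fetches into C:\ProgramData (msvcp140/vcruntime140 are too common to key on)
NSS_DLLS = {"freebl3.dll", "mozglue.dll", "nss3.dll", "softokn3.dll"}
# Processes that legitimately ship these DLLs (assumption; tune to your environment)
NSS_OWNERS = {"firefox.exe", "thunderbird.exe"}
# The self-delete chain quoted in the post: taskkill /im <self> /f & erase <path> & exit
SELF_DELETE = re.compile(r"taskkill\s+/im\s+\S+\s+/f\s*&\s*erase\s+.+?&\s*exit", re.I)

# Constructed telemetry, one dict per event; 'image' is the acting process's basename
SAMPLE_EVENTS = [
    {"type": "file_create", "pid": 4120, "image": "build.exe", "path": r"C:\ProgramData\freebl3.dll"},
    {"type": "file_create", "pid": 4120, "image": "build.exe", "path": r"C:\ProgramData\mozglue.dll"},
    {"type": "file_create", "pid": 4120, "image": "build.exe", "path": r"C:\ProgramData\nss3.dll"},
    {"type": "file_create", "pid": 4120, "image": "build.exe", "path": r"C:\ProgramData\softokn3.dll"},
    {"type": "file_create", "pid": 900, "image": "firefox.exe", "path": r"C:\ProgramData\nss3.dll"},
    {"type": "network", "pid": 4120, "image": "build.exe", "url": "http://ip-api.com/line/"},
    {"type": "process_create", "pid": 4130, "image": "cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c dir'},
    {"type": "process_create", "pid": 4131, "image": "cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c taskkill /im build.exe /f & erase C:\Users\v\Downloads\build.exe & exit'},
]

def scan_events(events: List[Dict]) -> List[Tuple[int, str]]:
    """Return (pid, reason) alerts for the three Vidar behaviours the post describes."""
    alerts = []
    dropped = {}   # pid -> NSS DLL names it has written under C:\ProgramData so far
    for ev in events:
        image = ev["image"].lower()
        if ev["type"] == "file_create":
            path = ev["path"].lower()
            name = path.rsplit("\\", 1)[-1]
            if path.startswith("c:\\programdata\\") and name in NSS_DLLS and image not in NSS_OWNERS:
                seen = dropped.setdefault(ev["pid"], set())
                seen.add(name)
                if seen == NSS_DLLS:   # alert once, when the full set has landed
                    alerts.append((ev["pid"], "NSS DLL set dropped in ProgramData by non-Mozilla process"))
        elif ev["type"] == "network" and "ip-api.com/line" in ev["url"].lower():
            # Noisy on its own (legitimate software uses ip-api too); correlate with the other two
            alerts.append((ev["pid"], "geolocation lookup to ip-api.com/line"))
        elif ev["type"] == "process_create" and image == "cmd.exe" and SELF_DELETE.search(ev["cmdline"]):
            alerts.append((ev["pid"], "self-delete via taskkill/erase chain"))
    return alerts

if __name__ == "__main__":
    for pid, reason in scan_events(SAMPLE_EVENTS):
        print(pid, reason)
```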
Users should refrain from opening attachments in suspicious emails, always use genuine software, and avoid suspicious websites and P2P. Keeping V3 updated to the latest version is also important for preventing malware infection.
AhnLab’s anti-malware software V3 detects the malware using the following aliases:
– Trojan/Win32.MalPe.R350320 (2020.09.05.05)
[Relevant IOC Info]