Vidar Malware is one of the active Infostealers, and its distribution has been significantly increasing. Its characteristics include the use of famous platforms such as Telegram and Mastodon as an intermediary C2.
The link below is a post about a case where malicious behaviors were performed using Mastodon.
Even afterward, Vidar saw continuous version updates while actively being distributed. In the recent samples in circulation, various other platforms such as Steam and TikTok were used aside from Telegram and Mastodon. In this blog post, we aim to cover the details of these cases.
When a user creates an account on an online platform, a unique account page that can be accessed by anyone is generated. Threat actors write identifying characters and the C2 address in parts of this page.
When the malware is executed, it accesses the threat actor’s account page to search for the identifier string and find the C2 address. Then, it performs malicious behaviors while communicating with this C2 server.
Such public platform URLs are difficult to block with security solutions. Even if the threat actor’s C2 server is blocked, opening a new C2 server and editing the account page will allow all previously distributed malware to communicate with the new C2 server.
The exploited services share a common trait, which is the fact that it is comparatively easy to create an account on these platforms. The following is a page that was recently abused by Vidar.
The last screenshot is the threat actor’s account on Ultimate Guitar. Multiple samples exploiting this platform have been collected, but unfortunately, we could not secure a screenshot with the actual C2 information. The C2 address connected during the collection was 116.202.2[.]1/1707.
Upon execution, the strings used in its behaviors are decrypted. While it is in a simple XOR format, there are multiple garbage codes that execute string-modifying functions with the dummy text “Lorum ipsum” as the argument. The strings and functions used differ slightly with each sample. This is deemed to be for the purpose of implementing changes to the read-only data area or making it difficult to find the string that identifies the malware on the process memory.
The computer name and username are checked. If they are found to be “HAL9TH” and “JohnDoe” respectively, the malware ceases to function and shuts down immediately. These are the names known to be used by Windows Defender Emulator, and this code seems to serve the purpose of bypassing this feature.
After the above preliminary processes are complete, the malware attempts to connect to the threat actor’s account page to download the C2 address. Samples that are currently in distribution include two types of platform account addresses and one actual C2 server URL each. These URLs are hard-coded in the binary and connection attempts are made in order until the actual C2 address is successfully found.
The malware searches the account page’s source for the identifier. The string from the character after the identifier to the character before “|” becomes the C2, and the identifier is different for each sample and is hard-coded like the C2 address. The identifier in this sample is “disqo” and the C2 address is 126.96.36.199.
During the initial connection to the C2 server, the information (settings) data on malicious behaviors is received, then various library files needed for these behaviors are downloaded. In the past, each file was downloaded separately, but the recently-distributed samples mostly download these files in a compressed file format before unpacking them in the memory area and using them.
The C2 response value includes the activation status of certain features, token values, the target directory, and file extensions. This shows that no drastic changes have been made to the past versions, so the previous blog post is sure to provide sufficient information regarding this. The hex value added in the middle of the function settings flag is a random token value assigned by the C2.
The behavior changes according to the C2’s settings response, but various information can be targeted for extortion, including browser data (account, password, history, cookies, etc.), cryptocurrency wallets, document files (file extensions defined by the threat actor), screenshot images, and system information.
After information collection is complete, the extorted information is compressed into a ZIP file, encoded in Base64, and transmitted to the C2 server. There is a slight difference from past versions in the process of sending the data to the C2 server.
While previous samples sent the compressed file data in plain text, recent samples send these after encoding them in Base64. Additionally, the HTTP data in transmission became simplified in the recent version. The version information of the malware was also omitted, and the malware’s version can only be identified by checking the information.txt file in the compressed file or by checking the hard-coded value in the binary.
There is also a newly-added feature, where the malware receives a random token value as a reply during the initial C2 connection, when the extorted information is sent, it transmits this value as a “token.” This is deemed to be for verifying the infected PC and the extorted information.
Out of the data stated in the extorted information files, there was also a slight change to the date format and the method of creating the HWID. According to this file, the version of the recently distributed sample is 56.1.
As Vidar uses famous platforms as the intermediary C2, it has a long lifespan. A threat actor’s account created six months ago is still being maintained and continuously updated. Users must practice caution because Vidar is actively being distributed under the disguise of software or cracks.
AhnLab’s diagnosis for the malware as follows.
- Trojan/Win.Injection.C5318441 (2022.12.01.02)
- Infostealer/Win.Vidar.C5317169 (2022.12.13.01)
- Infostealer/Win.Vidar.C533928 (2022.11.11.01)
- Infostealer/Win.Vidar.C5308808 (2022.11.19.00)
- Infostealer/Win.Generic.C5308804 (2022.11.19.00) and more
ce1eb73f52efe56356ee21b9c4c4c6c4 and more
- Threat Actor’s Account URL
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.