Vidar Malware – What is Vidar Malware?

What is Vidar Malware?

Vidar malware acts as a data stealer by probing FTP clients like WinSCP and FileZilla as well as email clients like Mozilla Thunderbird and Pidgin for data. Furthermore, this malware can steal login credentials from browsers (Chrome and Opera) as well as autofill forms.

Vidar spreads via email spam, cracked software and keygen downloads, while communicating with a C&C server which switches frequently making it hard for security teams to block it.

What is Vidar?

Vidar is a stealer-type malware designed to penetrate computers and extract various types of sensitive information – passwords, account credentials, crypto wallet login details, software and hardware data, among other types – before sending it back to its command and control server. Vidar can be distributed using various tactics including email phishing campaigns and cracked versions of commercial applications like Notepad++ and AnyDesk which contain keygens designed specifically to deliver it.

Once downloaded, this malicious program will access a range of resources on an infected device, including Windows Registry files, processes and hardware configurations. It also collects information from web browsers including autofill values, bookmarks and histories before acting as cryptocurrency wallet thief to steal digital coins such as Litecoin, Bitcoin Ethereum Zcash DashCore etc.

Vidar may send most of this data via GET requests, though it has also been reported that Vidar communicates with its C&C server using hard-coded domain names. Reportedly, however, Vidar now engages in communication with a continuously rotating set of servers.

Vidar stealer may possess sophisticated capabilities, yet can still be detected and prevented with basic cybersecurity practices. Avoiding suspicious email attachments, downloading only authenticated versions of legitimate software and forgoing gaming hacking tools can significantly lower the chance of infection with Vidar or any other form of malware.

An effective password can provide the best protection from cyber attacks. By making passwords long, complex, and random it can make it harder for hackers to crack them and access accounts containing sensitive data.

Once the malware has collected all the desired data, it will compress it into a zipped archive containing stolen files along with their size and location information, date/time when extracted as well as details about host computer such as OS version, CPU type, BIOS date, usernames, display resolution/language settings/keyboard languages settings as well as local time zone/date zone etc.

Once compressed, the file will be sent to an attacker’s C&C server where it will be decoded using an XOR algorithm and allocated from ZIP archives using VirtualAlloc() Windows API function.

How is Vidar spread?

Vidar Stealer malware is distributed by cyber criminals who utilize phishing emails to socially engineer victims into installing it. Phishing emails often feature themes related to popular software applications; employing security tools for inspecting files attached to these emails may help organizations detect and prevent this type of criminal activity.

As soon as malware is installed on a victim’s computer, it begins recording and stealing sensitive data, such as IP addresses, browsing history (including from Tor browsers), cryptocurrency wallets, saved passwords, messages from messenger software as well as screenshots taken with their device microphone and audio recordings made directly by them.

Vidar not only steals data, but it can also download and execute other types of malware. It has been used by criminals to distribute other infostealers like Qbot banking trojan and Lokibot commodity trojan; as a dropper for ransomware such as GandCrab ransomware; in fact EclecticIQ researchers have witnessed multiple instances in which ransomware groups use Vidar as part of their distribution strategy.

Vidar can be spread via exploit kits like Fallout or through other methods, usually hiding within Microsoft Compiled HTML Help files – an HTML format for help documentation that victims often overlook when browsing their computers.

Once a victim opens the file, a series of malicious events will begin in order to steal sensitive data from their host machine. First, it will scan for FTP clients such as WinSCP and FileZilla FTP clients as well as Pidgin; it will then harvest login credentials from these programs before extracting data from autofill forms and web browser sessions before saving all that information in C:ProgramData folder and sending to its C&C server in ZIP format.

To protect themselves against Vidar infostealer, enterprises should train employees to be wary of email attachments and avoid downloading cracked copies of popular software applications. Furthermore, organizations should install security solutions with sandboxing capabilities for better detection; and finally they should implement multilayered cloud security solutions so their systems are shielded against known exploits.

What is Vidar’s main function?

Vidar is a stealer-type malware that stealthily gathers an extensive amount of data from infected computers, including saved passwords, IP addresses, browsing history, crypto-wallets, and any other potentially sensitive data. Once collected it is sent back to its Command and Control (C2) server where it will remain until removed by antivirus programs or another means.

As well as collecting data, the stealer is also known to infiltrate systems with other types of malware such as trojans and ransomware – GANDCRAB 5.0.4 ransomware being one such example.

Threat actors behind this malware family are targeting users worldwide – this includes countries in the Commonwealth of Independent States (CIS). Furthermore, its C2 domain constantly changes and thus makes blocking its activity difficult for security teams.

Infostealer programs typically arrive as.exe files, making them difficult for anti-virus solutions to identify. Furthermore, their code often bypasses string encoding and encryption algorithms used by modern antivirus tools.

Not only does the malware steal account credentials, it also monitors applications installed on infected machines – such as SMTP, WordPress, WinSCP and popular chat app Telegram – as well as 2FA tokens from Authy 2FA services. Once stolen information has been captured by the malware it is sent back to a central C2 server for storage and further use by attackers.

Vidar’s primary purpose is to collect sensitive data and transmit it back to its C2 server, performing various functions such as retrieving web browser history, cryptocurrency wallets, IP address details and hardware specifications; gathering running processes data as well as keyboard and display languages information.

Once collected, data is uploaded to the malware’s C2 server via an HTTP POST request. While some information gathered is predefined within it, others can be customized by threat actors for maximum efficiency.

As part of your defense against Vidar malware, the key steps you can take include changing login credentials and keeping a close watch over financial accounts. Furthermore, ensure your systems have all of the latest security patches applied and implement an advanced endpoint protection solution capable of blocking malicious software like Vidar.

What is Vidar’s C&C server?

Vidar Stealer’s most recent version uses RC4 encryption instead of the more complex XOR string encoding used previously, using an internal hardcoded key in its binary code to decrypt RSRC encrypted data and extract stolen information before zipping it up into an archive with an arbitrary name for later delivery to C&C servers.

Once uploaded, threat actors can download additional malware from an infected host using Vidar’s C&C server as well as direct the stealer to take screenshots or act as file transfer proxy. Vidar is used primarily to steal sensitive information from infected systems and upload it directly to it; in order to avoid instant detection by in-system antivirus solutions or analysis websites like VirusTotal, tricks like adding null bytes at the beginning of an archive are employed by Vidar in order to remain undetected by antiviruses or analysis websites like VirusTotal.

Threat actors use stolen information to launch attacks like ransomware, cryptomining and DDoS attacks using stolen personal information. Malicious emails posing as urgent orders or banking payments often serve as the main delivery vehicle of this malware; malvertising websites or gaming forums also provide the perfect backdrop for this kind of distribution.

Vidar can collect various types of information from infected systems, from text files and browser cookies to browser history containing autofill values, making it an incredibly versatile piece of software capable of stealing passwords from FTP clients such as WinSCP and FileZilla, cryptocurrency wallets, browsing histories in Chrome, Opera and Chromium-based browsers and even search results from Pidgin as well as extract credentials from TOR networks – it even searches Pidgin email accounts while extracting credentials for accessing information while taking screenshots!

Vidar’s flexibility makes it attractive to cyber criminals who sell it through Darknet markets or hacker forums; alternatively, threat actors often sell it via Telegram channels for maximum anonymity.

Start Off Attackers To gain entry, attackers create accounts on social media websites and start bombarding potential victims with messages claiming they must make an immediate payment or have another pressing need. When the victim responds to one of these messages, attackers send a file attachment which contains macros which when enabled will contact C&C server and download malicious payload.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.