
Vidar Stealer Under the Lens: A Deep-dive Analysis


Threat Actors (TAs) are increasingly using stealer malware to steal credentials from victims’ devices. The Vidar malware family, first identified in 2018, is capable of stealing sensitive data from the victim’s PC, including banking information, saved passwords, IP addresses, browser history, login credentials, and crypto-wallets, which is then transferred to the TA’s Command and Control (C&C) server.

Cyble Research Labs obtained the latest variant of the Vidar Stealer sample to study its behavior and the techniques used for infection. We identified that the TAs use delivery mechanisms such as spam mail, cracked software and keygens to distribute this malware.

The Vidar stealer malware’s high-level execution flow is shown in the diagram below. The malware connects to the TA’s mas.to! channel to obtain the C&C IP address. It then downloads configuration data and additional payloads/modules from the C&C, extracts credentials from the victim’s device, and exfiltrates the data.

Figure 1 High-Level Execution Flow Diagram of the malware

Technical Analysis

Cyble Research Labs performed static analysis of the sample and found that the malware is an x86 Windows binary written in C/C++ and compiled on 2021-11-10 10:44:29.

Figure 2 Static Information of the Malware 

During the initial execution of the malware, Cyble Research Labs identified that the malware tries to communicate with hxxp://mas[.]to/@oleg98, as shown in the figure below.

Figure 3 Traffic Analysis of the Malware 

Upon further analysis, we found that the malware retrieves the C&C IP 65.100.80.190 from the profile of the user “oleg98” on the mas.to! channel (hxxp://mas[.]to/@oleg98), as shown below.

Figure 4 TA’s mas.to! channel 

The figure below shows the process tree created by the malware.

Figure 5 Process Tree Created by the malware

After the data has been exfiltrated, the stealer deletes itself by removing the malware binary and its data files. The command below is executed to perform the self-deletion.

"C:\Windows\System32\cmd.exe" /c taskkill /im Devil.exe /f & timeout /t 6 & del /f /q "C:\Users\MalWorkstation\Desktop\Malware.exe" & del C:\ProgramData\*.dll & exit
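The self-delete chain above (cmd.exe running taskkill, timeout and del in sequence) is a useful process-creation detection. The following is an added example, not code from the report, that scans Sysmon-style process-creation events for that chain; the field names (Image, ParentImage, CommandLine) and the sample events are assumptions constructed for the example.

```python
import re
from typing import Optional

# Building blocks of the self-delete chain shown in the report:
#   cmd.exe /c taskkill /im <exe> /f & timeout /t <n> & del /f /q "<path>" & del <dir>\*.dll & exit
TASKKILL_RE = re.compile(r"\btaskkill\s+/im\s+(?P<image>\S+)\s+/f\b", re.I)
TIMEOUT_RE = re.compile(r"\btimeout\s+/t\s+\d+", re.I)
DEL_RE = re.compile(r'\bdel\s+(?:/f\s+/q\s+)?"?(?P<path>[^"&]+?)"?\s*(?:&|$)', re.I)


def analyze_self_delete(event: dict) -> Optional[dict]:
    """Return what was killed and deleted if a process-creation event matches the chain, else None."""
    if not event.get("Image", "").lower().endswith("\\cmd.exe"):
        return None
    cmdline = event.get("CommandLine", "")
    kill = TASKKILL_RE.search(cmdline)
    if not (kill and TIMEOUT_RE.search(cmdline)):
        return None
    deleted = [m.group("path").strip() for m in DEL_RE.finditer(cmdline)]
    if not deleted:
        return None
    return {"parent": event.get("ParentImage"), "killed": kill.group("image"), "deleted": deleted}


def find_self_delete(events):
    """Run the check over a batch of events and keep only the matches."""
    return [hit for hit in map(analyze_self_delete, events) if hit]


# Constructed Sysmon-style process-creation events; only the first mirrors the report's command line.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\user\Desktop\Malware.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c taskkill /im Malware.exe /f & timeout /t 6 '
                    r'& del /f /q "C:\Users\user\Desktop\Malware.exe" & del C:\ProgramData\*.dll & exit'},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c dir C:\Users'},
    {"Image": r"C:\Windows\System32\taskkill.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "taskkill /im notepad.exe /f"},
]

if __name__ == "__main__":
    for hit in find_self_delete(SAMPLE_EVENTS):
        print(f"self-delete chain from {hit['parent']}: killed {hit['killed']}, deleted {hit['deleted']}")
```

The parent image and the deleted paths returned by the match are what an analyst needs to recover the original dropper path once the binary itself is gone.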

Code Analysis and Debugging 

During our initial code analysis, Cyble Research Labs found that the malware was packed using customized packing techniques. The figure below shows that the malware writes a new binary into newly allocated memory, where the unpacked binary resides.

Figure 6 Malware Unpacking

As shown in the figure below, after execution the malware obtains the C&C IP address 65[.]108[.]80[.]90 from mas.to!.

Figure 7 C&C IP Address
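The mas.to! lookup described here and in the traffic analysis above is a dead-drop resolver: a request to a legitimate social-network profile immediately followed by traffic to a bare IP address. The following is an added example, not code from the report, that correlates those two events per client in a proxy log; the log format and all lines except the profile handle and C&C address quoted in the report are constructed for the example.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed proxy log lines (timestamp, client, method, URL, status). The profile handle
# and C&C address are the ones quoted in the report; everything else is made up.
PROXY_LOG = """\
2021-11-10T10:44:50Z 10.0.0.5 GET https://mas.to/@oleg98 200
2021-11-10T10:44:52Z 10.0.0.5 GET http://65.100.80.190/ 200
2021-11-10T10:44:55Z 10.0.0.5 POST http://65.100.80.190/ 200
2021-11-10T10:50:00Z 10.0.0.9 GET https://mas.to/@someone 200
2021-11-10T10:51:30Z 10.0.0.9 GET https://example.com/ 200
2021-11-10T11:00:00Z 10.0.0.7 GET http://10.0.0.1/ 200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")
# A Mastodon-style profile URL such as https://<instance>/@<user>: the dead-drop resolver.
PROFILE_RE = re.compile(r"^https?://[^/]+/@[\w.-]+/?$")
# A URL whose host is a bare IPv4 address rather than a hostname.
IP_URL_RE = re.compile(r"^https?://(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?:/|$)")


def parse(log):
    """Yield one dict per well-formed log line, with the timestamp parsed."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ev


def find_dead_drop_resolution(log, window_seconds=60):
    """Flag clients that fetch a profile URL and then contact a public bare IP within the window."""
    last_profile = {}      # client -> (timestamp, profile URL)
    seen = set()           # (client, ip) pairs already reported
    alerts = []
    for ev in parse(log):
        if PROFILE_RE.match(ev["url"]):
            last_profile[ev["client"]] = (ev["ts"], ev["url"])
            continue
        m = IP_URL_RE.match(ev["url"])
        if not m or ev["client"] not in last_profile:
            continue
        ip = m.group("ip")
        if not ipaddress.ip_address(ip).is_global:
            continue               # internal hosts are expected to be reached by IP
        pts, purl = last_profile[ev["client"]]
        if ev["ts"] - pts <= timedelta(seconds=window_seconds) and (ev["client"], ip) not in seen:
            seen.add((ev["client"], ip))
            alerts.append({"client": ev["client"], "resolver": purl, "c2": ip, "ts": ev["ts"]})
    return alerts
```

Client 10.0.0.9 also fetches a profile but then browses a normal hostname, and 10.0.0.7 reaches an internal address by IP without any profile fetch, so only 10.0.0.5 is reported.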

The image below shows the malware sending the victim machine’s unique ID to the C&C and receiving configuration data in return.

Figure 8 Configuration Data Received from C&C

The configuration data contains the values that the stealer uses to decide what to collect, as described below.

Configuration | Description
1 | Set values for the malware to steal saved credentials, cookies, browser history, etc.
Default | Name of the profile used to collect data
50 | Size in KB
Table 1 Configuration Data Received from the C&C

The image below shows that the malware has hardcoded values that contain details of targeted applications and data extraction information.

Figure 9 Hardcoded Values

The hardcoded values contain the details shown below.

Configuration | Description
Targeted Browsers | Opera, Mozilla Firefox, Chrome, Brave, etc.
Data Stolen | Credentials, History, Cookies
Wallets | Enumerates various cryptocurrency wallets
Other Software Details | File sharing and communication software
User Details | User geolocation, system language
Table 2 Final Configuration Data

The image below shows the traffic analysis of the stealer’s GET request that downloads additional modules to extract credentials.

Figure 10 Additional Payload Download from C&C

The additional modules that the malware downloads to extract credentials are listed in the table below.

List of Files Used for Data Extraction
  • freebl3.dll
  • mozglue.dll
  • msvcp140.dll
  • nss3.dll
  • softokn3.dll
  • vcruntime140.dll
Table 3 List of Files

The figure below shows the Vidar stealer creating the files in which it stores the data stolen during the infection.

Figure 11 File Creation

Once credential extraction is complete, the stealer (in our case) creates a ZIP file named 5d202e6e-b33a-48-*.zip on the victim’s machine and stores the victim’s credentials in it. It then sends this archive to the attacker’s C&C, as shown below.

Figure 12 Malware Sends the Victim’s Details to the TA’s C&C

In the below figure, we observed the data that the malware sends to the C&C. 

Figure 13 Content Received from the Malware 

The below image showcases the type of information collected by the malware, such as Machine ID, Malware Path, Hardware Details, Processes, and Software currently running on the machine.

Figure 14 Machine Details Collection

Conclusion

Threat Actors have used similar malware to steal sensitive data from victim devices. We are currently observing stealer malware becoming increasingly active across the world. The primary vectors for spreading this malware are pirated software and targeted phishing campaigns.

Cyble Research Labs previously observed and reported stealer activity aimed at organizational employees to steal their credentials. 

Cyble Research Labs will continue to monitor emerging threats and targeted cyber-attacks.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the suggestions given below:

  • Don’t keep important files in common locations such as the Desktop, My Documents, etc.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
  • Use a reputable anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.
  • Conduct regular backups and keep those backups offline or in a separate network.

MITRE ATT&CK® Techniques

Tactic | Technique ID | Technique Name
Initial Access | T1566 | Phishing
Execution | T1204 | User Execution
Credential Access | T1555 | Credentials from Password Stores
Credential Access | T1539 | Steal Web Session Cookie
Credential Access | T1552 | Unsecured Credentials
Collection | T1113 | Screen Capture
Discovery | T1087 | Account Discovery
Discovery | T1518 | Software Discovery
Discovery | T1057 | Process Discovery
Discovery | T1007 | System Service Discovery
Discovery | T1614 | System Location Discovery
Command and Control | T1095 | Non-Application Layer Protocol
Exfiltration | T1041 | Exfiltration Over C&C Channel

Indicators of Compromise (IoCs):

Indicator | Indicator Type | Description
c40c62b978908e0f5112eee4ae7370fb9c4cc1ed7c90a171be89f6fd8c10b376 | SHA-256 | Vidar Stealer
@oleg98@mas.to | Channel Name | Mas.to! bot ID used for getting the C&C URL
hxxp[:]//65.100.80[.]190 | C&C | C&C URL
