Threat Actors (TAs) are increasingly using stealer malware to steal credentials from victims’ devices. The Vidar malware family, which was first identified in 2018, is capable of stealing sensitive data from the victim’s PC. This includes banking information, saved passwords, IP addresses, browser history, login credentials, and crypto-wallets, which can then be transferred to the TAs Command and Control (C&C).
Cyble Research Labs has gathered the latest variant of the Vidar Stealer sample to study its behavior and the techniques used for infection. We identified that the TAs use delivery mechanisms such as spam mail, cracked software, keygens, etc. to distribute this malware.
The Vidar stealer malware’s high-level execution flow is shown in the diagram below. The malware connects to the TAs “mas.to!” channel to get the C&C IP address. The malware downloads configuration data from the C&C and other payloads/modules to extract credentials from the victim’s device and perform data exfiltration.
Technical Analysis
Cyble Research Labs performed the static analysis of the sample and found that the malware is x86 architecture Windows binary written in C/C++ and compiled on 2021-11-10 10:44:29.
During the initial execution of the malware, Cyble Research Labs identified that the malware tries to communicate to a hxxp://mas[.]to/@oleg98 domain as shown in the below figure.
Upon further analysis, we found that the malware tries to retrieve the C&C IP 65.100.80.190 via the user ID “oleg98” on mas.to! channel through hxxp://mas[.]to/@oleg98 as shown below.
The figure below shows the process tree created by the malware.
After the data has been exfiltrated, the stealer removes itself by removing malware binaries and data files. The below command is executed to perform the self-delete activity.
| C:\Windows\System32\cmd.exe” /c taskkill /im Devil.exe /f & timeout /t 6 & del /f /q “C:\Users\MalWorkstation\Desktop\Malware.exe” & del C:\ProgramData\*.dll & exit |
Code Analysis and Debugging
Cyble Research Labs found that the malware was packed using customized packing techniques during our initial code analysis. The figure below shows that the malware has created a new binary in the newly allocated memory where the unpacked binary exists.
As shown in the below figure, after execution, the malware obtains the C&C IP address 65[.]108[.]80[.]90 from mas.to!.
The image below shows that the malware sends the victim machine’s unique ID and receives configuration data to the victim’s device from the C&C.
The configuration data contains the values which the stealer uses to get the following details.
| Configuration | Description |
| 1 | Set values for malware to steal Saved Credentials, Cookies, Browser History set, etc. |
| Default | Name of the profile used to collect data |
| 50 | Size in KB |
The image below shows that the malware has hardcoded values that contain details of targeted applications and data extraction information.
The hardcoded values contain the following details that are shown below.
| Configuration | Description |
| Targeted Browsers | Opera, Mozilla Firefox, Chrome, Brave, etc. |
| Data Steals | Credentials, History, Cookies |
| Wallets | Enumerating various Cryptocurrency Wallets |
| Other Software’s Details | Files Sharing and Communication Softwares |
| User Details | User Geolocation, System Language |
The image below shows the traffic analysis of the stealer’s GET request that downloads additional modules to extract credentials.
The other modules which the malware downloads to extract the credentials are shown in the table below.
| List of Files Used for Data Extraction |
| freebl3.dll |
| mozglue.dll |
| msvcp140.dll |
| nss3.dll |
| softokn3.dll |
| cnruntime140.dll |
The figure below showcases that the Vidar stealer malware creates these files to store the data that is being stolen during the infection.
Once the credential extraction is done, the stealer, in our case, creates a ZIP file with the name 5d202e6e-b33a-48-*.zip in the victim’s machine and stores the victim’s credentials. It then sends these credentials to the attacker’s C&C as shown below.
In the below figure, we observed the data that the malware sends to the C&C.
The below image showcases the type of information collected by the malware, such as Machine ID, Malware Path, Hardware Details, Processes, and Software currently running on the machine.
Conclusion
Threat Actors have used similar malware to steal sensitive data from the victim devices. Currently, we are observing stealer malware becoming increasingly active across the world. The primary vectors for spreading this malware are via pirated software and targeted phishing campaigns.
Cyble Research Labs previously observed and reported stealer activity aimed at organizational employees to steal their credentials.
Cyble Research Labs will continue to monitor emerging threats and targeted cyber-attacks.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the suggestions given below:
- Don’t keep important files at common locations such as the Desktop, My Documents etc.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
- Conduct regular backup practices and keep those backups offline or in a separate network.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Initial Access | T1566 | Phishing |
| Execution | T1204 | User Execution |
| Credential Access | T1555 T1539 T1552 | Credentials from Password Stores Steal Web Session Cookie Unsecured Credentials |
| Collection | T1113 | Screen Capture |
| Discovery | T1087 T1518 T1057 T1007 T1614 | Account Discovery Software Discovery Process Discovery System Service Discovery System Location Discovery |
| Command and Control | T1095 | Non-Application Layer Protocol |
| Exfiltration | T1041 | Exfiltration Over C&C Channel |
Indicators of Compromise (IoCs):
| Indicators | Indicator type | Description |
| c40c62b978908e0f5112eee4ae7370fb9c4cc1ed7c90a171be89f6fd8c10b376 | SHA-256 | Vidar Stealer |
| @oleg98@mas.to | Channel Name | Mas.to! Bot ID for getting the C&C URL |
| hxxp[:]//65.100.80[.]190 | C&C | C&C URL |
About Us
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.
