Vidar stealer is malicious software that steals information from infected computers. It leverages popular social media platforms, including TikTok, Telegram, Steam, and Mastodon, as intermediate command-and-control (C2) servers. This means the malware uses these platforms to communicate with the attackers and to receive commands on what actions to take on the infected device.

The technique used by the threat actors behind Vidar involves creating throwaway accounts on social media platforms and writing the C2 address into each account's profile page. This allows the malware to retrieve the C2 address from the platform and then communicate with the attackers.

What is Vidar stealer?

Vidar stealer is one of the most dangerous malware families. It is designed to collect information from infected computers and devices, and infection typically takes place through phishing emails or cracked software. It can harvest a wide range of information from the compromised host, which it collects and transmits to a C2 server. An advantage of this approach for the operators is resilience: if the C2 server is blocked, the adversary can simply set up a new one and continue their activities. Vidar was first identified in 2018 and is a commercially available off-the-shelf malware.

The latest version of Vidar stealer: Know about it

The latest version of the Vidar malware, version 56.1, has introduced a new feature: it encodes the gathered data before it is exfiltrated, a departure from previous versions. Vidar can maintain a long lifespan by using well-known platforms as its command-and-control (C2) intermediaries. Based on their observations, researchers conclude that a threat actor maintains and updates an account that was created six months ago. There are also reports of the malware being distributed through malicious ads on Google and through a malware loader called Bumblebee.

Kroll’s report on Vidar Stealer

A risk consulting firm called Kroll recently published an analysis in which an ad for the GIMP open-source image editor was redirecting users to a typosquatting domain hosting the Vidar malware. This is just one example of how malware delivery methods constantly evolve in the threat landscape. Another driver is Microsoft's decision to block macros by default in Office files downloaded from the internet since July 2022. As a result of this change, cybercriminals have been abusing alternative file formats such as ISO, VHD, SVG, and XLL in email attachments to bypass Mark of the Web (MotW) protections and evade anti-malware scanning. These tactics demonstrate the ongoing effort by cybercriminals to find new ways to spread malware and evade security measures.

What do researchers have to say?

According to researchers at ASEC, disk image files are instrumental in bypassing the "MotW" (Mark of the Web) feature, which is designed to prevent files downloaded from the internet from running unchecked on a computer. The researchers note that when files are extracted from, or mounted within, a disk image, the MotW is not transferred to the contained files. It also came to light that HTML smuggling techniques are key to the Qakbot campaign.
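The MotW loss described above can be verified on a host: the mark is stored as an NTFS alternate data stream named Zone.Identifier, so files that came out of a mounted ISO or VHD simply will not have it. The following PowerShell function is an added example (not from the article or from ASEC); it audits a directory and reports which files carry the mark and which do not, assuming an NTFS volume, PowerShell 3.0 or later, and a placeholder path.

```powershell
# Added example: audit extracted files for the Mark of the Web (MotW).
# MotW lives in the Zone.Identifier alternate data stream; ZoneId=3 means
# "Internet". Files without the stream will not trigger SmartScreen or
# Office Protected View, which is exactly the gap disk-image lures exploit.
function Get-MotWStatus {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path   # directory to audit (placeholder in the usage below)
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
        $zoneId  = $null
        $hostUrl = $null
        # -Stream returns $null (no error) when the ADS does not exist.
        $ads = Get-Item -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if ($ads) {
            # The stream is INI-style text: [ZoneTransfer], ZoneId=3, HostUrl=...
            $lines = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier
            $z = $lines | Where-Object { $_ -like 'ZoneId=*' }  | Select-Object -First 1
            $h = $lines | Where-Object { $_ -like 'HostUrl=*' } | Select-Object -First 1
            if ($z) { $zoneId  = [int]($z -replace '^ZoneId=', '') }
            if ($h) { $hostUrl = $h -replace '^HostUrl=', '' }
        }
        [pscustomobject]@{
            File    = $_.FullName
            HasMotW = [bool]$ads
            ZoneId  = $zoneId
            HostUrl = $hostUrl
        }
    }
}

# Usage (placeholder path): list files that lost, or never had, the mark.
Get-MotWStatus -Path 'C:\Users\Public\Downloads\extracted' |
    Where-Object { -not $_.HasMotW } |
    Format-Table File, HasMotW, ZoneId -AutoSize
```

Running it against the contents of a mounted or extracted ISO next to the ISO file itself shows the contrast: the downloaded image carries ZoneId=3 while the files inside report HasMotW false.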