Tue, Sep 3, 2019

Malware Analysis: Vidar Version 4.5

The malware analysis team in Kroll’s Cyber Risk practice observed an updated version of the Vidar malware, version 4.5, present and active in a client’s network while recently investigating suspicious activity there. Vidar, which originally became active in late 2018, is a family of malware that operates primarily as an information stealer and is often observed as a precursor to ransomware deployment. It enables the capture and exfiltration of data from a system, including system information, browser data, and credentials [1].

Attack Vector

Vidar is predominantly spread through “malvertising”, i.e., victims click on infected ads on websites. The hosting websites may be legitimate sites that have been compromised, or sites known for running suspect content.

Targeted Data

While Kroll has identified available embedded functionality in the malware, our analysis and open-source intelligence-gathering indicates the malware receives dynamic instruction (i.e., a configuration file) from its command-and-control (“C2”) domain that tells it the specific data to capture and steal. 

Kroll is aware of the following data-scraping capabilities by the Vidar family:

  • Browser data, including auto-fill, cookies, credit cards, download history, and browsing history
  • Two-factor authentication (“2FA”) data
  • Telegram messages
  • Cryptomining wallets
  • A screenshot of the victim system

Vidar’s targeting of 2FA data is especially problematic as many organizations may have a false sense of security that this measure is adequately protecting their networks.

Startup & Persistence

The malware has been observed, upon execution, to send an HTTP POST request to the C2 hxxp://malansio[.]com [2]. It first connects to the page hxxp://malansio[.]com/169 and then retrieves a list of dynamic-link libraries (“DLLs”) via HTTP GET requests:

  • freebl3.dll
  • vcruntime140.dll
  • nss3.dll
  • softokn3.dll
  • mozglue.dll
  • msvcp140.dll

After these downloads, the malware begins its collection and exfiltration functionality. It has been observed communicating with the page hxxp://malansio[.]com/. Based upon Kroll’s analysis to date, the malware does not have an embedded persistence mechanism – if it does not successfully establish connectivity with its C2 domain, the executable deletes itself.
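The startup sequence above gives a network-side detection opportunity. The following Python script is an added example, not Kroll’s tooling or part of the original analysis: it parses a constructed web-proxy log in an assumed format and flags any client that fetches three or more of the six DLLs listed above from one external host inside a five-minute window, noting whether the same client also issued a POST and a GET for /169 to that host. The threshold, the window, the log format and the host name c2.example are assumptions; only the DLL names and the /169 path come from the analysis.

```python
"""Flag proxy-log clients whose activity matches the Vidar startup sequence:
a POST to the C2, a GET of /169, then GETs for six support DLLs from the
same server.  Added example; sample log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# DLL names from the analysis.  They are legitimate Mozilla NSS and MSVC
# runtime files, so the signal is several of them fetched in a short burst
# from one external host, not any single name on its own.
VIDAR_DLLS = {"freebl3.dll", "vcruntime140.dll", "nss3.dll",
              "softokn3.dll", "mozglue.dll", "msvcp140.dll"}
MIN_DLL_HITS = 3                  # assumption: tunable threshold
WINDOW = timedelta(minutes=5)     # assumption: burst window

# Assumed proxy log format (constructed, not from the analysis):
#   <ISO timestamp> <client ip> <method> <host> <path> <status>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def _basename(path):
    return path.rsplit("/", 1)[-1].lower()


def find_vidar_like(lines):
    """Return {client: finding} for every client that fetched at least
    MIN_DLL_HITS distinct Vidar support DLLs from one host inside WINDOW."""
    per_pair = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        per_pair[(rec["client"], rec["host"])].append(rec)

    hits = {}
    for (client, host), recs in per_pair.items():
        recs.sort(key=lambda r: r["ts"])
        dll_recs = [r for r in recs
                    if r["method"] == "GET" and _basename(r["path"]) in VIDAR_DLLS]
        # Sliding window: does any burst contain enough distinct DLL names?
        for i, first in enumerate(dll_recs):
            burst = [r for r in dll_recs[i:] if r["ts"] - first["ts"] <= WINDOW]
            names = {_basename(r["path"]) for r in burst}
            if len(names) >= MIN_DLL_HITS:
                hits[client] = {
                    "host": host,
                    "dlls": sorted(names),
                    # context from the same client/host pair, not required
                    "saw_169": any(r["path"] == "/169" for r in recs),
                    "posted": any(r["method"] == "POST" for r in recs),
                }
                break
    return hits


# Constructed sample: one client reproduces the full sequence against an
# assumed C2 host; a second client fetches two of the DLLs 90 minutes apart
# from a vendor download host, which should not be flagged.
SAMPLE_LOG = """\
2019-09-03T10:00:01 10.1.2.3 POST c2.example / 200
2019-09-03T10:00:02 10.1.2.3 GET c2.example /169 200
2019-09-03T10:00:03 10.1.2.3 GET c2.example /freebl3.dll 200
2019-09-03T10:00:04 10.1.2.3 GET c2.example /vcruntime140.dll 200
2019-09-03T10:00:05 10.1.2.3 GET c2.example /nss3.dll 200
2019-09-03T10:00:06 10.1.2.3 GET c2.example /softokn3.dll 200
2019-09-03T10:00:07 10.1.2.3 GET c2.example /mozglue.dll 200
2019-09-03T10:00:08 10.1.2.3 GET c2.example /msvcp140.dll 200
2019-09-03T10:05:00 10.1.2.9 GET downloads.vendor.example /browser/nss3.dll 200
2019-09-03T11:30:00 10.1.2.9 GET downloads.vendor.example /browser/mozglue.dll 200
"""

if __name__ == "__main__":
    for client, info in find_vidar_like(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: {len(info['dlls'])} Vidar support DLLs from {info['host']}, "
              f"/169 seen={info['saw_169']}, POST seen={info['posted']}")
```

Because these are legitimate NSS and MSVC runtime files, a single download (a browser update, say) is not suspicious on its own; the burst from one otherwise unknown host is what the rule keys on, and the /169 and POST checks add context for the analyst rather than being required for a hit.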

Functionality

Upon execution, the malware collects system information as well as other available sensitive data. In Kroll’s dynamic analysis, the malware generates a new randomly named folder under C:\ProgramData and aggregates the following data in a file named information.txt:

  • Machine ID and GUID
  • Path of malware executable and its working directory – This is a newly created directory under C:\ProgramData\{Random String}
  • Operating system
  • Computer name
  • Current username
  • Display resolution, language, and keyboard language
  • Local time and time zone
  • Hardware information – Processor, CPU count, RAM, video card
  • Network information – This data is queried through ip-api[.]com/line/, where geolocation data is gathered about the victim system
  • List of running processes
  • An incomplete list of installed software (may be searching for specific programs)

Additionally, the malware generates three additional files in this location:

  • Outlook.txt – May contain available email credentials from the system
  • Password.txt – May contain available browser credentials from the system
  • A ZIP file containing the collected data; this file is exfiltrated to the C2 domain
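
To triage a suspect host against the artifacts just listed, the following Python script is an added example, not part of the original analysis: it walks the immediate subdirectories of a root (C:\ProgramData by default, read from the ProgramData environment variable), reports any directory containing information.txt, and records which of Outlook.txt, Password.txt and a ZIP archive sit beside it, with the newest write time for a timeline. The scoring, the root handling and the sample tree are assumptions; the file names come from the analysis. The demo() function builds a constructed sample tree in a temporary directory (the folder name x7Qp3mL2 is constructed) so the logic can be exercised on any platform.

```python
"""Host-side triage for the Vidar drop-folder layout described above.
Added example; the artifact names come from the analysis, everything else
(root handling, scoring, sample tree) is an assumption."""
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import List, Optional

# File names the analysis reports inside the randomly named folder.
MARKER = "information.txt"
SIDE_FILES = {"outlook.txt", "password.txt"}


def inspect_dir(d: Path) -> Optional[dict]:
    """Return a finding for d if it holds information.txt, else None."""
    files = [p for p in d.iterdir() if p.is_file()]
    names = {p.name.lower() for p in files}
    if MARKER not in names:
        return None
    side = sorted(n for n in SIDE_FILES if n in names)
    zips = sorted(p.name for p in files if p.suffix.lower() == ".zip")
    newest = max(p.stat().st_mtime for p in files)
    return {
        "dir": str(d),
        "side_files": side,
        "zips": zips,
        # All three text files plus an archive matches the full pattern.
        "full_match": len(side) == 2 and bool(zips),
        "last_write_utc": datetime.fromtimestamp(newest, timezone.utc).isoformat(),
    }


def triage(root: Optional[str] = None) -> List[dict]:
    """Check each immediate subdirectory of root (default %ProgramData%)."""
    base = Path(root or os.environ.get("ProgramData", r"C:\ProgramData"))
    findings = []
    for d in sorted(base.iterdir()):
        if not d.is_dir():
            continue
        try:
            hit = inspect_dir(d)
        except PermissionError:
            continue          # skip ACL-protected vendor folders
        if hit:
            findings.append(hit)
    return findings


def demo() -> List[dict]:
    """Run triage over a constructed sample tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        drop = root / "x7Qp3mL2"        # constructed random-looking name
        drop.mkdir()
        for name in (MARKER, "Outlook.txt", "Password.txt", "x7Qp3mL2.zip"):
            (drop / name).write_text("constructed sample content")
        vendor = root / "VendorApp"     # benign folder, should not match
        vendor.mkdir()
        (vendor / "settings.ini").write_text("[app]\nkey=value\n")
        return triage(str(root))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a live system, run triage() with no argument and review every reported directory: information.txt alone is the minimum indicator, while the two credential files and the ZIP beside it match the full layout the analysis describes, and the recorded write time anchors the collection in the incident timeline.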

Preemptive Recommendations

  • Leverage a next-generation solution like Kroll CyberDetectER both to identify the presence of malware like Vidar and to prevent and contain it before it puts data within your environment at risk
  • Ensure antivirus solutions are current
  • Deploy endpoint threat monitoring for rapid response, e.g. stop outbound connections
  • Train staff on risks of clicking on ads, both on websites and within unsolicited emails
  • Implement pop-up blockers and internet content filtering (e.g., URL white and blacklists) to prevent accidental or intentional visits to suspect sites

Sources

1. More in-depth open-source intelligence on Vidar can be found at https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/
2. URLs in this analysis have been defanged to prevent accidental hyperlinking
