# eSentire Threat Intelligence Malware Analysis: Vidar…

**[esentire.com/blog/esentire-threat-intelligence-malware-analysis-vidar-stealer](https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-vidar-stealer)**
Vidar Stealer is an information stealer (infostealer) malware that first appeared on hacking forums at the end of 2018. It is typically spread through drive-by social engineering techniques in which the victim visits a malicious webpage and unknowingly downloads the malware payload. Compared to other infostealers, Vidar Stealer has a significantly higher subscription price, largely due to its successful infection rate (above 75%) and the fact that new domains for the payloads are renewed every 3-4 days. This malware analysis delves into the technical details of how Vidar Stealer operates and our security recommendations to protect your organization from being exploited.

## Key Takeaways

- In 2022, Vidar Stealer was the second most used infostealer malware on the Dark Web, based on the number of logs sold in Dark Web forums, meaning that threat actors are having success both in deploying the stealer into networks and in spreading it across the Internet.
- Based on our analysis, Vidar Stealer does not include country checks, which means it [is able to infect countries within The Commonwealth of Independent States (CIS).](https://cert.gov.ua/article/2724253)
- The threat actor(s) are actively using social media accounts to host their Command and Control (C2) servers.
- The current versions of Vidar Stealer do not store the exfiltrated data on the victim's disk.
- New versions of Vidar Stealer use XOR string encryption instead of RC4. Each string is encrypted with a different XOR key.
- The new version of Vidar Stealer (56.1) includes Signal Messenger for data exfiltration.

## Case Study: Vidar Stealer

eSentire's Threat Response Unit (TRU) has observed numerous Vidar infections in the enterprise software, retail, business services, and real estate industries.
We have also observed the stealer [being delivered in a BatLoader campaign upon successful infection](https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader). The stealer is also capable of deleting itself after the infection.

The first mention of the stealer appeared on hacking forums at the end of 2018 (Figure 1).

Figure 1: Vidar Stealer seller’s post translated from Russian

The Vidar Stealer subscription price is significantly higher than that of other stealers such as Redline, Mars Stealer and Raccoon Stealer (Figure 2).

Figure 2: Subscription price for Vidar Stealer

In a forum post, the malware author justified the high subscription price with multiple features, including:

- The successful infection rate (successful log delivery), commonly called “otstuk” (“отстук”) among native Russian speakers, is above 75%.
- New domains for the builders (payloads) are renewed once every 3-4 days, with the previous ones remaining intact.
- The stealer generates and hosts its own domains/IPs for the builders, which is very convenient for buyers: unlike other stealers, there is no need to spin up and maintain a VPS server to receive the logs.

Vidar Stealer is commonly mistaken for a variant of Arkei Stealer because of code similarities, but the developer claims that Arkei and Vidar are not related to each other.

In December 2022, based on the Dark Web marketplace known as ‘Russianmarket’, Vidar Stealer was the second most used stealer on the Dark Web, with [Redline Stealer being the number one](https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-redline-stealer) stealer (Figure 3).

Figure 3: Number of logs being sold on russianmarket

All the stolen logs are sent to the browser-based admin panel. An end user needs an invitation code to register and purchase the subscription without directly interacting with the seller on Telegram (Figure 4).
Figure 4: Vidar Stealer C2 Panel

Vidar Stealer spreads through drive-by downloads: users visit a website hosting a malicious stealer payload, typically [fake cracked software or fake installers](https://www.esentire.com/blog/cracked-software-leads-to-information-stealing-malware). The stealer also uses [GitHub as a repository to host the payloads](https://twitter.com/ankit_anubhav/status/1588073956606550018?s=20&t=cEI8GPRjfTd4FYqbzi3pWA). That way the attacker(s) receive a direct link to the payload file that they can send to installer bots/providers (services that provide mass spreading of the payload) (Figure 5).

Figure 5: Manual for uploading stealer payloads to GitHub (translated from Russian in-browser)

It is worth mentioning that most Vidar Stealer users rely on installer services to spread the stealer, which was likely the case with the Vidar Stealer infection in Ukraine reported by [CERT-UA, where the user visited a fake Advanced IP Scanner landing page.](https://cert.gov.ua/article/2724253)

## Vidar Stealer Panel Review

One of the main sections of the panel is Settings, where the threat actor can specify what additional information they want to exfiltrate from the infected host, including Telegram logs, cryptocurrency wallets, browser history and downloads, screenshots, Steam, and Discord logs (Figure 6).

Figure 6: Settings panel

The grabber module allows an attacker to harvest files under the following folders (Figure 7):

- %DESKTOP%
- C:\Users\\Documents
- %DRIVE_FIXED% (all drives on the machine)
- %DRIVE_REMOVABLE% (removable drives)
- %USERPROFILE%
- %APPDATA%
- %LOCALAPPDATA%
- C:\Program Files (x86)
- C:\Program Files
- C:\Users\\Recent

Figure 7: Grabber module

The stealer contains a non-resident loader module.
There are two kinds of loaders commonly mentioned by native Russian speakers:

- **Non-resident loader** – the loader deletes itself after successful infection.
- **Resident loader** – upon starting, the loader creates persistence on the infected host via Registry Run keys, the Startup folder, and service creation.

The loader module only supports .exe binaries, which are fetched from the URL the attacker specifies. The attacker can specify which countries the loader applies to (Figure 8).

Figure 8: Loader module

The stealer builder is constantly updated, including “Defender cleaning”: the builder is modified once a week so that Windows Defender is less likely to detect it (Figure 9).

Figure 9: Builder updates

The logs panel allows the malicious actor to easily navigate through logs and access them directly within the portal without having to download them to their machine (Figure 10).

Figure 10: Logs panel enabling attacker(s) to view the host information, screenshot and retrieved files directly in-browser

The Services section automatically parses the stolen data, including banking information and SMTP, cPanel and WordPress credentials (Figure 11).

Figure 11: Services section

Compromised cPanel and WordPress credentials can be bought and used by other malicious actor(s) to spread their own malware via drive-by downloads.

One of the main features of Vidar Stealer is that it gives malicious users the option to set up their own domains (Figures 12-13), known as “gaskets” or “pads”.

Figure 12: Personal Domain Configuration Tab

Pads, or gaskets, are intermediate servers that the stealer communicates with as a Command and Control (C2) server and sends the exfiltrated logs to. The standard ports for C2 communications are HTTP/80 and HTTPS/443. The malicious actor can host the C2 server on Telegram or Mastodon as the pads.
Telegram and Mastodon allow the user to change the IPs on the fly by editing the profile description. With Telegram, the malicious actor can create a channel and add the IP and port in the description, for example `hello http://IP:80|` (Figure 13).

Figure 13: Instructions on how to set up the personal pad

An example of an attacker’s Telegram C2 channel is shown in Figure 14.

Figure 14: Attacker's Telegram channel

Examples of Mastodon websites where an attacker can host their C2 include:

- [https://c.im/](https://c.im/)
- [https://indieweb.social/](https://indieweb.social/)
- [https://busshi.moe/](https://busshi.moe/)
- [https://koyu.space/](https://koyu.space/)
- [https://mastodon.online/](https://mastodon.online/)
- [https://ioc.exchange/](https://ioc.exchange/)
- [https://nerdculture.de/](https://nerdculture.de/)

The scheme works the same way for Mastodon: an attacker inputs their C2 IP into the profile description field, as shown in Figure 15. The threat actors have also been using [Steam](https://twitter.com/ankit_anubhav/status/1595664080479535104?s=46&t=agmu8eh2vry7HB3A78Ga5Q) and [TikTok](https://twitter.com/crep1x/status/1593360365240389633?s=20&t=DADIky1LQTUvElJ2ZfnYcA) accounts to host the C2.

Figure 15: Attacker's C2 on a site running the Mastodon engine

## Vidar Stealer Binary Review

The Vidar Stealer binary is written in C++. The payload generated from the Vidar Stealer panel contains strings encoded with XOR keys, and the XOR key is different for each string. In the binaries we have observed in clients’ environments (MD5: 810aa0d8faf41720af07153258c05b77), most payloads were using RC4 for string encryption. We assume that the payloads with RC4 encryption are from the older version. Figure 16 compares the decompiled code containing the encoding/encryption functions for the Vidar payload generated from the panel (on the left) and the one we have observed on infected machines (on the right).
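Returning to the pad scheme described above: when the C2 address lives in a Telegram or Mastodon profile description, a configuration extractor has to pull the `http://IP:port|` fragment out of free-form text, and an analyst wants the result defanged before it lands in a ticket. The following Python is an added example written for this article, not eSentire's extractor or any code from the stealer. The profile descriptions and IP addresses are constructed (RFC 5737 documentation ranges), and the `|` terminator plus the IPv4-only rule are assumptions taken from the `hello http://IP:80|` format shown above.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed profile descriptions modelled on the "hello http://IP:80|" layout
# described above. The IPs are documentation ranges (RFC 5737), not real C2s.
SAMPLE_DESCRIPTIONS = [
    "hello http://203.0.113.10:80|",
    "new drop https://198.51.100.7:443| thanks",
    "just a normal bio, nothing to see here",
    "hello http://not-an-ip:80|",
]

# The pad address sits between a URL prefix and a '|' terminator, which is how
# the address is delimited inside otherwise free-form profile text (assumption).
PAD_PATTERN = re.compile(r"(https?://[^\s|]+)\|")


def defang(url: str) -> str:
    """Render a URL so it cannot be clicked by accident in a report or ticket."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def extract_pad_c2(description: str):
    """Return the C2 details embedded in a profile description, or None.

    Only literal IPv4 hosts are accepted, matching the 'IP:port' scheme the
    page describes; hostnames are rejected so an analyst does not chase
    unrelated links that happen to end in '|'.
    """
    match = PAD_PATTERN.search(description)
    if not match:
        return None
    url = match.group(1)
    parts = urlsplit(url)
    try:
        ipaddress.IPv4Address(parts.hostname)
    except (TypeError, ValueError):
        return None
    # Fall back to the scheme's default port when none was written explicitly.
    port = parts.port if parts.port is not None else (443 if parts.scheme == "https" else 80)
    return {
        "url": url,
        "host": parts.hostname,
        "port": port,
        "scheme": parts.scheme,
        "defanged": defang(url),
    }


def collect_c2s(descriptions):
    """Run the extractor over a batch of profile snapshots and keep unique hits.

    Because the actor can edit the description at any time, feeding in every
    snapshot you have captured yields the history of pads, not just the current one.
    """
    found = {}
    for text in descriptions:
        hit = extract_pad_c2(text)
        if hit:
            found[(hit["host"], hit["port"])] = hit
    return list(found.values())


if __name__ == "__main__":
    for c2 in collect_c2s(SAMPLE_DESCRIPTIONS):
        print(f"{c2['defanged']}  ->  {c2['host']}:{c2['port']}")
```

The IPv4 check is deliberate: the page only describes IP-and-port pads, and rejecting hostnames keeps ordinary links in a bio from being reported as infrastructure.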
Figure 16: Encoding/encryption from two Vidar samples

The second binary contains an embedded RC4 key, as shown in Figure 17. The encrypted hex strings are base64-encoded.

Figure 17: Embedded RC4 key from the second payload

Interestingly, both payloads still have unencrypted strings embedded (Figure 18), including the cryptocurrency browser extensions and some crypto wallets, the attacker’s C2, the text files generated from collecting the user’s browsing data, etc.

Figure 18: Plaintext strings observed in the second payload

We will proceed with the analysis of the payload generated from the C2 panel with builder version 55.6, the latest at the time of writing. The payloads we observed on infected hosts from the BatLoader campaign are version 54.7.

There are two XOR-decryption tables in the binary: one is responsible for decrypting the API function names and the sandbox name checks, the other decrypts the rest of the stealer strings. To complete this analysis, we wrote a script to decrypt the strings within the stealer binary.

The stealer searches for cryptowallet extensions in the Chrome browser and extracts the CURRENT file within the %appdatalocal%\Google\Chrome\User Data\Default\Local Extension Settings\ directory (Figure 19).

Figure 19: XOR tables

Vidar also enumerates JSON and wallet.dat files (Figure 20).

Figure 20: Function responsible for cryptowallet extension search

The JSON file, also known as a keystore file, stores the private key of the cryptowallet in encrypted form. The wallet DAT file contains transaction information, key metadata, and private and public keys, and can be either unencrypted or encrypted. If it is encrypted but protected with a weak password, the attacker may be able to crack it (Figure 21).
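To make the two string-protection schemes concrete (per-string XOR keys in the panel build, and RC4 with an embedded key plus base64-wrapped hex in the older sample), here is an added Python example. It is not the script TRU wrote for this analysis and not code from either sample: `rc4`, `xor_with_key`, `decrypt_rc4_string` and `decrypt_xor_table` are names chosen here, the key and table contents are constructed fixtures, and the exact ciphertext layout (base64 of an upper-case hex rendering of the RC4 output) is an assumption drawn from the description above.

```python
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric like RC4, so it both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_rc4_string(blob: str, key: bytes) -> str:
    """Undo the layout described for the older payload (assumed here):
    base64 -> ASCII hex text -> raw RC4 ciphertext -> plaintext."""
    hex_text = base64.b64decode(blob).decode("ascii")
    return rc4(key, bytes.fromhex(hex_text)).decode("utf-8", errors="replace")


def encrypt_rc4_string(plaintext: str, key: bytes) -> str:
    """Inverse of decrypt_rc4_string; used only to build the constructed fixture."""
    hex_text = rc4(key, plaintext.encode()).hex().upper()
    return base64.b64encode(hex_text.encode("ascii")).decode("ascii")


def decrypt_xor_table(entries) -> list:
    """Decrypt a table of (ciphertext, per-string key) pairs, mirroring the
    newer builds where every string carries its own XOR key."""
    return [xor_with_key(ct, key).decode("utf-8", errors="replace") for ct, key in entries]


# Constructed fixtures, not values extracted from a real sample.
DEMO_RC4_KEY = b"demo-key-not-real"          # hypothetical embedded key
DEMO_XOR_TABLE = [                           # (ciphertext, key) pairs
    (xor_with_key(b"wallet.dat", b"\x5a\x13"), b"\x5a\x13"),
    (xor_with_key(b"History.txt", b"\x99"), b"\x99"),
]
DEMO_RC4_BLOB = encrypt_rc4_string("\\Soft\\Telegram\\", DEMO_RC4_KEY)


if __name__ == "__main__":
    print("XOR table:", decrypt_xor_table(DEMO_XOR_TABLE))
    print("RC4 blob :", decrypt_rc4_string(DEMO_RC4_BLOB, DEMO_RC4_KEY))
```

When adapting this to a real binary, the only parts that change are how you walk the string table (offsets, key lengths) and the key source; the two primitives above are the whole of the cryptography involved, which is why a sample's strings fall out quickly once the table layout is understood.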
Figure 21: Cryptowallet search (wallet DAT files)

The list of cryptowallet extensions that Vidar attempts to steal:

|Cryptowallet Name|Browser Extension|
|---|---|
|TronLink|ibnejdfjmmkpcnlpebklmnkoeoihofec|
|MetaMask|nkbihfbeogaeaoehlefnkodbefgpgknn|
|BinanceChainWallet|fhbohimaelbohpjbbldcngcnapndodjp|
|Yoroi|ffnbelfdoeiohenkjibnmadjiehjhajb|
|NiftyWallet|jbdaocneiiinmjbjlgalhcelgbejmnid|
|MathWallet|afbcbjpbpfadlkmhmclhkeeodmamcflc|
|Coinbase|hnfanknocfeofbddgcijnmhnfnkdnaad|
|Guarda|hpglfhgfnhbgpjdenjgmdgoeiappafln|
|EQUALWallet|blnieiiffboillknjnepogjhkgnoapac|
|JaxxLiberty|cjelfplplebdjjenllpjcblmjkfcffne|
|BitAppWallet|fihkakfobkmkjojpchpfgcmhfjnmnfpi|
|iWallet|kncchdigobghenbbaddojjnnaogfppfj|
|Wombat|amkmjjmmflddogmhpjloimipbofnfjih|
|MewCx / Enkrypt|nlbmnnijcnlegkjjpcfjclmcfggfefdm|
|GuildWallet|nanjmdknhkinifnkgdcggcfnhdaammmj|
|RoninWallet|fnjhmkhhmkbjkkabndcnnogagogbneec|
|RoninWalletEdge|kjmoohlgokccodicjjfebfomlbljgfhk|
|NeoLine|cphhlgmgameodnhkjdmkpanlelnlohao|
|CloverWallet (CLV Wallet)|nhnkbkgjikgcigadomkphalanndcapjk|
|LiqualityWallet|kpfopkelmapcoipemfendmdcghnegimn|
|Terra Station|aiifbnbfobpmeekipheeijimdpnlpgpp|
|Keplr|dmkamcknogkgcdfhhbddcghachkejeap|
|Sollet|fhmfendgdocmcbmfikdcogofphimnkno|
|AuroWallet|cnmamaachppnkjgnildpdmkaakejnhae|
|PolymeshWallet|jojhfeoedkpkglbfimdfabpdfjaoolaf|
|ICONex|flpiciilemghbmfalicajoolhkkenfel|
|Harmony|fnnegphlobjdpkhecapkijjdkgcjhkib|
|Coin98|aeachknmefphepccionboohckonoeemg|
|EVER Wallet|cgeeodpfagjceefieflmdfphplkenlfk|
|KardiaChain|pdadjkfkgcafgbceimcpbkalnfnepbnk|
|Rabby|acmacodkjbdgmoleebolmdjonilkdbch|
|Phantom|bfnaelmomeimhlpmgjnjophhpkkoljpa|
|Brave Wallet|odbfpeeihdkbihmopkbjmoonfanlbfcl|
|MetaMask|ejbalbakoplchlghecdalmeeeajnimhm|
|Oxygen (Atomic)|fhilaheimglignddkjgofkcbgekhenbh|
|PaliWallet|mgffkfbidihjpoaomajlbgchddlicgpn|
|BoltX|aodkkagnadcbobfpggfnjeongemjbjca|
|XdefiWallet|hmeobnfnfcmdkdcmlblgagmfpfboieaf|
|NamiWallet|lpfcbjknijpeeillifnkikgncikgfhdo|
|MaiarDeFiWallet|dngmlblcodfobpdpecaadgfbcggfjfnm|
|WavesKeeper|lpilbniiabackdjcionkobglmddfbcjo|
|Solflare|bhhhlbepdkbapadjdnnojkbgioiodbic|
|CyanoWallet|dkdedlpgdmmkkfjabffeganieamfklkm|
|KHC|hcflpincpppdclinealmandijcmnkbgn|
|TezBox|mnfifefkajgofkcjkemidiaecocnkjeh|
|Temple|ookjlbkiijinhpmnjffcofjonbfbgaoc|
|Goby|jnkelfanjkeadonecabehalmbgpfodjm|

Additionally, the stealer grabs the leveldb files and wallet folders for the Jaxx, Daedalus Mainnet, Wasabi, Blockstream, Dogecoin, Binance, Ravencoin, and Ledger Live cryptowallets.

For the Mozilla Firefox password decryption process, the stealer looks for the files cookies.sqlite, formhistory.sqlite, logins.json, and places.sqlite:

- **cookies.sqlite** – stores the cookies.
- **formhistory.sqlite** – stores the forms the user has entered on webpages.
- **logins.json** – stores the encrypted usernames and passwords.
- **places.sqlite** – stores the bookmarks, browsing history and keywords.

If cookies.sqlite is found, the stealer uses SQLite to extract the cookies with the query `SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies` (the moz_cookies table contains the cookie information) (Figure 22).

Figure 22: Extracting the cookies

Then it looks for formhistory.sqlite and, if that file is found, starts extracting the Autofill data using SQLite functions and outputs the data to a text file for exfiltration (Figure 23).

Figure 23: The stealer proceeds with extracting the Autofill data if the form.sqlite is found

After successfully decrypting the password, Vidar Stealer appends the “Soft:” (browser name) and “Host:” (domain) fields to the text file along with the extracted logins and passwords. For logins.json, the stealer calls the NSS_Init() function, which initializes the NSS library, and extracts parameters such as encryptedUsername, encryptedPassword and formSubmitURL.
The stealer then decrypts the fields using NSS library cryptography functions such as PK11SDR_Decrypt, PK11_GetInternalKeySlot and PK11_Authenticate (Figure 24).

Figure 24: Decrypting the encrypted data within logins.json

To extract browsing history, the stealer uses the query `SELECT url FROM moz_places` (the moz_places table contains the list of URLs the user visited). After successfully extracting the browsing data, the stealer appends it to a History.txt file (Figure 25).

Figure 25: Extracting the browsing data

It’s worth noting that, prior to decrypting the browser credentials and cookies and extracting sensitive information, the stealer looks for the profiles.ini file under %appdata%\mozilla\firefox\profiles\ (Mozilla Firefox), %appdata%\Moonchild Productions\Pale Moon\Profiles\ (Pale Moon), and %appdata%\Thunderbird\Profiles\ (Thunderbird). The .INI file contains the user profile information. Vidar Stealer then gets the DLL dependencies vcruntime140.dll, softokn3.dll, nss3.dll, msvcp140.dll, mozglue.dll, and freebl3.dll (Figure 26).

Figure 26: Getting the profile.ini and DLL dependencies

Most stealers require these dependencies to function properly; you can refer to our [blog on Mars Stealer](https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-mars-stealer) to read about the DLLs mentioned. The DLL dependencies are downloaded from the C2 server in a ZIP archive whose name contains 19 random hexadecimal numbers, and are extracted to the ProgramData folder. Note that the ZIP archive can also be named “update.zip” if the threat actor decides to set up and host their personal panel.

To extract FileZilla credentials, the stealer reads the recentservers.xml file on the host. The passwords are base64-encoded, so all the threat actor needs to do is decode them to cleartext to further abuse the victim's accounts.
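The dependency fetch described above is a detection opportunity: the NSS DLLs (nss3.dll, softokn3.dll, freebl3.dll, mozglue.dll) are only expected to be loaded by Mozilla products from their own install directory, and a ZIP with a hex-only name landing in ProgramData is unusual on its own. The following Python is an added example written here, not eSentire detection content; it runs two such checks over constructed Sysmon-style events (event ID 7 image load, event ID 11 file create). The "19 hex characters plus .zip" file name pattern is an assumption made from the page's description of the archive name, and the allow-list of Mozilla host processes is illustrative.

```python
import re
from dataclasses import dataclass

# DLLs the page lists as the NSS-related dependencies the stealer fetches. Only
# Mozilla products have a legitimate reason to load them, and they do so from
# their own install directory rather than from ProgramData.
NSS_DEPENDENCY_DLLS = {"nss3.dll", "softokn3.dll", "freebl3.dll", "mozglue.dll"}
LEGITIMATE_NSS_HOSTS = {"firefox.exe", "thunderbird.exe", "palemoon.exe"}

# Assumption for this example: the archive name is 19 hexadecimal characters (or
# "update" for a personal panel) followed by ".zip", written into ProgramData.
DROPPED_ARCHIVE = re.compile(r"^c:\\programdata\\(?:[0-9a-f]{19}|update)\.zip$", re.IGNORECASE)


@dataclass
class Event:
    """Minimal Sysmon-like telemetry: 7 = image load, 11 = file create."""
    event_id: int
    image: str            # process performing the action
    target: str           # ImageLoaded for id 7, TargetFilename for id 11


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious_dll_load(ev: Event) -> bool:
    """An NSS dependency loaded from ProgramData by something that is not a Mozilla product."""
    if ev.event_id != 7 or basename(ev.target) not in NSS_DEPENDENCY_DLLS:
        return False
    from_programdata = ev.target.lower().startswith("c:\\programdata\\")
    return from_programdata and basename(ev.image) not in LEGITIMATE_NSS_HOSTS


def is_suspicious_archive_drop(ev: Event) -> bool:
    """A ZIP named like the dependency bundle written to ProgramData."""
    return ev.event_id == 11 and DROPPED_ARCHIVE.match(ev.target) is not None


def hunt(events):
    """Return (rule, image, target) for every event that trips a rule."""
    alerts = []
    for ev in events:
        if is_suspicious_archive_drop(ev):
            alerts.append(("dependency_archive_drop", ev.image, ev.target))
        if is_suspicious_dll_load(ev):
            alerts.append(("nss_dll_from_programdata", ev.image, ev.target))
    return alerts


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    Event(11, r"C:\Users\alice\Downloads\setup.exe", r"C:\ProgramData\0123456789abcdef012.zip"),
    Event(7, r"C:\Users\alice\Downloads\setup.exe", r"C:\ProgramData\nss3.dll"),
    Event(7, r"C:\Users\alice\Downloads\setup.exe", r"C:\ProgramData\freebl3.dll"),
    Event(7, r"C:\Program Files\Mozilla Firefox\firefox.exe", r"C:\Program Files\Mozilla Firefox\nss3.dll"),
    Event(11, r"C:\Windows\explorer.exe", r"C:\ProgramData\report.zip"),
    Event(7, r"C:\Users\alice\Downloads\setup.exe", r"C:\ProgramData\msvcp140.dll"),
]

if __name__ == "__main__":
    for rule, image, target in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {image} -> {target}")
```

The DLL-load rule is the higher-confidence of the two: the Visual C++ runtime DLLs are deliberately excluded from it because many legitimate installers stage those, whereas a non-Mozilla process pulling nss3.dll out of ProgramData is the credential-decryption step itself.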
FileZilla stores credentials in two places: recentservers.xml saves the credentials entered via the Quickconnect bar, and sitemanager.xml saves the credentials configured within the Site Manager. After successfully extracting the credentials, the data is saved in the format:

```
Soft: FileZilla
Host: :port
Login:
Password:
```

The stealer also retrieves sensitive files from Authy Desktop (a two-factor authentication application), such as the .log, MANIFEST, LOG, LOCK and CURRENT files under the path AppData\Roaming\Authy Desktop\Local Storage\leveldb, and copies them to the Soft\Authy Desktop folder, which is archived to be sent to the attacker. Besides Authy Desktop, the stealer also exfiltrates data from the Google Authenticator browser extension, EOS Authenticator, and GAuth Authenticator (Figure 27).

Figure 27: Vidar Stealer extracts Authy Desktop sensitive data

Vidar exfiltrates data from Telegram, Discord, Chrome, and Steam in the following manner:

- **Telegram:** Vidar Stealer exfiltrates files such as key_datas, maps, A7FDF864FBC10B77, A92DAA6EA6F891F2 and F8806DD0C461824F (Telegram encrypted data files) from the AppData\Roaming\Telegram Desktop\tdata folder. The attacker can then attempt to decrypt the files and extract sensitive information. The exfiltrated data is written to the \Soft\Telegram\ folder.
- **Discord:** The stealer retrieves the files under AppData\Roaming\discord\Local Storage\leveldb and AppData\Roaming\discord\Session Storage\leveldb, then attempts to extract Discord tokens, which are written to \Soft\Discord\discord_tokens.txt.
- **Chrome:** In order to decrypt credentials saved in Chrome, the stealer retrieves the AES-encrypted key (encrypted_key) in Google\Chrome\User Data\Local State.
- **Steam:** The stealer queries the registry value SteamPath under HKEY_CURRENT_USER\Software\Valve\Steam to obtain the full path to Steam on the machine.
Then it retrieves the SSFN, config.vdf, DialogConfig.vdf, DialogConfigOverlay.vdf, libraryfolders.vdf and loginusers.vdf files, which contain sensitive information. By obtaining the SSFN files, the attacker can bypass Steam Guard and gain full access to the account, provided the attacker was also able to obtain the user’s credentials.

With version 56.1, Vidar also added data exfiltration for Signal Messenger.

As previously mentioned, Vidar Stealer has a loader module that allows a malicious actor to push additional malware to the machine. The additional malware retrieved from the C2 with the help of the loader module is placed under the ProgramData folder. First, the stealer checks whether the URL to retrieve the payload is up and running (status code 200). If the link is valid, the malware writes the secondary payload to the host; if not, the stealer sleeps for 1000 milliseconds (Figure 28).

Figure 28: Loader module

An emulation check is also present within the Vidar Stealer binary. The binary retrieves the name of the local computer and the username, and if they match the “HAL9TH” or “JohnDoe” strings respectively, the binary exits. These values are used by the Windows Defender emulator (Figure 29).

Figure 29: Emulation check

The stealer exfiltrates WinSCP credentials by looking up the Sessions value name under HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions. But first it checks whether the user is using a master password for WinSCP; if not, it proceeds to extract the username and encrypted password values. The decryption function and the function responsible for extracting WinSCP credentials are shown in Figure 30.

Figure 30: Extracting WinSCP Sessions data and decrypting the passwords

The stealer is not able to decrypt the passwords if WinSCP is protected with a master password; in that case it is only able to extract usernames.

Credit card information can also be extracted from browsers via SQLite functions.
For example, the stealer looks for the \AppData\Local\Google\Chrome\User Data\Default\Web Data path and extracts the credit card information with the query `SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards`, then calls the functions [BCryptDecrypt](https://learn.microsoft.com/en-us/windows/win32/api/bcrypt/nf-bcrypt-bcryptdecrypt) and [CryptUnprotectData](https://learn.microsoft.com/en-us/windows/win32/api/dpapi/nf-dpapi-cryptunprotectdata) to decrypt the data.

Besides the sensitive data exfiltration, the stealer also gathers host information, including:

- **MachineID** – the stealer locates the value under SOFTWARE\Microsoft\Cryptography\MachineGuid.
- **GUID** – the GUID is retrieved by calling the function [GetCurrentHwProfileA](https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-getcurrenthwprofilea), which receives information about the hardware profile.
- **HWID** – Figure 31 shows how the first 12 hexadecimal values are calculated based on the Volume Serial Number, which is retrieved via the [GetVolumeInformationA](https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-getvolumeinformationa) function. The stealer then appends 10 digits to it, and part of the GUID and MachineID values are also added to the HWID, which makes it unique to each infected host.

Figure 31: HWID calculation

The host information also contains the path where the stealer was executed, as well as the OS version, computer name, username, display resolution, display language, keyboard languages, local time, time zone, hardware information, running processes and the list of software installed on the host (Figure 32).

Figure 32: Gathered host information that is sent out to C2

## Vidar Stealer 3.6-3.7 Update

Starting from version 3.6, which was released in April 2023, Vidar users can generate builds with embedded DLL dependencies.
This has increased the size of the builds to 2.9MB, but it means that the DLL dependencies no longer need to be retrieved from the C2 server. Instead, the ZIP archive containing the dependencies is already embedded within the executable. This reduces the amount of suspicious activity in the network traffic. After extraction, the DLLs are placed under the C:\ProgramData folder. Starting from update 3.7, Vidar users also have the option to disable the stealer's self-deletion after successful execution.

Figure 33: Vidar Stealer updates

Figure 34: Embedded ZIP archive with DLL dependencies within the executable

With the latest build, the threat actor also switched from XOR to RC4 encryption with a key hardcoded in the binary.

Figure 35: Hardcoded RC4 key

We wrote the [IDAPython string decryption script for the latest Vidar Stealer build](https://github.com/RussianPanda95/IDAPython/blob/main/Vidar/Vidar_Stealer_3.7_RC4_string_decryption.py) as well as the [configuration extractor script](https://github.com/RussianPanda95/Configuration_extractors/blob/main/vidar_config_extractor.py).

## Vidar Stealer C2 Communication

As mentioned before, Vidar Stealer uses HTTP/HTTPS for C2 communication. First, the infected machine receives the ZIP archive containing the DLL dependencies from the C2. The dependencies are extracted under the ProgramData folder. The stealer configuration is also shown in the PCAP below (Figure 33). The configuration includes the grabber parameters. In our example, the stealer exfiltrates the .txt files under the Documents folder and excludes ‘movies:music:mp3’. 50 KB is the maximum size of a file that the stealer grabs.

Figure 36: Stealer configuration

The exfiltrated data is compressed into a ZIP archive and base64-encoded (Figure 37, in red). The POST data also contains the profile value and profile ID, which are hardcoded within the binary, and the token value (Figure 37).
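The embedded dependency bundle in the 3.6+ builds (Figure 34) is the kind of artifact an analyst carves out before running the YARA rule in the appendix, whose `$s` string begins with the ZIP local file header signature `50 4B 03 04`. The following Python is an added example written here, not eSentire's tooling: it scans a buffer for local file headers, parses the fixed 30-byte header with `struct`, and hands the carved region to `zipfile` to list the members. The "binary" it scans is constructed in-memory (a fake MZ prefix plus a ZIP holding filler files named after the DLLs the page lists); nothing here is taken from a real sample.

```python
import io
import struct
import zipfile

LOCAL_FILE_HEADER = b"PK\x03\x04"
# Fixed part of a ZIP local file header (30 bytes): signature, version needed,
# flags, compression method, mod time, mod date, CRC-32, compressed size,
# uncompressed size, file name length, extra field length.
LFH_STRUCT = struct.Struct("<4sHHHHHIIIHH")


def iter_local_headers(buf: bytes):
    """Yield (offset, name, compressed_size) for every plausible local file header in buf."""
    pos = buf.find(LOCAL_FILE_HEADER)
    while pos != -1:
        if pos + LFH_STRUCT.size <= len(buf):
            fields = LFH_STRUCT.unpack_from(buf, pos)
            name_len = fields[9]
            name = buf[pos + LFH_STRUCT.size: pos + LFH_STRUCT.size + name_len]
            # Real entries have a printable name and a sane compression method (0 or 8).
            if name and fields[3] in (0, 8) and all(32 <= c < 127 for c in name):
                yield pos, name.decode("ascii"), fields[7]
        pos = buf.find(LOCAL_FILE_HEADER, pos + 1)


def carve_embedded_zip(buf: bytes):
    """Locate the first embedded archive and list its members via zipfile.

    Returns (offset, [names]) or (None, []) when nothing parseable is found.
    """
    headers = list(iter_local_headers(buf))
    if not headers:
        return None, []
    start = headers[0][0]
    try:
        with zipfile.ZipFile(io.BytesIO(buf[start:])) as zf:
            return start, zf.namelist()
    except zipfile.BadZipFile:
        # Central directory missing or trailing data broke it: fall back to the
        # names recovered from the local headers alone.
        return start, [name for _, name, _ in headers]


def build_sample_binary() -> bytes:
    """Constructed stand-in for a build with an embedded dependency bundle.

    The DLL names are the ones the page lists; their contents are filler.
    """
    bundle = io.BytesIO()
    with zipfile.ZipFile(bundle, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in ("nss3.dll", "softokn3.dll", "freebl3.dll", "mozglue.dll",
                     "vcruntime140.dll", "msvcp140.dll"):
            zf.writestr(name, b"not a real DLL " * 64)
    # A fake PE prefix: DOS header magic followed by padding standing in for code.
    prefix = b"MZ" + b"\x00" * 4094
    return prefix + bundle.getvalue()


if __name__ == "__main__":
    sample = build_sample_binary()
    offset, names = carve_embedded_zip(sample)
    print(f"embedded archive at offset {offset:#x}: {names}")
```

The fallback path matters in practice: a sample whose archive is followed by more data, or whose central directory has been stripped, still yields member names from the local headers, which is enough to decide whether the bundle is the NSS dependency set.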
Figure 37: POST data including the exfiltrated data

## How eSentire is Responding

Our Threat Response Unit (TRU) combines threat intelligence gained from research and security incidents to create practical outcomes for our customers. We are taking a comprehensive response approach to combat modern cybersecurity threats by deploying countermeasures, such as:

- Performing global threat hunts for indicators associated with Vidar Stealer.
- Implementing threat detections to identify malicious command execution and ensuring that eSentire has visibility and detections in place across eSentire MDR for Endpoint.

Our detection content is supported by investigation runbooks, ensuring our SOC (Security Operations Center) analysts respond rapidly to any intrusion attempts related to known malware Tactics, Techniques, and Procedures. In addition, TRU closely monitors the threat landscape, constantly addresses capability gaps and conducts retroactive threat hunts to assess customer impact.

## Recommendations from eSentire’s Threat Response Unit (TRU)

We recommend implementing the following controls to help secure your organization against Vidar Stealer malware:

- [Confirm that all devices are protected with Endpoint Detection and Response (EDR)](https://www.esentire.com/how-we-do-it/signals/endpoint) solutions.
- [Implement a Cyber Phishing and Security Awareness Training (PSAT) Program](https://www.esentire.com/what-we-do/managed-vulnerability-and-risk/technical-testing/security-awareness-training-managed-phishing-training) that educates and informs your employees on emerging threats in the threat landscape.
- Encourage your employees to use password managers instead of the password storage feature provided by web browsers.
- Use master passwords where applicable.

While the TTPs used by threat actor(s) grow in sophistication, they create a level of difficulty at which critical business decisions must be made.
Preventing the various attack techniques and tactics utilized by the modern threat actor requires actively monitoring the threat landscape, developing and deploying endpoint detections, and the ability to investigate logs and network data during active intrusions. eSentire’s TRU is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.

If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption. Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. [Connect with an eSentire Security Specialist.](https://www.esentire.com/get-started)

## Appendix

### Yara Rule

```
rule Vidar_DLL_embedded
{
    meta:
        author = "eSentire Threat Intelligence"
        description = "Vidar Stealer with embedded DLL dependencies"
        date = "5/2/2023"
    strings:
        $s = {50 4B 03 04 14 00 00 00 08 00 24 56 25 55 2B 6D 5C 08 39 7C 05}
        $a1 = "https://t.me/mastersbots"
        $a2 = "https://steamcommunity.com/profiles/76561199501059503"
        $a3 = "%s\\%s\\Local Storage\\leveldb"
        $a4 = "\\Autofill\\%s_%s.txt"
        $a5 = "\\Downloads\\%s_%s.txt"
        $a6 = "\\CC\\%s_%s.txt"
        $a7 = "Exodus\\exodus.wallet"
    condition:
        $s and 5 of ($a*)
}
```

## Indicators of Compromise

|Name|Indicators|
|---|---|
|Vidar Stealer payload|810aa0d8faf41720af07153258c05b77|
|C2|95.217.27[.]240|
|C2|88.198.89[.]6|
|C2|168.119.167[.]188|
|C2|78.46.160[.]87|
|Vidar Stealer payload|783597870319e8fc1c818c5f13e28a0d|

## MITRE ATT&CK

|MITRE ATT&CK Tactic|ID|MITRE ATT&CK Technique|Description|
|---|---|---|---|
|Initial Access|T1189|Drive-by Compromise|Vidar Stealer is delivered via malicious websites hosting fake cracked or pirated software.|
|User Execution|T1204.002|Malicious File|The user launches the malicious file.|
|Virtualization/Sandbox Evasion|T1497.001|System Checks|The stealer performs checks on the “HAL9TH” or “JohnDoe” usernames that are used by the Windows Defender emulator.|
|Defense Evasion|T1070.004|Indicator Removal: File Deletion|Vidar Stealer deletes itself from the machine after successful execution.|
|Credential Access|T1555, T1555.003|Credentials from Password Stores; Credentials from Password Stores: Credentials from Web Browsers|Vidar Stealer steals sensitive data from browsers including credentials, cookies and saved credit cards. It also steals SMTP, WordPress and FTP credentials.|
|Discovery|T1033, T1518, T1057, T1614.001, T1082|System Owner/User Discovery; Software Discovery; Process Discovery; System Location Discovery: System Language Discovery; System Information Discovery|The stealer enumerates the host for the username and hardware information, running processes and installed applications, as well as keyboard and display languages.|
|Collection|T1113|Screen Capture|The stealer takes a screenshot from the infected machine and sends it to the C2.|
|Exfiltration|T1020|Automated Exfiltration|The stealer automatically exfiltrates the gathered files to the C2; some file grabbing options can be customized by an attacker.|

2023 eSentire, Inc. All Rights Reserved.