Analyzing the Behavior of Vidar Information-Stealing Malware

  • Vidar is capable of exfiltrating a variety of data including system information, browser data, and user credentials. 
  • The malware generates three different files to store email credentials and browser credentials from the system. 

Vidar is a family of malware that operates primarily as an information stealer and is often observed as a channel to enable ransomware deployment. The malware originally became active in late 2018.

What are its capabilities?
The malware is capable of exfiltrating a variety of data from an infected system including system information, browser data, and credentials. 

The data collected from infected systems includes the machine ID and GUID, operating system, computer name, current username, display resolution, keyboard language, hardware information, network information, and a list of installed software.

In addition, the malware generates three different files to store the email credentials and browser credentials harvested from the system.

How prevalent is the malware?
The malware first made headlines in January 2019, after it was observed in a prolific malvertising campaign. Threat actors were found using the Fallout exploit kit to distribute Vidar and GandCrab as secondary payloads.
 
Also in January 2019, researchers discovered a fake cryptocurrency trading website that delivered the crypto-stealing Vidar malware. The site impersonated the CryptoHopper trading platform to trick victims.

A new malware dropper named Legion targeted both U.S. and European organizations with the intention of deploying several malware families, including the Vidar information stealer.

Bitbucket was abused by cybercriminals to compromise 500,000 computers globally. The campaign involved a wide range of malware capable of stealing data, mining cryptocurrency, and delivering ransomware payloads. One of the malware families delivered in the campaign was Vidar.

Bottom line
Though the malware is typically used alongside other malicious payloads in these campaigns, its stealing capabilities should not be overlooked. Given the wide range of data Vidar can exfiltrate, organizations must deploy appropriate security measures to protect their data and systems.