Vidar Stealer Operators Exploit SM Platforms to Evade Detection

Tactics of hiding behind SM platforms

• Attackers create a new profile on these social media platforms and write some identifying characters and the C2 address on the profile page.
• One advantage of this tactic is that such traffic is really difficult to identify and block using trivial security solutions.
• In case the C2 server is blocked or taken down, attackers can set up a new server and edit the account pages to allow the previously distributed malware to communicate with the server.

Digging deeper

• When malware is executed from any infected system, multiple strings are decrypted and multiple garbage codes are passed as arguments, which execute string-modifying functions.
• It checks for the computer name and username to see if it is a Windows Defender Emulator, and upon detection, the malware stops functioning and shuts down.
• When proceeding further, the malware connects to the threat actor’s account page to download the C2 address that is hard-coded in the binary. 
• The latest malware variant (v 56.1) collects data and compresses it into a ZIP file, encoded in Base64 prior to exfiltration to the C2 server.

Contrasts with previous tactics

• The previous malware variants collected and sent the information as compressed file data in plaintext format.
• However, in recent campaigns, it was being distributed using a variety of methods, including malicious Google Ads and a malware loader dubbed Bumblebee.
• Additionally, experts discovered an ad for the GIMP open-source image editor that, when clicked from the Google search result, redirected the victim to a typo-squatted domain hosting the malware.

Conclusion