Vidar Stealer Malware 12 January 2023

Vidar is an information-stealing trojan derived from the Arkei stealer and written in C++. It steals credentials, browser data and cryptocurrency from infected users and is sold as malware-as-a-service on underground forums by Russian-speaking sellers.

Vidar lets threat actors collect a wide range of information from compromised systems, including web browser cookies, history and logs; browser auto-fill records such as credit cards, home addresses, phone numbers and the primary email accounts linked to online payments; offline cryptocurrency wallets; and saved login credentials.

The Tactics and Techniques of Vidar Stealer:

• Vidar continues to use public profiles on popular social media services such as TikTok, Telegram, Steam, and Mastodon as dead-drop resolvers (MITRE ATT&CK T1102.001): the sample fetches the profile and extracts the C2 address from it, so the operator can rotate the C2 without rebuilding the malware.

• The malware first checks the system language. If it matches one of the following five countries, the malware exits without stealing anything:

o Russia, Belarus, Uzbekistan, Kazakhstan, and Azerbaijan.

• Upon execution, Vidar checks whether it is running inside the Windows Defender emulator (the sandboxed environment Defender uses to emulate a sample during scanning); if it is, the malware terminates.

• The C2 response carries the configuration: which stealing features are enabled, a token value, the target directory, and the file extensions to collect. The token is believed to identify the infected PC and the stolen data to the operator.

• Behaviour varies with the configuration returned by the C2, but the targeted data can include browser data (accounts, passwords, history, cookies, etc.), cryptocurrency wallets, document files (with extensions defined by the threat actor), screenshots, and system information.

• The stolen information is compressed into a ZIP archive, Base64-encoded and transmitted to the C2 server. Once exfiltration is complete the stealer removes itself, deleting its binary and working files.

• Vidar deletes itself by executing the following command, where the filename and path are those of the running sample:
C:\Windows\System32\cmd.exe /c taskkill /im <malware_filename>.exe /f & erase <malware_path> & exit
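The two checks below are an added example written for this advisory, not code from EG-FinCIRT or from any published Vidar analysis. The first hunts process-creation command lines for the self-deletion chain quoted above; the second decodes a captured Base64 POST body into its ZIP member names, the upload format described in the exfiltration bullet. The command lines and the archive are constructed samples, and the member names in the sample archive are assumptions for the example, not names taken from a real Vidar upload.

```python
import base64
import io
import re
import zipfile

# Self-deletion chain quoted in the advisory:
#   cmd.exe /c taskkill /im <malware_filename>.exe /f & erase <malware_path> & exit
# The image name and path are captured so an analyst can pivot on them.
# Assumption: the chain is passed literally with single '&' separators; a
# variant using '&&' or different spacing would need the pattern widened.
SELF_DELETE_RE = re.compile(
    r"cmd(?:\.exe)?\s+/c\s+taskkill\s+/im\s+(?P<image>\S+)\s+/f"
    r"\s*&\s*erase\s+(?P<path>.+?)\s*&\s*exit",
    re.IGNORECASE,
)

# Constructed process-creation command lines (as seen in Sysmon event 1 or
# Windows event 4688). Only the first one is the Vidar self-delete pattern.
SAMPLE_CMDLINES = [
    r"C:\Windows\System32\cmd.exe /c taskkill /im build.exe /f "
    r"& erase C:\Users\user\AppData\Local\Temp\build.exe & exit",
    r"C:\Windows\System32\cmd.exe /c dir C:\Users\user",
    r"taskkill /im notepad.exe /f",
]


def find_self_delete(cmdlines):
    """Return (image, path) for every command line matching the self-delete chain."""
    hits = []
    for line in cmdlines:
        m = SELF_DELETE_RE.search(line)
        if m:
            hits.append((m.group("image"), m.group("path").strip('"')))
    return hits


def decode_exfil(body):
    """Decode a captured Base64 POST body and return the sorted ZIP member names.

    Raises ValueError if the body is not valid Base64 or the decoded bytes do
    not start with the ZIP local file header magic (PK\\x03\\x04).
    """
    try:
        raw = base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("body is not valid Base64") from exc
    if not raw.startswith(b"PK\x03\x04"):
        raise ValueError("decoded payload is not a ZIP archive")
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        return sorted(zf.namelist())


def build_sample_exfil():
    """Constructed stand-in for a Vidar upload: a ZIP of fake stolen files, Base64-encoded.

    Member names are assumptions made for this example, not names from a real sample.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("information.txt", "constructed system info\n")
        zf.writestr("Cookies/Chrome_Default.txt", "constructed cookie dump\n")
    return base64.b64encode(buf.getvalue()).decode("ascii")


if __name__ == "__main__":
    for image, path in find_self_delete(SAMPLE_CMDLINES):
        print(f"self-delete chain seen: image={image} path={path}")
    print("exfil members:", decode_exfil(build_sample_exfil()))
```

A hit from find_self_delete is a strong signal on its own, but the erased path is the more useful pivot: search file-creation and download telemetry for that path to find the initial delivery, since the binary itself will be gone by the time the alert fires.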
Indicators of Compromise

Indicators of compromise will be shared with EG-FinCIRT’s Constituents

Mitigations

• Search for existing signs of the indicated IOCs in your environment.

• Block all URL and IP-based IOCs at the organization’s security devices.

• Implement network segmentation so that machines are not reachable from every other machine on the network.

• If remote access is required, use a VPN configured according to vendor best practices: multi-factor authentication, password audits, precise access control, and active monitoring of remote sessions.

• Accounts used for remote access services should have limited privileges on the rest of the corporate network.

• Administrators should adopt multi-factor authentication and use a separate administrative account from their normal operational account.

• Conduct cybersecurity awareness training for end users.

• Ensure anti-virus software and its signature files are up to date.

• Implement application whitelisting (allowlisting), so that systems execute only programs known and permitted by the organization’s security policy.

• Back up your data to multiple backup destinations, including offline media such as tape drives.

• Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs for any unusual activity.

• Install updates/patches for operating systems, software, and firmware as soon as they are released.

• Refrain from opening untrusted links and email attachments without verifying their authenticity.

• Disable the browser ‘Save Password’ functionality (for example through managed browser policy), since saved browser credentials are among the data Vidar collects.

References

  • Egyptian Financial Computing Incident Response Team (EG-FinCIRT)