
eSentire Threat Intelligence Malware Analysis: Vidar Stealer

BY eSentire Threat Response Unit (TRU)

May 9, 2023 | 20 MINS READ


Vidar Stealer is an information stealer (infostealer) malware that first appeared on hacking forums at the end of 2018. It is typically spread through drive-by social engineering, in which the victim visits a malicious webpage and unknowingly downloads the malware payload. Compared to other infostealers, Vidar Stealer has a significantly higher subscription price, largely because of its high infection success rate (above 75%) and the fact that new domains for the payloads are renewed every 3-4 days.

This malware analysis delves deeper into the technical details of how the Vidar Stealer malware operates and our security recommendations to protect your organization from being exploited.

Key Takeaways

  • In 2022, Vidar Stealer was the second most used infostealer malware on the Dark Web, based on the number of logs sold in Dark Web forums, meaning that threat actors are both having success with deploying the stealer into networks and spreading the stealer across the Internet.
  • Based on our analysis, Vidar Stealer does not include country checks, which means it can also infect hosts in the countries of the Commonwealth of Independent States (CIS).
  • The threat actor(s) are actively using social media accounts to host their Command and Control (C2) servers.
  • The current versions of Vidar Stealer do not store the exfiltrated data on the victims’ disk.
  • New versions of Vidar Stealer use XOR string encryption instead of RC4. Each string is encrypted with a different XOR key.
  • The new version of Vidar Stealer (56.1) includes Signal Messenger for data exfiltration.

Case Study: Vidar Stealer

eSentire Threat Response Unit (TRU) has observed numerous Vidar infections in the enterprise software, retail, business services, and real estate industries. We have also observed the stealer being delivered as a follow-on payload in a BatLoader campaign, after the initial infection succeeded. The stealer is also capable of deleting itself after the infection.

The first mention of the stealer appeared on hacking forums at the end of 2018 (Figure 1).

Figure 1: Vidar Stealer seller’s post translated from Russian

The Vidar Stealer subscription price is significantly higher than other stealers such as Redline, Mars Stealer and Raccoon Stealer (Figure 2).

Figure 2: Subscription price for Vidar Stealer

In a forum post, the malware author justified the high subscription price by pointing to multiple features, including:

Because the seller generates and hosts the domains/IPs used by the builds, buyers do not need to spin up and maintain their own VPS to receive the logs, which makes the stealer very convenient compared to others.

Vidar Stealer is commonly mistaken for a variant of Arkei Stealer because of code similarities, but the developer claims that Arkei and Vidar are unrelated. In December 2022, according to the Dark Web marketplace known as ‘Russianmarket’, Vidar Stealer was the second most used stealer on the Dark Web, with Redline Stealer being number one (Figure 3).

Figure 3: Number of logs being sold on Russianmarket

All the stolen logs are sent to the browser-based admin panel. The end user needs an invitation code to register and purchase a subscription without directly interacting with the seller on Telegram (Figure 4).

Figure 4: Vidar Stealer C2 Panel

Vidar Stealer spreads through drive-by downloads: users visit a website hosting the malicious stealer payload, typically disguised as cracked software or a fake installer. The stealer operators also use GitHub as a repository to host the payloads. That way the attacker(s) receive a direct link to the payload file that they can hand over to installer bots/providers (services that provide mass spreading of the payload) (Figure 5).

Figure 5: Manual for uploading stealer payloads to GitHub (translated from Russian in-browser)

It is worth mentioning that most Vidar Stealer users rely on installer services to spread the stealer, which was likely the case with the Vidar Stealer infection in Ukraine reported by CERT-UA, where the user visited a fake Advanced IP Scanner landing page.

Vidar Stealer Panel Review

One of the main sections of the panel is Settings, where the threat actor can specify what additional information they want to exfiltrate from the infected host, including Telegram logs, cryptocurrency wallets, browser history and downloads, screenshots, Steam, and Discord logs (Figure 6).

Figure 6: Settings panel

The grabber module allows an attacker to harvest files under the following folders (Figure 7):

Figure 7: Grabber module

The stealer contains a non-resident loader module. There are two kinds of loaders that are commonly mentioned by Russian native speakers:

The loader module only supports .exe binaries, which are fetched from a URL the attacker specifies. The attacker can also specify the countries in which the loader is applied (Figure 8).

Figure 8: Loader module

The stealer builder is constantly updated, including “Defender cleaning”: the builder is modified once a week so that Windows Defender is less likely to detect it (Figure 9).

Figure 9: Builder updates

The logs panel allows the malicious actor to easily navigate through logs and access them directly within the portal without having to download them to their machine (Figure 10).

Figure 10: Logs panel enabling attacker(s) to view the host information, screenshot and retrieved files directly in-browser

The Services section automatically parses the stolen data, including banking information and SMTP, cPanel and WordPress credentials (Figure 11).

Figure 11: Services section

Compromised cPanel and WordPress credentials can be bought and used by other malicious actor(s) to spread their own malware via drive-by downloads.

One of the main features of Vidar Stealer is that it lets malicious users set up their own domains (Figures 12-13), known as “gaskets” or “pads”.

Figure 12: Personal Domain Configuration Tab

A pad, or gasket, is an intermediate server that the stealer communicates with as its Command and Control (C2) server and sends the exfiltrated logs to. The standard ports for C2 communications are HTTP/80 and HTTPS/443.

The malicious actor can host the C2 server on Telegram or Mastodon as the pads. Telegram and Mastodon allow the user to change the IPs on the fly by editing the profile description. With Telegram, the malicious actor can create a channel and add the IP and port to the description, for example hello http://IP:80| (Figure 13).

Figure 13: Instructions on how to set up the personal pad

An example of an attacker’s Telegram C2 channel is shown in Figure 14.

Figure 14: Attacker's Telegram channel

Examples of Mastodon websites where an attacker can host their C2 include:

On these Mastodon-based sites the scheme works the same way: an attacker inputs their C2 IP into the profile description field, as shown in Figure 15. The threat actors have also been using Steam and TikTok accounts to host the C2.

Figure 15: Attacker's C2 on the site running with Mastodon engine

Vidar Stealer Binary Review

The Vidar Stealer binary is written in C++. The payload generated from the Vidar Stealer panel contains strings encoded with XOR keys, and the XOR key is different for each string. In the binaries we have observed in clients’ environments (MD5: 810aa0d8faf41720af07153258c05b77), most payloads were using RC4 for string encryption.

We assume that the payloads with RC4 encryption are from an older version. Figure 16 compares the decompiled code containing the encoding/encryption functions of the Vidar payload generated from the panel (on the left) and the one we observed on infected machines (on the right).

Figure 16: Encoding/encryption from two Vidar samples

The second binary contains an embedded RC4 key as shown in Figure 17. The encrypted hex strings are base64-encoded.

Figure 17: Embedded RC4 key from the second payload

Interestingly, both payloads still have unencrypted strings embedded (Figure 18), including the cryptocurrency browser extensions and some crypto wallets, the attacker’s C2, the names of the text files generated from collecting the user’s browsing data, etc.

Figure 18: Plaintext strings observed in the second payload

We will proceed with the analysis of the payload generated from the C2 panel with builder version 55.6, the latest at the time of writing. The payloads we observed on infected hosts from the BatLoader campaign are version 54.7.

There are two XOR-decryption tables in the binary: one is responsible for decrypting the API functions and sandbox name checks, the other decrypts the rest of the stealer strings. To complete this analysis, we wrote a script to decrypt the strings within the stealer binary. The stealer searches for cryptowallet extensions in the Chrome browser and extracts the CURRENT file within the %appdatalocal%\Google\Chrome\User Data\Default\Local Extension Settings\<extension_name> directory (Figure 19).

Figure 19: XOR tables

Vidar also enumerates JSON and wallet.dat files (Figure 20).

Figure 20: Function responsible for cryptowallet extension search

The JSON file, also known as a keystore file, stores the private key of the cryptowallet in encrypted form. The wallet DAT file contains transaction information, key metadata, and private and public keys, and can be unencrypted or encrypted. If it is encrypted but protected with a weak password, the attacker may be able to crack it (Figure 21).

Figure 21: Cryptowallet search (wallet DAT files)

The list of cryptowallet extensions that Vidar attempts to steal:

Cryptowallet Name | Browser Extension ID
TronLink | ibnejdfjmmkpcnlpebklmnkoeoihofec
MetaMask | nkbihfbeogaeaoehlefnkodbefgpgknn
BinanceChainWallet | fhbohimaelbohpjbbldcngcnapndodjp
Yoroi | ffnbelfdoeiohenkjibnmadjiehjhajb
NiftyWallet | jbdaocneiiinmjbjlgalhcelgbejmnid
MathWallet | afbcbjpbpfadlkmhmclhkeeodmamcflc
Coinbase | hnfanknocfeofbddgcijnmhnfnkdnaad
Guarda | hpglfhgfnhbgpjdenjgmdgoeiappafln
EQUALWallet | blnieiiffboillknjnepogjhkgnoapac
JaxxLiberty | cjelfplplebdjjenllpjcblmjkfcffne
BitAppWallet | fihkakfobkmkjojpchpfgcmhfjnmnfpi
iWallet | kncchdigobghenbbaddojjnnaogfppfj
Wombat | amkmjjmmflddogmhpjloimipbofnfjih
MewCx / Enkrypt | nlbmnnijcnlegkjjpcfjclmcfggfefdm
GuildWallet | nanjmdknhkinifnkgdcggcfnhdaammmj
RoninWallet | fnjhmkhhmkbjkkabndcnnogagogbneec
RoninWalletEdge | kjmoohlgokccodicjjfebfomlbljgfhk
NeoLine | cphhlgmgameodnhkjdmkpanlelnlohao
CloverWallet (CLV Wallet) | nhnkbkgjikgcigadomkphalanndcapjk
LiqualityWallet | kpfopkelmapcoipemfendmdcghnegimn
Terra Station | aiifbnbfobpmeekipheeijimdpnlpgpp
Keplr | dmkamcknogkgcdfhhbddcghachkejeap
Sollet | fhmfendgdocmcbmfikdcogofphimnkno
AuroWallet | cnmamaachppnkjgnildpdmkaakejnhae
PolymeshWallet | jojhfeoedkpkglbfimdfabpdfjaoolaf
ICONex | flpiciilemghbmfalicajoolhkkenfel
Harmony | fnnegphlobjdpkhecapkijjdkgcjhkib
Coin98 | aeachknmefphepccionboohckonoeemg
EVER Wallet | cgeeodpfagjceefieflmdfphplkenlfk
KardiaChain | pdadjkfkgcafgbceimcpbkalnfnepbnk
Rabby | acmacodkjbdgmoleebolmdjonilkdbch
Phantom | bfnaelmomeimhlpmgjnjophhpkkoljpa
Brave Wallet | odbfpeeihdkbihmopkbjmoonfanlbfcl
MetaMask | ejbalbakoplchlghecdalmeeeajnimhm
Oxygen (Atomic) | fhilaheimglignddkjgofkcbgekhenbh
PaliWallet | mgffkfbidihjpoaomajlbgchddlicgpn
BoltX | aodkkagnadcbobfpggfnjeongemjbjca
XdefiWallet | hmeobnfnfcmdkdcmlblgagmfpfboieaf
NamiWallet | lpfcbjknijpeeillifnkikgncikgfhdo
MaiarDeFiWallet | dngmlblcodfobpdpecaadgfbcggfjfnm
WavesKeeper | lpilbniiabackdjcionkobglmddfbcjo
Solflare | bhhhlbepdkbapadjdnnojkbgioiodbic
CyanoWallet | dkdedlpgdmmkkfjabffeganieamfklkm
KHC | hcflpincpppdclinealmandijcmnkbgn
TezBox | mnfifefkajgofkcjkemidiaecocnkjeh
Temple | ookjlbkiijinhpmnjffcofjonbfbgaoc
Goby | jnkelfanjkeadonecabehalmbgpfodjm

Additionally, the stealer grabs the leveldb files and wallet folder for Jaxx, Daedalus Mainnet, Wasabi, Blockstream, Dogecoin, Binance, Ravencoin, and Ledger Live cryptowallets.

For the Mozilla Firefox password decryption process, the stealer looks for files such as cookies.sqlite, formhistory.sqlite, logins.json, and places.sqlite:

If cookies.sqlite is found, the stealer uses SQLite to extract the cookies with the query SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies (the moz_cookies table contains the cookie information) (Figure 22).

Figure 22: Extracting the cookies

Then it looks for formhistory.sqlite and, if it is found, starts extracting the Autofill data using SQLite functions and writes the data to a text file for exfiltration (Figure 23).

Figure 23: The stealer proceeds with extracting the Autofill data if formhistory.sqlite is found

After successfully decrypting the passwords, Vidar Stealer appends the “Soft:” (browser name) and “Host:” (domain) fields to the text file along with the extracted logins and passwords.

For logins.json, the stealer calls the NSS_Init() function, which initializes the NSS library, and extracts parameters such as encryptedUsername, encryptedPassword and formSubmitURL. It then decrypts the fields using NSS library cryptography functions such as PK11SDR_Decrypt, PK11_GetInternalKeySlot and PK11_Authenticate (Figure 24).

Figure 24: Decrypting the encrypted data within logins.json

To extract browsing history, the stealer uses the query SELECT url FROM moz_places (the moz_places table contains the list of URLs the user visited). After extracting the browsing data, the stealer appends it to a History.txt file (Figure 25).

Figure 25: Extracting the browsing data

It’s worth noting that prior to decrypting the browser credentials and cookies and extracting sensitive information, the stealer looks for the profiles.ini file under %appdata%\mozilla\firefox\profiles\ (Mozilla Firefox), %appdata%\Moonchild Productions\Pale Moon\Profiles\ (Pale Moon) and %appdata%\Thunderbird\Profiles\ (Thunderbird). The .INI file contains the user profile information. Vidar Stealer then gets the DLL dependencies vcruntime140.dll, softokn3.dll, nss3.dll, msvcp140.dll, mozglue.dll, and freebl3.dll (Figure 26).

Figure 26: Getting profiles.ini and the DLL dependencies

Most stealers require the mentioned dependencies to function properly; you can refer to our blog on Mars Stealer to read about these DLLs. The DLL dependencies are downloaded from the C2 server in a ZIP archive whose name consists of 19 random hexadecimal digits, and are extracted to the ProgramData folder. Please note that the ZIP archive can also be named “update.zip” if the threat actor decides to set up and host their own panel.
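The dependency drop described above (a 19-hex-digit or update.zip archive, followed by the NSS/CRT DLLs written straight into ProgramData) is a reliable endpoint detection opportunity, and it applies equally to the later builds that unpack an embedded archive instead of downloading one. The following is an added example written for this post, not eSentire's or Vidar's code: it scans constructed (process image, created path) file-create events and flags the archive name and a cluster of those DLLs created by one process. The event shape is a stand-in, not any vendor's telemetry schema.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# DLLs the analysis above lists as the stealer's dependencies; they are
# fetched from the C2 (or, since build 3.6, unpacked from the embedded ZIP)
# and written to ProgramData.
VIDAR_DEPENDENCY_DLLS = {
    "vcruntime140.dll", "softokn3.dll", "nss3.dll",
    "msvcp140.dll", "mozglue.dll", "freebl3.dll",
}

# Archive names described above: 19 random hex digits, or update.zip when
# the operator hosts a personal panel. update.zip alone is a weak signal.
ARCHIVE_NAME_RE = re.compile(r"^(?:[0-9a-f]{19}|update)\.zip$", re.IGNORECASE)
PROGRAMDATA_RE = re.compile(r"^[a-z]:\\programdata\\", re.IGNORECASE)
DLL_CLUSTER_THRESHOLD = 3  # Mozilla NSS DLLs are not written by arbitrary EXEs


@dataclass
class Finding:
    image: str   # process that created the file
    path: str    # file that was created
    reason: str


def _is_direct_child_of_programdata(path: str) -> bool:
    # "C:\ProgramData\x" has exactly two backslashes; vendor subfolders have more.
    return bool(PROGRAMDATA_RE.match(path)) and path.count("\\") == 2


def scan_file_create_events(events: Iterable[Tuple[str, str]]) -> List[Finding]:
    """Flag Vidar-style dependency drops in (image, target_path) file-create
    events. The event shape is a constructed stand-in, not a vendor schema."""
    findings: List[Finding] = []
    dlls_by_image: Dict[str, Set[str]] = {}
    for image, path in events:
        if not _is_direct_child_of_programdata(path):
            continue
        name = path.rsplit("\\", 1)[-1].lower()
        if ARCHIVE_NAME_RE.match(name):
            findings.append(Finding(image, path, "stealer dependency archive name"))
        elif name in VIDAR_DEPENDENCY_DLLS:
            dlls_by_image.setdefault(image, set()).add(name)
    # Correlate: one process dropping several NSS/CRT DLLs into ProgramData
    for image, dlls in dlls_by_image.items():
        if len(dlls) >= DLL_CLUSTER_THRESHOLD:
            reason = f"{len(dlls)} NSS/CRT DLLs dropped: {sorted(dlls)}"
            findings.append(Finding(image, "C:\\ProgramData\\", reason))
    return findings


# Constructed sample telemetry: one downloaded EXE drops the archive and
# four DLLs; Firefox's updater and svchost write benign files elsewhere.
SAMPLE_EVENTS = [
    ("C:\\Users\\bob\\Downloads\\setup.exe", "C:\\ProgramData\\0123456789abcdef012.zip"),
    ("C:\\Users\\bob\\Downloads\\setup.exe", "C:\\ProgramData\\nss3.dll"),
    ("C:\\Users\\bob\\Downloads\\setup.exe", "C:\\ProgramData\\mozglue.dll"),
    ("C:\\Users\\bob\\Downloads\\setup.exe", "C:\\ProgramData\\freebl3.dll"),
    ("C:\\Users\\bob\\Downloads\\setup.exe", "C:\\ProgramData\\softokn3.dll"),
    ("C:\\Program Files\\Mozilla Firefox\\updater.exe", "C:\\Program Files\\Mozilla Firefox\\nss3.dll"),
    ("C:\\Windows\\System32\\svchost.exe", "C:\\ProgramData\\Microsoft\\Windows\\cache.dat"),
]

if __name__ == "__main__":
    for f in scan_file_create_events(SAMPLE_EVENTS):
        print(f"{f.image} -> {f.path}: {f.reason}")
```

The DLL threshold is deliberately set above one, because a single nss3.dll in ProgramData does turn up in legitimate installers; the archive name plus the cluster from the same image is what makes the pattern specific.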

To extract FileZilla credentials, the stealer reads the recentservers.xml file on the host. The passwords are base64-encoded, so all the threat actor needs to do is decode them to cleartext to further abuse the victims’ accounts. FileZilla stores credentials in two places: recentservers.xml saves the credentials entered via the Quickconnect bar, and sitemanager.xml saves the credentials configured within the Site Manager. After successfully extracting the credentials, the data is saved in the format:

Soft: FileZilla

Host: :port

Login:

Password:

The stealer also retrieves sensitive files from Authy Desktop (a two-factor authentication application), such as the .log, MANIFEST, LOG, LOCK and CURRENT files under the path AppData\Roaming\Authy Desktop\Local Storage\leveldb, and copies them to the Soft\Authy Desktop folder, which is archived and sent to the attacker. Besides Authy Desktop, the stealer also exfiltrates data from the Google Authenticator browser extension, EOS Authenticator, and GAuth Authenticator (Figure 27).

Figure 27: Vidar Stealer extracts Authy Desktop sensitive data

Vidar exfiltrates data from Telegram, Discord, Chrome, and Steam in the following manner:

With version 56.1, Vidar also added data exfiltration for Signal Messenger.

As previously mentioned, Vidar Stealer has a loader module that allows a malicious actor to push additional malware to the machine. The additional malware retrieved from a C2 by the loader module is placed under the ProgramData folder.

First, the stealer checks whether the URL to retrieve the payload is up and running (status code 200). If the link is valid, the malware writes the secondary payload to the host; if not, the stealer sleeps for 1000 milliseconds (Figure 28).

Figure 28: Loader module

An emulation check is also present within the Vidar Stealer binary. The binary retrieves the name of the local computer and the username, and if they match the strings “HAL9TH” or “JohnDoe” respectively, the binary exits. These values are used by the Windows Defender emulator (Figure 29).

Figure 29: Emulation check

The stealer exfiltrates WinSCP credentials by looking up the Sessions value name under HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions. First, it checks whether the user has set a master password for WinSCP; if not, it proceeds with extracting the username and encrypted password values. The decryption function and the function responsible for extracting WinSCP credentials are shown in Figure 30.

Figure 30: Extracting WinSCP Sessions data and decrypting the passwords

The stealer is not able to decrypt the passwords if WinSCP is protected with a master password and will then only be able to extract usernames.

Credit card information can also be extracted from browsers via SQLite functions. For example, the stealer looks for the \AppData\Local\Google\Chrome\User Data\Default\Web Data path and extracts the credit card information with the query SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards, then calls the BCryptDecrypt and CryptUnprotectData functions to decrypt the data.

Besides the sensitive data exfiltration, the stealer also gathers the host information including:

Figure 31: HWID calculation

The host information also includes the path from which the stealer was executed, as well as the OS version, computer name, username, display resolution, display language, keyboard languages, local time, time zone, hardware information, running processes and the list of software installed on the host (Figure 32).

Figure 32: Gathered host information that is sent out to C2

Vidar Stealer 3.6-3.7 Update

Starting from version 3.6, released in April 2023, Vidar users can generate builds with embedded DLL dependencies. This has increased the size of the builds to 2.9MB, but it means the DLL dependencies no longer need to be retrieved from the C2 server; instead, the ZIP archive containing the dependencies is embedded within the executable.

This reduces the amount of suspicious network traffic. After extraction, the DLLs are placed under the C:\ProgramData folder. Starting from update 3.7, Vidar users also have the option to disable the stealer’s self-deletion after successful execution.

Figure 33: Vidar Stealer updates

Figure 34: Embedded ZIP archive with DLL dependencies within the executable

With the latest build, the threat actor also switched from XOR to RC4 encryption with a key hardcoded in the binary.

Figure 35: Hardcoded RC4 key

We wrote an IDAPython string decryption script for the latest Vidar Stealer build as well as a configuration extractor script.

Vidar Stealer C2 Communication

As mentioned before, Vidar Stealer uses HTTP/HTTPS for C2 communication. First, the infected machine receives the ZIP archive containing the DLL dependencies from the C2. The dependencies are extracted under the ProgramData folder.

The stealer configuration is also shown in the PCAP below (Figure 36). The configuration includes the grabber parameters. In our example, the stealer exfiltrates .txt files under the Documents folder and excludes ‘movies:music:mp3’. The maximum size of a file the stealer grabs is 50 KB.

Figure 36: Stealer configuration

The exfiltrated data is compressed into a ZIP archive and base64-encoded (Figure 37, in red). The POST data also contains the profile value and profile ID, which are hardcoded within the binary, and the token value (Figure 37).

Figure 37: POST data including the exfiltrated data
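The POST structure just described (small hardcoded metadata fields next to one large base64 field that decodes to a ZIP of the stealer's text-file output) is what a network or proxy inspection rule can key on. The following is an added example written for this post, not eSentire's or Vidar's code: it parses a form-encoded body, strictly base64-decodes each field, recognises a ZIP by its PK\x03\x04 header and checks the member names against the artifact names named in this analysis (History.txt, the Autofill/Downloads/CC text files, the copied Authy Desktop leveldb). The field names profile, id, token and data in the constructed sample are assumptions; only the structure follows the PCAP description.

```python
import base64
import binascii
import io
import zipfile
from typing import Dict
from urllib.parse import parse_qs, urlencode

ZIP_MAGIC = b"PK\x03\x04"  # local file header of a ZIP archive

# Artifact names the analysis above says the stealer writes before zipping
# (History.txt, Autofill/Downloads/CC text files, copied Authy leveldb).
# Compared lower-cased with backslash separators.
STEALER_ARTIFACTS = ("history.txt", "autofill\\", "downloads\\", "cc\\", "soft\\authy desktop")


def _decode_b64(value: str):
    """Strict base64 decode; returns None for ordinary form values."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def inspect_post_body(body: str) -> Dict:
    """Inspect one application/x-www-form-urlencoded POST body for a
    base64-encoded ZIP whose member names look like stealer output."""
    result = {"zip_fields": [], "artifact_hits": [], "metadata": {}, "suspicious": False}
    for key, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            raw = _decode_b64(value)
            if raw is None or not raw.startswith(ZIP_MAGIC):
                # Small non-ZIP fields: the profile / profile ID / token metadata
                result["metadata"][key] = value
                continue
            result["zip_fields"].append(key)
            try:
                with zipfile.ZipFile(io.BytesIO(raw)) as zf:
                    names = [n.lower().replace("/", "\\") for n in zf.namelist()]
            except zipfile.BadZipFile:
                names = []  # truncated or corrupt archive: still a ZIP-in-base64 field
            result["artifact_hits"].extend(
                n for n in names if any(a in n for a in STEALER_ARTIFACTS)
            )
    result["suspicious"] = bool(result["zip_fields"] and result["artifact_hits"])
    return result


def build_sample_body() -> str:
    """Constructed stand-in for an exfiltration POST: a ZIP of typical stealer
    output files, base64-encoded, next to hardcoded-looking metadata fields.
    Field names (profile, id, token, data) are assumptions for this sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("History.txt", "https://example.test/\n")
        zf.writestr("Autofill/Firefox_default.txt", "constructed sample\n")
        zf.writestr("Soft/Authy Desktop/CURRENT", "MANIFEST-000001\n")
    blob = base64.b64encode(buf.getvalue()).decode()
    return urlencode({"profile": "1", "id": "1234", "token": "constructedtoken", "data": blob})


if __name__ == "__main__":
    verdict = inspect_post_body(build_sample_body())
    print("suspicious:", verdict["suspicious"], "hits:", verdict["artifact_hits"])
```

Because the ZIP is inspected by its header and member names rather than by a hash, the check still fires when the sample is rebuilt or the C2 changes; on a real proxy the body would come from the HTTP layer rather than from build_sample_body().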

How eSentire is Responding

Our Threat Response Unit (TRU) combines threat intelligence gained from research and security incidents to create practical outcomes for our customers. We are taking a comprehensive response approach to combat modern cybersecurity threats by deploying countermeasures, such as:

Our detection content is supported by investigation runbooks, ensuring our SOC (Security Operations Center) analysts respond rapidly to any intrusion attempts related to known malware Tactics, Techniques, and Procedures (TTPs). In addition, TRU closely monitors the threat landscape, constantly addresses capability gaps and conducts retroactive threat hunts to assess customer impact.

Recommendations from eSentire’s Threat Response Unit (TRU)

We recommend implementing the following controls to help secure your organization against Vidar Stealer malware:

While the TTPs used by threat actor(s) grow in sophistication, they create difficulties at which critical business decisions must be made. Preventing the various attack techniques and tactics utilized by modern threat actors requires actively monitoring the threat landscape, developing and deploying endpoint detections, and the ability to investigate logs and network data during active intrusions.

eSentire’s TRU is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.

If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.

Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.

Appendix

Yara Rule

rule Vidar_DLL_embedded {
    meta:
        author = "eSentire Threat Intelligence"
        description = "Vidar Stealer with embedded DLL dependencies" 
        date = "5/2/2023"
    strings:
        $s = {50 4B 03 04 14 00 00 00 08 00 24 56 25 55 2B 6D 5C 08 39 7C 05}
        $a1 = "https://t.me/mastersbots"
        $a2 = "https://steamcommunity.com/profiles/76561199501059503"
        $a3 = "%s\\%s\\Local Storage\\leveldb"
        $a4 = "\\Autofill\\%s_%s.txt"
        $a5 = "\\Downloads\\%s_%s.txt"
        $a6 = "\\CC\\%s_%s.txt"
        $a7 = "Exodus\\exodus.wallet"
    condition:
        $s and 5 of ($a*) 
}

Indicators of Compromise


MITRE ATT&CK

MITRE ATT&CK Tactic | ID | MITRE ATT&CK Technique | Description
Initial Access | T1189 | Drive-by Compromise | Vidar Stealer is delivered via malicious websites hosting fake cracked or pirated software.
User Execution | T1204.002 | Malicious File | The user launches the malicious file.
Virtualization/Sandbox Evasion | T1497.001 | System Checks | The stealer checks for the “HAL9TH” or “JohnDoe” names that are used by the Windows Defender emulator.
Defense Evasion | T1070.004 | Indicator Removal: File Deletion | Vidar Stealer deletes itself from the machine after successful execution.
Credential Access | T1555; T1555.003 | Credentials from Password Stores; Credentials from Password Stores: Credentials from Web Browsers | Vidar Stealer steals sensitive data from browsers including credentials, cookies and saved credit cards. It also steals SMTP, WordPress and FTP credentials.
Discovery | T1033; T1518; T1057; T1614.001; T1082 | System Owner/User Discovery; Software Discovery; Process Discovery; System Location Discovery: System Language Discovery; System Information Discovery | The stealer enumerates the host for the username and hardware information, running processes and installed applications, as well as keyboard and display languages.
Collection | T1113 | Screen Capture | The stealer takes a screenshot of the infected machine and sends it to the C2.
Exfiltration | T1020 | Automated Exfiltration | The stealer automatically exfiltrates the gathered files to the C2; some file-grabbing options can be customized by an attacker.
