eSentire Threat Intelligence Malware Analysis: Vidar Stealer

Vidar Stealer is an information stealer (infostealer) malware that first appeared on hacking forums at the end of 2018. It’s typically spread through the use of drive-by social engineering techniques wherein the victim visits a malicious webpage and unknowingly downloads the malware payload. In comparison to other infostealers, Vidar Stealer has a significantly higher subscription price largely due to its successful infection rate (above 75%) and the fact that new domains for the payloads are renewed in 3-4 days.

This malware analysis delves deeper into the technical details of how the Vidar Stealer malware operates and our security recommendations to protect your organization from being exploited.

Case Study: Vidar Stealer

eSentire Threat Response Unit (TRU) has observed numerous Vidar infections in enterprise software, Retail, Business Services, and Real Estate industries. We have also observed the stealer being delivered in a BatLoader campaign upon successful infection. The stealer is also capable of deleting itself after the infection.

The first mention of the stealer appeared on hacking forums at the end of 2018 (Figure 1).

The Vidar Stealer subscription price is significantly higher than other stealers such as Redline, Mars Stealer and Raccoon Stealer (Figure 2).

In a forum post, the malware author explained the high subscription price due to multiple features that include:

• The successful infection rate (successful log delivery), which is also commonly called as “otstuk” (“отстук”) among native Russian speakers, is above 75%.
• New domains for the builders (payloads) are renewed once in 3-4 days with the previous ones remaining intact.

The feature of the stealer generating and hosting their own domains/IPs for the builders makes it very convenient for the buyers as there is no need to spin up a VPS server and maintain it to receive the logs compared to other stealers.

Vidar Stealer is commonly confused as a variant of Arkei Stealer due to the code similarities but the developer claims that Arkei and Vidar are not related to each other. In December 2022, based on the Dark Web marketing known as ‘Russianmarket’, Vidar Stealer was the second most used Stealer on the Dark Web, with Redline Stealer being the number one stealer (Figure 3).

All the stolen logs are then sent to the Admin panel that is browser-based. The end-user would need an invitation code to register and purchase the subscription without directly interacting with the seller on Telegram (Figure 4).

Vidar Stealer spreads through drive-by downloads – users visit the website hosting a malicious stealer payload; typically it’s a fake cracked software or fake installers. The stealer also uses GitHub as a repository to host the payloads. That way the attacker(s) will receive the direct link to the payload file that they can send over to installer bots/providers (services that provide the mass spreading of the payload) (Figure 5).

It is worth mentioning that most Vidar Stealer users are using installer services to spread the stealer, which was likely the case with the Vidar stealer infection in Ukraine reported by CERT-UA, where the user visited the fake Advanced IP Scanner landing page.

Vidar Stealer Panel Review

One of the main sections of the panel is Settings, where the threat actor can specify what additional information, they want to exfiltrate from the infected host including Telegram logs, cryptocurrency wallets, browser history and downloads, screenshots, Steam, and Discord logs (Figure 6).

The grabber module allows an attacker to harvest files under the following folders (Figure 7):

• %DESKTOP%
• C:\Users\<username>\Documents
• %DRIVE_FIXED% (all drives on the machine)
• %DRIVE_REMOVABLE% (removable drives)
• %USERPROFILE%
• %APPDATA%
• %LOCALAPPDATA%
• C:\Program Files (x86)
• C:\Program Files
• C:\Users\<username>\Recent

The stealer contains a non-resident loader module. There are two kinds of loaders that are commonly mentioned by Russian native speakers:

• Non-resident loader – the loader deletes itself after successful infection.
• Resident loader – upon starting, the loader creates the persistence on the infected host via Registry Run Keys, Startup folder, and service creation.

The loader module only supports .exe binaries that are grabbed from the URL the attacker specifies. The attacker can specify to which country the loader can be applied to (Figure 8).

The stealer builder is constantly getting updated including the “Defender cleaning”, which means that the builder gets modified once a week, so Windows Defender is less likely to detect it (Figure 9).

The logs panel allows the malicious actor to easily navigate through logs and access them directly within the portal without having to download them to their machine (Figure 10).

The Services section automatically parses the stolen data including banking information, SMTP, Cpanel and WordPress credentials (Figure 11).

Compromised credentials for Cpanel and WordPress can be bought and used by other malicious actor(s) to spread their malware via the drive-by downloads.

One of the main features of Vidar Stealer is that it provides malicious users an option to set up their own domains (Figures 12-13), which is known as “gasket” or “pads”.

Pads, or gaskets, is an intermediate server set for the stealer to communicate with as a Command and Control (C2) server and send the exfiltrated logs to. The standard ports for C2 communications are HTTP/80 and HTTPS/443.

The malicious actor can host the C2 server on Telegram or Mastodon as the pads. Telegram and Mastodon allow the user to change the IPs on the fly by editing the profile description. With Telegram, the malicious actor can create a channel and add the IP and port in the description, for example hello http://IP:80| (Figure 13).

An example of an attacker’s Telegram C2 channel is shown in Figure 14.

Examples of Mastodon websites where an attacker can host their C2 include:

• https://c.im/
• https://indieweb.social/
• https://busshi.moe/
• https://koyu.space/
• https://mastodon.online/
• https://ioc.exchange/
• https://nerdculture.de/

The scheme works the same way as for Mastadon; an attacker inputs their C2 IP into the profile description field as shown in Figure 15. The threat actors have also been using Steam and TikTok accounts to host the C2.

Vidar Stealer Binary Review

Vidar Stealer binary is written in C++ programming language. The payload generated from Vidar Stealer Panel contains strings that are encoded with XOR keys. The XOR key is different for each string. In the binaries we have observed on clients’ environments (MD5: 810aa0d8faf41720af07153258c05b77), most payloads were using RC4 for string encryption.

We assume that the payloads with RC4 encryption are from the older version. The comparison of the decompiled codes containing the encoding/encryption functions for Vidar payload generated from the panel (on the left) and the one that we have observed on infected machines (on the right) (Figure 16).

The second binary contains an embedded RC4 key as shown in Figure 17. The encrypted hex strings are base64-encoded.

Interesting enough, both payloads still have unencrypted strings embedded in the payloads (Figure 18) including the cryptocurrency browser extensions and some crypto wallets, attacker’s C2, the text files generated from collecting the user’s browsing data, etc.

We will proceed with the analysis of the payload generated from C2 panel with the builder version 55.6 which is the latest one at the time of writing the report. The payload we have observed on the infected hosts from the BatLoader campaign are on version 54.7.

There are two XOR-decryption tables in the binary, one is responsible for decrypting the API functions and sandbox name checks, the other table decrypts the rest of the stealer strings. In order to complete this analysis, we wrote a script to decrypt the strings within the stealer binary. The stealer searches for the cryptowallet extensions in Chrome browser and extracts the CURRENT file within the %appdatalocal%\Google\Chrome\User Data\Default\Local Extension Settings\<extension_name> directory (Figure 19).

Vidar is also enumerating JSON and wallet.dat files (Figure 20).

The JSON file is also known as Keystore file that stores the private key of the cryptowallet in an encrypted format. The wallet DAT file contains transaction information, key metadata, private & public keys, and can be in an unencrypted or encrypted format. If it is encrypted but protected with a weak password, the attacker may be able to crack it (Figure 21).

The list of cryptowallet extensions that Vidar attempts to steal:

Additionally, the stealer grabs the leveldb files and wallet folder for Jaxx, Daedalus Mainnet, Wasabi, Blockstream, Dogecoin, Binance, Ravencoin, and Ledger Live cryptowallets.

For Mozilla Firefox password decryption process, the stealer looks for files such as cookies.sqlite, formhistory.sqlite, logins.json, and places.sqlite:

• Cookies.sqlite – stores the cookies.
• Formhistory.sqlite – stores the forms that the user has entered webpages.
• Logins.json – stores the encrypted usernames and passwords.
• Places.sqlite – stores the bookmarks, browsing history and keywords.

If cookies.sqlite is found, the stealer then proceeds to use SQLite to extract the cookies using the query SELECT host, isHttpOnly, path, isSecure, expiry, name, and value FROM moz_cookies (moz_cookies table contains the cookie information) (Figure 22).

Then, it will proceed to look for formhistory.sqlite and if the latest was found, the stealer starts extracting the Autofill data using SQLite functions and outputs the data in a text file for exfiltration (Figure 23).

After successfully decrypting the password, Vidar stealer appends the “Soft:” (Browser name) and “Host:” (domain) fields to the text file along with extracted logins and passwords.

For logins.json, the stealer calls NSS_Init() function that initializes the NSS library and extracts the parameters such as encryptedUsername, encryptedPassword, formSubmitURL. The stealer then proceeds with decrypting the fields using the NSS library cryptography functions such as PK11SDR_Decrypt, PK11_GetInternalKeySlot and PK11_Authenticate (Figure 24).

To extract browsing history, the stealer utilizes the query SELECT url FROM moz_places (moz_tables contain the list of the URLs that the user visited). After successfully extracting the browsing data, the stealer appends them to a History.txt file (Figure 25).

It’s worth noting that prior to decrypting the browser credentials, cookies and extracting sensitive information, the stealer looks for profiles.ini file under %appdata%\mozilla\firefox\profiles\ (Mozilla Firefox), %appdata%\Moonchild Productions\Pale Moon\Profiles\ (Pale Moon), %appdata%\Thunderbird\Profiles\ (Thunderbird). The .INI file contains the information of user profiles. Vidar stealer then gets the DLL dependencies such as vcruntime140.dll, softokn3.dll, nss3.dll, msvcp140.dll, mozglue.dll, and freebl3.dll (Figure 26).

Most stealers require the mentioned dependencies to function properly. You can refer to our blog on Mars Stealer to read about the DLLs mentioned. The DLL dependencies are downloaded from the C2 server within the ZIP archive, the ZIP archive name contains 19 random hexadecimal numbers and is extracted to ProgramData folder. Please note that the ZIP archive can also contain the name “update.zip” if the threat actor decides to set up and host their personal panel.

To extract FileZilla credentials, the stealer reads the recentservers.xml file on the host. The passwords are base64-encoded, so all the threat actor needs to do is to decode them to cleartext to further abuse the victims accounts. FileZilla stores credentials in two places, recentservers.xml saves the credentials that were entered via the quick connect bar, sitemanager.xml saves the credentials that were configured within the site manager. After successfully extracting the credentials, the data will be saved in the format:

The stealer also retrieves sensitive files from Authy Desktop (two-factor authentication application) such as .log, MAFINEST, LOG, LOCK and CURRENT files under the path AppData\Roaming\Authy Desktop\Local Storage\leveldb and copies them to the Soft\Authy Desktop folder that will be archived to be sent to the attacker. Besides Authy Desktop, the stealer also exfiltrates data from Google Authenticator browser extension, EOS Authenticator, and GAuth Authenticator (Figure 27).

Vidar will exfiltrate data from Telegram, Discord, Chrome, and Steam in the following manners:

• Telegram: Vidar Stealer exfiltrates the files such as key_datas, maps, A7FDF864FBC10B77, A92DAA6EA6F891F2, F8806DD0C461824F (Telegram encrypted data files) from AppData\Roaming\Telegram Desktop\tdata folder. The attacker can then attempt to decrypt the files and extract sensitive information. The exfiltrated data is written to \Soft\Telegram\ folder.
• Discord: The stealer retrieves the files under AppData\Roaming\discord\Local Storage\leveldb and AppData\Roaming\discord\Session Storage\leveldb then it attempts to extract Discord tokens that will be written to \Soft\Discord\discord_tokens.txt.
• Chrome: In order to decrypt credentials saved in Chrome, the stealer retrieves the AES encrypted key (encrypted_key) in Google\Chrome\User Data\Local State.
• Steam: The stealer queries the registry value SteamPath under HKEY_CURRENT_USER\Software\Valve\Steam to obtain the full path to Steam on the machine. Then it starts retrieving SSFN, config.vdf, DialogConfig.vdf, DialogConfigOverlay.vdf, libraryfolders.vdf, loginusers.vdf files that contain sensitive information. By obtaining the SSNF files, the attacker can bypass Steam Guard and get the full access to the account, considering that an attacker was able to obtain user’s credentials.

With the version 56.1, Vidar also added data exfiltration for Signal Messenger.

As previously mentioned, Vidar Stealer has a loader module that allows a malicious actor to push additional malware on the machine. The additional malware retrieved from a C2 with the help of a loader module will be placed under ProgramData folder.

First, the stealer checks if the URL to retrieve the payload is up and running (status code 200). If the link is valid, the malware writes the secondary payload to the host and if not the stealer sleeps for 1000 milliseconds (Figure 28).

The emulation check is also present within the Vidar Stealer binary. The binary retrieves the name of the local computer and the username and if it matches “HAL9TH” or “JohnDoe” strings accordingly, the binary will exit. The mentioned values are used by Windows Defender emulator (Figure 29).

The stealer exfiltrates WinSCP credentials via looking up the Sessions value name under HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions. But first, it checks if the user is using Master Password for WinSCP, if not then it proceeds with extracting the username and encrypted password values. The decrypting function and function responsible for extracting WinSCP credentials are shown in Figure 30.

The stealer is not able to decrypt the passwords if WinSCP is protected with a master password and will then only be able to extract usernames.

Credit card information can also be extracted from browsers via SQLite functions. For example, the stealer would look for \AppData\Local\Google\Chrome\User Data\Default\Web Data path and extracts the credit card information with the query SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards, then it calls the functions BCryptDecrypt and CryptUnprotectData to decrypt the data.

Besides the sensitive data exfiltration, the stealer also gathers the host information including:

• MachineID – the stealer locates the value under SOFTWARE\Microsoft\Cryptography\MachineGuid
• GUID – GUID is retrieved from calling the function GetCurrentHwProfileA which receives the information about the hardware profile)
• HWID – Figure 31 shows how the first 12 hexadecimal values are calculated based on the Volume Serial Number that is retrieved via the GetVolumeInformationA function. Later the stealer appends 10 digits to it, and part of the GUID and MachineID values are also added to the HWID which makes it unique to each infected host

The host information also contains the path where the stealer was executed, such as the OS version, computer name, username, display resolution, display language, keyboard languages, local time, time zone, hardware information, running processes and list of software installed on the host (Figure 32).

Vidar Stealer 3.6-3.7 Update

Starting from version 3.6, which was released in April 2023, Vidar users can generate builds with embedded DLL dependencies. This has increased the size of the builds to 2.9MB, but it means that the DLL dependencies no longer need to be retrieved from the C2 server. Instead, the ZIP archive containing the dependencies is already embedded within the executable.

This reduces the amount of suspicious activity on the network traffic. After extracting the DLLs, they will be placed under C:\ProgramData folder. Vidar users now also have the option to disable the self-deletion feature for the stealer after successful execution, starting from update 3.7.

With the latest build, the threat actor also switched from using XOR to using RC4 encryption with a hardcoded key in the binary.

We wrote the IDAPython string decryption script for the latest Vidar Stealer build as well as the configuration extractor script.

Vidar Stealer C2 Communication

As mentioned before, Vidar Stealer uses HTTP/HTTPs for C2 communication. First, the infected machine receives the ZIP archive from the C2 that contains DLL dependencies. The dependencies are extracted under ProgramData folder.

The stealer configuration is also shown in the PCAP below (Figure 33). The configuration includes the grabber parameters. In our example, the stealer exfiltrates the .txt files under Documents folder and excludes ‘movies:music:mp3’. 50 (KB) is the maximum size of the file that stealer grabs.

The exfiltrated data is compressed in a ZIP archive and base64-encoded (Figure 37 in red). The POST data also contains the profile value and profile ID which are hardcoded within the binary and the token value (Figure 37).

How eSentire is Responding

Our Threat Response Unit (TRU) combines threat intelligence gained from research and security incidents to create practical outcomes for our customers. We are taking a comprehensive response approach to combat modern cybersecurity threats by deploying countermeasures, such as:

• Performing global threat hunts for indicators associated with Vidar Stealer.

• Implementing threat detections to identify malicious command execution and ensure that eSentire has visibility and detections are in place across eSentire MDR for Endpoint.

Our detection content is supported by investigation runbooks, ensuring our SOC (Security Operations Center) analysts respond rapidly to any intrusion attempts related to a known malware Tactics, Techniques, and Procedures. In addition, TRU closely monitors the threat landscape and constantly addresses capability gaps and conducts retroactive threat hunts to assess customer impact.

Recommendations from eSentire’s Threat Response Unit (TRU)

We recommend implementing the following controls to help secure your organization against Vidar Stealer malware:

• Confirm that all devices are protected with Endpoint Detection and Response (EDR) solutions.
• Implement a Cyber Phishing and Security Awareness Training (PSAT) Program that educates and informs your employees on emerging threats in the threat landscape.
• Encourage your employees to use password managers instead of using the password storage feature provided by web browsers. Use master passwords where it’s applicable.

While the TTPs used by threat actor(s) grow in sophistication, they lead to a certain level of difficulties at which critical business decisions must be made. Preventing the various attack technique and tactics utilized by the modern threat actor requires actively monitoring the threat landscape, developing, and deploying endpoint detections, and the ability to investigate logs & network data during active intrusions.

eSentire’s TRU is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.

If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.

Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.

Appendix

• https://cert.gov.ua/article/2724253
• https://twitter.com/ankit_anubhav/status/1588073956606550018?s=20&t=cEI8GPRjfTd4FYqbzi3pWA
• https://twitter.com/ankit_anubhav/status/1595664080479535104?s=46&t=agmu8eh2vry7HB3A78Ga5Q
• https://github.com/RussianPand...
• https://twitter.com/crep1x/status/1593360365240389633?s=20&t=DADIky1LQTUvElJ2ZfnYcA
• https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-mars-stealer
• https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-getcurrenthwprofilea
• https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-getvolumeinformationa
• https://github.com/RussianPanda95/IDAPython/blob/main/Vidar/Vidar_Stealer_3.7_RC4_string_decryption.py
• https://github.com/RussianPand...

Yara Rule

rule Vidar_DLL_embedded {
    meta:
        author = "eSentire Threat Intelligence"
        description = "Vidar Stealer with embedded DLL dependencies" 
        date = "5/2/2023"
    strings:
        $s = {50 4B 03 04 14 00 00 00 08 00 24 56 25 55 2B 6D 5C 08 39 7C 05}
        $a1 = "https://t.me/mastersbots"
        $a2 = "https://steamcommunity.com/profiles/76561199501059503"
        $a3 = "%s\\%s\\Local Storage\\leveldb"
        $a4 = "\\Autofill\\%s_%s.txt"
        $a5 = "\\Downloads\\%s_%s.txt"
        $a6 = "\\CC\\%s_%s.txt"
        $a7 = "Exodus\\exodus.wallet"
    condition:
        $s and 5 of ($a*) 
}

Indicators of Compromise

MITRE ATT&CK