Vidar Stealer is an information stealer (infostealer) malware that first appeared on hacking forums at the end of 2018. It’s typically spread through the use of drive-by social engineering techniques wherein the victim visits a malicious webpage and unknowingly downloads the malware payload. In comparison to other infostealers, Vidar Stealer has a significantly higher subscription price largely due to its successful infection rate (above 75%) and the fact that new domains for the payloads are renewed in 3-4 days.
This malware analysis delves deeper into the technical details of how the Vidar Stealer malware operates and our security recommendations to protect your organization from being exploited.
eSentire Threat Response Unit (TRU) has observed numerous Vidar infections in the Enterprise Software, Retail, Business Services, and Real Estate industries. We have also observed the stealer being delivered by a BatLoader campaign after a successful infection. The stealer is also capable of deleting itself after the infection.
The first mention of the stealer appeared on hacking forums at the end of 2018 (Figure 1).
The Vidar Stealer subscription price is significantly higher than other stealers such as Redline, Mars Stealer and Raccoon Stealer (Figure 2).
In a forum post, the malware author justified the high subscription price by multiple features, including:
Because the stealer's operators generate and host the domains/IPs used by the builds, buyers do not need to spin up and maintain their own VPS to receive the logs, as they would with other stealers.
Vidar Stealer is commonly mistaken for a variant of Arkei Stealer because of code similarities, but the developer claims that Arkei and Vidar are not related. In December 2022, according to the Dark Web marketplace known as ‘Russianmarket’, Vidar Stealer was the second most used stealer on the Dark Web, with Redline Stealer being the number one stealer (Figure 3).
All stolen logs are sent to the browser-based admin panel. The end user needs an invitation code to register and purchase a subscription without directly interacting with the seller on Telegram (Figure 4).
Vidar Stealer spreads through drive-by downloads: users visit a website hosting a malicious stealer payload, typically fake cracked software or fake installers. The stealer also uses GitHub as a repository to host the payloads. This gives the attacker(s) a direct link to the payload file that they can hand to installer bots/providers (services that mass-spread the payload) (Figure 5).
It is worth mentioning that most Vidar Stealer users rely on installer services to spread the stealer, which was likely the case with the Vidar Stealer infection in Ukraine reported by CERT-UA, where the user visited a fake Advanced IP Scanner landing page.
One of the main sections of the panel is Settings, where the threat actor specifies what additional information they want to exfiltrate from the infected host, including Telegram logs, cryptocurrency wallets, browser history and downloads, screenshots, Steam, and Discord logs (Figure 6).
The grabber module allows an attacker to harvest files under the following folders (Figure 7):
The stealer contains a non-resident loader module. There are two kinds of loaders that are commonly mentioned by Russian native speakers:
The loader module only supports .exe binaries, which are fetched from the URL the attacker specifies. The attacker can also specify the countries in which the loader is applied (Figure 8).
The stealer builder is constantly updated, including “Defender cleaning”: the builder is modified once a week so that Windows Defender is less likely to detect it (Figure 9).
The logs panel allows the malicious actor to easily navigate through logs and access them directly within the portal without having to download them to their machine (Figure 10).
The Services section automatically parses the stolen data, including banking information and SMTP, cPanel and WordPress credentials (Figure 11).
Compromised cPanel and WordPress credentials can be bought and used by other malicious actors to spread their own malware via drive-by downloads.
One of the main features of Vidar Stealer is that it provides malicious users an option to set up their own domains (Figures 12-13), which is known as “gasket” or “pads”.
Pads, or gaskets, are intermediate servers that the stealer communicates with as its Command and Control (C2) and sends the exfiltrated logs to. The standard ports for C2 communications are HTTP/80 and HTTPS/443.
The malicious actor can use Telegram or Mastodon as the pads hosting the C2 address. Both allow the operator to change the IP on the fly by editing a profile description. With Telegram, the malicious actor creates a channel and adds the IP and port to its description, for example hello http://IP:80| (Figure 13).
An example of an attacker’s Telegram C2 channel is shown in Figure 14.
Examples of Mastodon websites where an attacker can host their C2 include:
The scheme works the same way on Mastodon: the attacker enters their C2 IP into the profile description field, as shown in Figure 15. The threat actors have also been using Steam and TikTok accounts to host the C2.
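The "dead drop" layout described above (a C2 address embedded in a profile description, terminated by a pipe) is easy to resolve on the defender's side when triaging a suspected operator account. The following is an added example written for this page, not code from the original post: it parses descriptions in the hello http://IP:80| shape, accepts defanged "[.]" notation, and rejects malformed addresses and ports. The profile texts are constructed and use RFC 5737 documentation addresses; the default port of 80 when none is given is an assumption.

```python
"""Resolve a Vidar-style C2 marker from a dead-drop profile description.
Example code added for this page (not from the original post); sample
descriptions are constructed and use RFC 5737 documentation addresses."""
import ipaddress
import re

# Marker layout from the report: "hello http://IP:80|" -> URL with an IP host,
# an optional port, and a trailing pipe. Defanged "[.]" dots are accepted so the
# same parser works on threat-intel notes.
_C2_RE = re.compile(
    r"https?://(?P<host>(?:\d{1,3}(?:\.|\[\.\])){3}\d{1,3})(?::(?P<port>\d{1,5}))?\|"
)


def extract_c2(description: str):
    """Return (ip, port) when the description carries a well-formed marker, else None."""
    m = _C2_RE.search(description)
    if not m:
        return None
    host = m.group("host").replace("[.]", ".")  # refang before validating
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # e.g. an octet above 255
        return None
    port = int(m.group("port") or 80)  # assumption: no port means HTTP/80
    if not 1 <= port <= 65535:
        return None
    return str(ip), port


def scan_profiles(profiles):
    """Map each (platform, description) pair to its extracted C2 for triage or blocklisting."""
    return {platform: extract_c2(desc) for platform, desc in profiles}


# Constructed profile descriptions; the addresses are documentation ranges, not real C2s.
SAMPLE_PROFILES = [
    ("telegram", "hello http://192.0.2.10:80|"),
    ("mastodon", "cats, coffee. http://198.51.100[.]7:443| weekly posts"),
    ("steam", "just here to play"),
    ("tiktok", "http://999.1.1.1:80|"),  # malformed octet, must be rejected
]

if __name__ == "__main__":
    for platform, c2 in scan_profiles(SAMPLE_PROFILES).items():
        print(f"{platform:9s} -> {c2}")
```

The parser validates the octets with ipaddress rather than trusting the regex, so a description that merely looks like the marker but carries an impossible address is not turned into a blocklist entry.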
The Vidar Stealer binary is written in C++. The payload generated from the Vidar Stealer panel contains strings encoded with XOR keys, and the XOR key differs for each string. In the binaries we observed in clients’ environments (MD5: 810aa0d8faf41720af07153258c05b77), most payloads used RC4 for string encryption.
We assume that the payloads with RC4 encryption are from an older version. Figure 16 compares the decompiled encoding/encryption functions of the Vidar payload generated from the panel (left) and the one observed on infected machines (right).
The second binary contains an embedded RC4 key as shown in Figure 17. The encrypted hex strings are base64-encoded.
Interestingly, both payloads still contain unencrypted strings (Figure 18), including the names of cryptocurrency browser extensions and some crypto wallets, the attacker’s C2, the names of the text files generated when collecting the user’s browsing data, etc.
We proceed with the analysis of the payload generated from the C2 panel with builder version 55.6, the latest at the time of writing. The payloads observed on hosts infected by the BatLoader campaign are version 54.7.
There are two XOR-decryption tables in the binary: one decrypts the API function names and the sandbox name checks, the other decrypts the rest of the stealer strings. To complete this analysis, we wrote a script to decrypt the strings within the stealer binary. The stealer searches for cryptowallet extensions in the Chrome browser and extracts the CURRENT file within the %appdatalocal%\Google\Chrome\User Data\Default\Local Extension Settings\<extension_name> directory (Figure 19).
Vidar also enumerates JSON and wallet.dat files (Figure 20).
The JSON file, also known as a Keystore file, stores the private key of the cryptowallet in encrypted form. The wallet.dat file contains transaction information, key metadata and private and public keys, and can be unencrypted or encrypted. If it is encrypted but protected with a weak password, the attacker may be able to crack it (Figure 21).
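The string protection described above (per-string XOR keys in the panel build, RC4 with an embedded key in the observed samples, with the RC4 ciphertext stored as base64-encoded hex) is what an analyst's decryption script has to undo. The following is an added example written for this page, not eSentire's IDAPython script: it implements RC4, peels the base64/hex layers, and handles the XOR variant. The key, the plaintexts and the ciphertexts are constructed here; in a real sample the RC4 key is read from the binary (Figure 17) and the XOR keys from the decryption tables.

```python
"""Reference string decryptor for the two encodings the analysis describes.
Example code added for this page, not eSentire's IDAPython script; every
key and ciphertext below is constructed."""
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream); encrypt and decrypt are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_rc4_string(blob: str, key: bytes) -> str:
    """Undo the layering the report describes: base64 text -> hex text -> RC4 ciphertext."""
    hex_text = base64.b64decode(blob).decode("ascii")
    return rc4(key, bytes.fromhex(hex_text)).decode("utf-8", errors="replace")


def encode_rc4_string(plaintext: str, key: bytes) -> str:
    """Inverse of decrypt_rc4_string; used only to build the constructed samples below."""
    return base64.b64encode(rc4(key, plaintext.encode()).hex().encode()).decode()


def xor_decrypt(data: bytes, key: bytes) -> str:
    """Per-string XOR with a repeating key, the layout used by the panel-generated build."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data)).decode("utf-8", errors="replace")


def decrypt_all(blobs, key: bytes) -> list:
    """Decrypt every RC4-protected string in a table with the same embedded key."""
    return [decrypt_rc4_string(b, key) for b in blobs]


# Constructed key and strings (not taken from any real sample).
SAMPLE_KEY = b"constructed-rc4-key"
SAMPLE_STRINGS = [encode_rc4_string(s, SAMPLE_KEY)
                  for s in ("wallet.dat", "logins.json", "\\Autofill\\%s_%s.txt")]
# "nss3.dll" XOR-ed with the constructed two-byte key 5a 13.
XOR_SAMPLE = bytes.fromhex("34 60 29 20 74 77 36 7f")

if __name__ == "__main__":
    for blob, clear in zip(SAMPLE_STRINGS, decrypt_all(SAMPLE_STRINGS, SAMPLE_KEY)):
        print(f"{blob} -> {clear}")
    print(xor_decrypt(XOR_SAMPLE, b"\x5a\x13"))
```

Because RC4 is symmetric, the same routine both builds the constructed samples and decrypts them, so the script can be checked against a known RC4 test vector before it is pointed at a real string table.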
Vidar attempts to steal data from the following cryptowallet extensions:
Cryptowallet Name | Browser Extension |
TronLink | ibnejdfjmmkpcnlpebklmnkoeoihofec |
MetaMask | nkbihfbeogaeaoehlefnkodbefgpgknn |
BinanceChainWallet | fhbohimaelbohpjbbldcngcnapndodjp |
Yoroi | ffnbelfdoeiohenkjibnmadjiehjhajb |
NiftyWallet | jbdaocneiiinmjbjlgalhcelgbejmnid |
MathWallet | afbcbjpbpfadlkmhmclhkeeodmamcflc |
Coinbase | hnfanknocfeofbddgcijnmhnfnkdnaad |
Guarda | hpglfhgfnhbgpjdenjgmdgoeiappafln |
EQUALWallet | blnieiiffboillknjnepogjhkgnoapac |
JaxxLiberty | cjelfplplebdjjenllpjcblmjkfcffne |
BitAppWallet | fihkakfobkmkjojpchpfgcmhfjnmnfpi |
iWallet | kncchdigobghenbbaddojjnnaogfppfj |
Wombat | amkmjjmmflddogmhpjloimipbofnfjih |
MewCx / Enkrypt | nlbmnnijcnlegkjjpcfjclmcfggfefdm |
GuildWallet | nanjmdknhkinifnkgdcggcfnhdaammmj |
RoninWallet | fnjhmkhhmkbjkkabndcnnogagogbneec |
RoninWalletEdge | kjmoohlgokccodicjjfebfomlbljgfhk |
NeoLine | cphhlgmgameodnhkjdmkpanlelnlohao |
CloverWallet (CLV Wallet) | nhnkbkgjikgcigadomkphalanndcapjk |
LiqualityWallet | kpfopkelmapcoipemfendmdcghnegimn |
Terra Station | aiifbnbfobpmeekipheeijimdpnlpgpp |
Keplr | dmkamcknogkgcdfhhbddcghachkejeap |
Sollet | fhmfendgdocmcbmfikdcogofphimnkno |
AuroWallet | cnmamaachppnkjgnildpdmkaakejnhae |
PolymeshWallet | jojhfeoedkpkglbfimdfabpdfjaoolaf |
ICONex | flpiciilemghbmfalicajoolhkkenfel |
Harmony | fnnegphlobjdpkhecapkijjdkgcjhkib |
Coin98 | aeachknmefphepccionboohckonoeemg |
EVER Wallet | cgeeodpfagjceefieflmdfphplkenlfk |
KardiaChain | pdadjkfkgcafgbceimcpbkalnfnepbnk |
Rabby | acmacodkjbdgmoleebolmdjonilkdbch |
Phantom | bfnaelmomeimhlpmgjnjophhpkkoljpa |
Brave Wallet | odbfpeeihdkbihmopkbjmoonfanlbfcl |
MetaMask | ejbalbakoplchlghecdalmeeeajnimhm |
Oxygen (Atomic) | fhilaheimglignddkjgofkcbgekhenbh |
PaliWallet | mgffkfbidihjpoaomajlbgchddlicgpn |
BoltX | aodkkagnadcbobfpggfnjeongemjbjca |
XdefiWallet | hmeobnfnfcmdkdcmlblgagmfpfboieaf |
NamiWallet | lpfcbjknijpeeillifnkikgncikgfhdo |
MaiarDeFiWallet | dngmlblcodfobpdpecaadgfbcggfjfnm |
WavesKeeper | lpilbniiabackdjcionkobglmddfbcjo |
Solflare | bhhhlbepdkbapadjdnnojkbgioiodbic |
CyanoWallet | dkdedlpgdmmkkfjabffeganieamfklkm |
KHC | hcflpincpppdclinealmandijcmnkbgn |
TezBox | mnfifefkajgofkcjkemidiaecocnkjeh |
Temple | ookjlbkiijinhpmnjffcofjonbfbgaoc |
Goby | jnkelfanjkeadonecabehalmbgpfodjm |
Additionally, the stealer grabs the leveldb files and wallet folder for Jaxx, Daedalus Mainnet, Wasabi, Blockstream, Dogecoin, Binance, Ravencoin, and Ledger Live cryptowallets.
For the Mozilla Firefox password decryption process, the stealer looks for the files cookies.sqlite, formhistory.sqlite, logins.json, and places.sqlite:
If cookies.sqlite is found, the stealer uses SQLite to extract the cookies with the query SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies (the moz_cookies table holds the cookie data) (Figure 22).
It then looks for formhistory.sqlite; if that file is found, the stealer extracts the autofill data using SQLite functions and writes it to a text file for exfiltration (Figure 23).
After successfully decrypting the password, Vidar stealer appends the “Soft:” (Browser name) and “Host:” (domain) fields to the text file along with extracted logins and passwords.
For logins.json, the stealer calls NSS_Init() to initialize the NSS library and extracts the encryptedUsername, encryptedPassword and formSubmitURL fields. It then decrypts the fields using NSS cryptography functions such as PK11SDR_Decrypt, PK11_GetInternalKeySlot and PK11_Authenticate (Figure 24).
To extract browsing history, the stealer uses the query SELECT url FROM moz_places (the moz_places table holds the URLs the user visited). After extracting the browsing data, the stealer appends it to a History.txt file (Figure 25).
It is worth noting that before decrypting the browser credentials and cookies and extracting sensitive information, the stealer looks for a profiles.ini file under %appdata%\mozilla\firefox\profiles\ (Mozilla Firefox), %appdata%\Moonchild Productions\Pale Moon\Profiles\ (Pale Moon) and %appdata%\Thunderbird\Profiles\ (Thunderbird). The .INI file holds the user profile information. Vidar Stealer then obtains the DLL dependencies vcruntime140.dll, softokn3.dll, nss3.dll, msvcp140.dll, mozglue.dll, and freebl3.dll (Figure 26).
Most stealers require these dependencies to function properly; see our blog on Mars Stealer for details on the DLLs mentioned. The DLL dependencies are downloaded from the C2 server in a ZIP archive whose name consists of 19 random hexadecimal digits, and are extracted to the ProgramData folder. Note that the ZIP archive can also be named “update.zip” if the threat actor sets up and hosts their own panel.
To extract FileZilla credentials, the stealer reads the recentservers.xml file on the host. FileZilla stores credentials in two places: recentservers.xml holds the credentials entered via the quick connect bar, and sitemanager.xml holds the credentials configured in the site manager. The passwords are base64-encoded, so all the threat actor needs to do is decode them to cleartext to abuse the victims’ accounts. After extracting the credentials, the data is saved in the format:
Soft: FileZilla
Host:
Login:
Password:
The stealer also retrieves sensitive files from Authy Desktop (a two-factor authentication application), such as the .log, MANIFEST, LOG, LOCK and CURRENT files under AppData\Roaming\Authy Desktop\Local Storage\leveldb, and copies them to the Soft\Authy Desktop folder, which is archived and sent to the attacker. Besides Authy Desktop, the stealer also exfiltrates data from the Google Authenticator browser extension, EOS Authenticator, and GAuth Authenticator (Figure 27).
Vidar will exfiltrate data from Telegram, Discord, Chrome, and Steam in the following manners:
With version 56.1, Vidar also added data exfiltration from Signal Messenger.
As previously mentioned, Vidar Stealer has a loader module that allows a malicious actor to push additional malware onto the machine. The additional malware retrieved from the C2 by the loader module is placed under the ProgramData folder.
First, the stealer checks whether the URL hosting the payload is reachable (status code 200). If so, the malware writes the secondary payload to the host; if not, the stealer sleeps for 1000 milliseconds (Figure 28).
An emulation check is also present in the Vidar Stealer binary. The binary retrieves the local computer name and the username; if they match the “HAL9TH” and “JohnDoe” strings respectively, the binary exits. These values are used by the Windows Defender emulator (Figure 29).
The stealer exfiltrates WinSCP credentials by looking up the Sessions entries under HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions. First, it checks whether the user has set a master password for WinSCP; if not, it extracts the username and encrypted password values. The decryption function and the function that extracts the WinSCP credentials are shown in Figure 30.
The stealer cannot decrypt the passwords if WinSCP is protected with a master password and will then only be able to extract usernames.
Credit card information can also be extracted from browsers via SQLite functions. For example, the stealer looks for the \AppData\Local\Google\Chrome\User Data\Default\Web Data database, extracts the credit card records with the query SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards, and then calls BCryptDecrypt and CryptUnprotectData to decrypt the data.
Besides the sensitive data exfiltration, the stealer also gathers the host information including:
The host information also includes the path from which the stealer was executed, as well as the OS version, computer name, username, display resolution, display language, keyboard languages, local time, time zone, hardware information, running processes and the list of software installed on the host (Figure 32).
Starting from version 3.6, released in April 2023, Vidar users can generate builds with embedded DLL dependencies. This increased the size of the builds to 2.9MB, but the DLL dependencies no longer need to be retrieved from the C2 server: the ZIP archive containing the dependencies is embedded in the executable.
This reduces the amount of suspicious network traffic. After extraction, the DLLs are placed under the C:\ProgramData folder. Starting from update 3.7, Vidar users can also disable the stealer’s self-deletion after successful execution.
With the latest build, the threat actor also switched from XOR to RC4 encryption with a key hardcoded in the binary.
We wrote an IDAPython string decryption script for the latest Vidar Stealer build as well as a configuration extractor script.
As mentioned before, Vidar Stealer uses HTTP/HTTPS for C2 communication. First, the infected machine receives from the C2 the ZIP archive containing the DLL dependencies, which are extracted under the ProgramData folder.
The stealer configuration is also visible in the PCAP (Figure 33). The configuration includes the grabber parameters; in our example, the stealer exfiltrates .txt files under the Documents folder, excludes ‘movies:music:mp3’, and grabs files up to 50 KB in size.
The exfiltrated data is compressed into a ZIP archive and base64-encoded (Figure 37, in red). The POST data also contains the profile value and profile ID, which are hardcoded in the binary, and the token value (Figure 37).
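The upload shape just described (a POST whose body carries a base64-encoded ZIP together with profile, profile-ID and token values) is a useful network detection point. The following is an added example written for this page, not eSentire's detection content: it decodes each form field, checks for a ZIP local-file header, lists archive members against the output layout the report mentions (Autofill, CC and Downloads text files, History.txt, the Soft folder) and reports a verdict. The form field names profile, profile_id, token and file, and the sample archive, are constructed assumptions; the report does not give the field names.

```python
"""Flag a form-urlencoded POST body that looks like the stealer's exfiltration
upload. Example code added for this page, not eSentire's detection content;
field names and the sample archive are constructed assumptions."""
import base64
import io
import zipfile
from urllib.parse import parse_qs, urlencode

ZIP_MAGIC = b"PK\x03\x04"


def decode_base64_zip(value: str, min_len: int = 64):
    """Return the decoded bytes when the field is a base64-encoded ZIP, else None."""
    if len(value) < min_len:
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw if raw.startswith(ZIP_MAGIC) else None


def _is_stealer_member(name: str) -> bool:
    """Member paths the report associates with the stealer's archive layout."""
    norm = name.replace("\\", "/").lower().lstrip("/")
    return norm.startswith(("autofill/", "cc/", "downloads/", "soft/")) or norm == "history.txt"


def stealer_style_members(raw: bytes) -> list:
    """List archive members matching the known output layout (empty if not a readable ZIP)."""
    try:
        with zipfile.ZipFile(io.BytesIO(raw)) as zf:
            return [n for n in zf.namelist() if _is_stealer_member(n)]
    except zipfile.BadZipFile:
        return []


def analyse_post_body(body: str) -> dict:
    """Inspect one application/x-www-form-urlencoded body; return indicators and a verdict."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    indicators = []
    for name, value in fields.items():
        raw = decode_base64_zip(value)
        if raw is None:
            continue
        indicators.append(f"field '{name}' is a base64-encoded ZIP ({len(raw)} bytes)")
        members = stealer_style_members(raw)
        if members:
            indicators.append("stealer-style archive members: " + ", ".join(sorted(members)))
    # Assumed metadata field names; the report only says the POST carries a profile, a profile ID and a token.
    if all(k in fields for k in ("profile", "profile_id", "token")):
        indicators.append("profile/profile_id/token metadata present")
    suspicious = any(i.startswith("field '") for i in indicators)
    return {"suspicious": suspicious, "indicators": indicators}


def build_sample_body() -> str:
    """Constructed POST body: a tiny archive laid out like the stealer's output."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("History.txt", "https://example.test/\n")
        zf.writestr("Autofill\\Chrome_Default.txt", "constructed autofill sample\n")
        zf.writestr("CC\\Chrome_Default.txt", "constructed card sample\n")
    archive_b64 = base64.b64encode(buf.getvalue()).decode("ascii")
    # urlencode percent-encodes '+', '/' and '=', so the base64 survives parse_qs intact.
    return urlencode({"profile": "constructed-profile", "profile_id": "1",
                      "token": "constructed-token", "file": archive_b64})


if __name__ == "__main__":
    for line in analyse_post_body(build_sample_body())["indicators"]:
        print(line)
```

The verdict keys on the base64-ZIP field alone, because a ZIP archive hidden inside a form value is unusual for legitimate traffic; the member-name and metadata checks are reported as supporting indicators so an analyst can tell a Vidar-shaped upload from some other archive upload.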
Our Threat Response Unit (TRU) combines threat intelligence gained from research and security incidents to create practical outcomes for our customers. We are taking a comprehensive response approach to combat modern cybersecurity threats by deploying countermeasures, such as:
Our detection content is supported by investigation runbooks, ensuring our SOC (Security Operations Center) analysts respond rapidly to any intrusion attempts related to known malware Tactics, Techniques, and Procedures (TTPs). In addition, TRU closely monitors the threat landscape, constantly addresses capability gaps, and conducts retroactive threat hunts to assess customer impact.
We recommend implementing the following controls to help secure your organization against Vidar Stealer malware:
While the TTPs used by threat actors grow in sophistication, they create difficult situations in which critical business decisions must be made. Preventing the various attack techniques and tactics used by modern threat actors requires actively monitoring the threat landscape, developing and deploying endpoint detections, and the ability to investigate logs and network data during active intrusions.
eSentire’s TRU is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.
If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.
Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.
rule Vidar_DLL_embedded
{
    meta:
        author = "eSentire Threat Intelligence"
        description = "Vidar Stealer with embedded DLL dependencies"
        date = "5/2/2023"
    strings:
        $s = {50 4B 03 04 14 00 00 00 08 00 24 56 25 55 2B 6D 5C 08 39 7C 05}
        $a1 = "https://t.me/mastersbots"
        $a2 = "https://steamcommunity.com/profiles/76561199501059503"
        $a3 = "%s\\%s\\Local Storage\\leveldb"
        $a4 = "\\Autofill\\%s_%s.txt"
        $a5 = "\\Downloads\\%s_%s.txt"
        $a6 = "\\CC\\%s_%s.txt"
        $a7 = "Exodus\\exodus.wallet"
    condition:
        $s and 5 of ($a*)
}
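The rule's condition combines one hex pattern with a "5 of" threshold over seven strings. The following is an added example for this page, not eSentire's tooling: it evaluates the same condition in pure Python so the rule's logic can be checked against a file or memory dump on a host where yara-python is not installed. The atoms are copied from the rule above; the three test buffers are constructed.

```python
"""Pure-Python evaluation of the Vidar_DLL_embedded rule condition.
Example code added for this page, not eSentire's tooling; the atoms come from
the rule above and the sample buffers are constructed."""

# $s: the ZIP local-file header bytes from the rule (bytes.fromhex ignores the spaces).
RULE_S = bytes.fromhex("50 4B 03 04 14 00 00 00 08 00 24 56 25 55 2B 6D 5C 08 39 7C 05")
# $a1..$a7: the string atoms from the rule.
RULE_A = {
    "a1": b"https://t.me/mastersbots",
    "a2": b"https://steamcommunity.com/profiles/76561199501059503",
    "a3": b"%s\\%s\\Local Storage\\leveldb",
    "a4": b"\\Autofill\\%s_%s.txt",
    "a5": b"\\Downloads\\%s_%s.txt",
    "a6": b"\\CC\\%s_%s.txt",
    "a7": b"Exodus\\exodus.wallet",
}


def matched_atoms(data: bytes) -> dict:
    """Which of the rule's strings occur in the buffer (plain substring search, as YARA does)."""
    hits = {"s": RULE_S in data}
    hits.update({name: atom in data for name, atom in RULE_A.items()})
    return hits


def vidar_dll_embedded(data: bytes) -> bool:
    """The rule's condition: $s and 5 of ($a*)."""
    hits = matched_atoms(data)
    return hits["s"] and sum(hits[name] for name in RULE_A) >= 5


def scan_file(path: str) -> bool:
    """Apply the condition to a file on disk (read whole, fine for multi-MB builds)."""
    with open(path, "rb") as fh:
        return vidar_dll_embedded(fh.read())


# Constructed buffers: one hit (header plus five atoms) and two near misses.
SAMPLE_HIT = b"\x00" * 16 + RULE_S + b"".join(RULE_A[n] for n in ("a3", "a4", "a5", "a6", "a7"))
SAMPLE_FOUR_ATOMS = RULE_S + b"".join(RULE_A[n] for n in ("a3", "a4", "a5", "a6"))
SAMPLE_NO_HEADER = b"".join(RULE_A.values())

if __name__ == "__main__":
    for label, buf in (("hit", SAMPLE_HIT), ("four atoms", SAMPLE_FOUR_ATOMS), ("no header", SAMPLE_NO_HEADER)):
        print(f"{label:10s} -> {vidar_dll_embedded(buf)}")
```

The near-miss buffers make the threshold explicit: four atoms with the header, or all seven atoms without it, do not satisfy the condition, exactly as the YARA engine would evaluate it.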
Name | Indicators |
Vidar Stealer payload | 810aa0d8faf41720af07153258c05b77 |
C2 | 95.217.27[.]240 |
C2 | 88.198.89[.]6 |
C2 | 168.119.167[.]188 |
C2 | 78.46.160[.]87 |
Vidar Stealer payload | 783597870319e8fc1c818c5f13e28a0d |
MITRE ATT&CK Tactic | ID | MITRE ATT&CK Technique | Description |
Initial Access | T1189 | Drive-by Compromise | Vidar Stealer is delivered via malicious websites hosting fake cracked or pirated software. |
User Execution | T1204.002 | Malicious File | The user launches the malicious file. |
Virtualization/Sandbox Evasion | T1497.001 | System Checks | The stealer checks for the “HAL9TH” or “JohnDoe” strings used by the Windows Defender emulator. |
Defense Evasion | T1070.004 | Indicator Removal: File Deletion | Vidar Stealer deletes itself from the machine after successful execution. |
Credential Access | T1555, T1555.003 | Credentials from Password Stores; Credentials from Password Stores: Credentials from Web Browsers | Vidar Stealer steals sensitive data from browsers including credentials, cookies and saved credit cards. It also steals SMTP, WordPress and FTP credentials. |
Discovery | T1033, T1518, T1057, T1614.001, T1082 | System Owner/User Discovery; Software Discovery; Process Discovery; System Location Discovery: System Language Discovery; System Information Discovery | The stealer enumerates the host for the username and hardware information, running processes and installed applications as well as keyboard and display languages. |
Collection | T1113 | Screen Capture | The stealer takes a screenshot of the infected machine and sends it to the C2. |
Exfiltration | T1020 | Automated Exfiltration | The stealer automatically exfiltrates the gathered files to the C2; some file grabbing options can be customized by the attacker. |
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.