The Vidar stealer has reappeared in a new campaign that uses Mastodon’s social media network to obtain C2 settings without raising warnings. It has been active since at least October 2018 and used in various attacks.
It has widespread use because it stays efficient at its function and is also inexpensive to buy on Telegram channels and underground sites, where it can be purchased for as low as $150.
Vidar attempts to steal the following information from compromised devices:
- Passwords, cookies, history, and credit card information stored in popular browsers
- Files stored according to the TA’s regex strings
- Cryptocurrency wallets
- Credentials for Telegram on Windows
- Information about the mailing app
- Information about the file transfer application (WINSCP, FTP, FileZilla)
Vidar’s usage of Mastodon, a prominent open-source social media network, to acquire dynamic configuration and C2 connection is what makes this campaign unique.
The threat actors create Mastodon accounts and then put the IP of the stealer’s C2 to their profile’s description area.
The goal is to encrypt communications from the hacked computer to the configuration source, and because Mastodon is a trusted platform, there should be no security concerns. Moreover, Mastodon is mainly unmoderated, making it unlikely to discover, report, and remove these malicious profiles.
Cyberint researchers discovered this campaign. According to them, each C2 they examined had between 500 and 1,500 separate campaign IDs, indicating the breadth of Vidar’s deployment.
Following the execution, a POST request for configuration is issued. Vidar then uses a series of GET requests to get its six DLL dependencies from the C2 server. These are genuine third-party DLLs for networking, MS Visual Studio runtime, and other purposes.
Vidar collects data such as email credentials, chat account details, web-browsing cookies, and more using these DLLs. It compresses everything into a ZIP archive and then sends the package to the attackers through HTTP POST.
Vidar then terminates its process and deletes the DLLs and primary executables in an attempt to erase any traces of its existence on the victim’s computer. The longer it takes for the victim to discover their credentials have been taken, the more possibilities the actors will have to exploit them.
Consider the typical distribution pathways to prevent having to cope with a severe Vidar infection. They are often unsolicited emails that make exaggerated promises regarding upcoming purchases, payments, and shipment delivery.
Direct messages with major social media networks, or even tainted game cracks obtained via torrent, are alternative distribution methods.
Image: Mastodon