Vidar Stealer Malware

Executive Summary

• First Identified: November 2018
• Threat Type:
  • Malware
• Select Targeted Industries:
  • Healthcare
  • Technology
  • Government
• Select Targeted Victim HQ Locations:
  • North America
  • Europe
  • NOT CIS countries
• Select Known Associations:
  • Arkei Malware
  • Scattered Spider
  • Cyclops/Knight Ransomware
  • Hive Ransomware
  • XMRig Miner
• Select MITRE ATT&CK Mappings
  • Initial Access
    • Drive-by compromise, social engineering (MITRE ATT&CK: T1189, T1566)
  • Persistence
    • Scheduled tasks (MITRE ATT&CK: T1053)

Latest Public Blackpoint Incident Analysis of Vidar Stealer Malware

• February 22, 2024, with Undisclosed partner
  • This Week in Review: ScreenConnect “Updates,” Vidar Malware, & Malicious ZIP Files

Description of Vidar Stealer Malware

Vidar Stealer is a malware that has been active since November 2018 and is used to steal personal information from compromised machines. The malware is sold as a Malware-as-a-Service (MaaS) from the developer’s website. The price ranges from $130 to $750 depending on the model. The malware is often advertised on hacking forums and Telegram groups.

Vidar Stealer is often deployed via social engineering attacks – phishing emails with malicious attachments and links – and drive-by downloads. Vidar Stealer has also been observed using malicious Google ads to spread the malware variant. Vidar Stealer has been observed impersonating legitimate software such as Advanced IP Scanner, Adobe Photoshop, Microsoft Teams, and Adobe Illustrator.

Vidar Stealer has been previously assessed to be a variant of the Arkei malware family; however, an interview with purported Vidar Stealer staff indicated that source code was purchased from the Arkei developer but is a completely separate operation.

The name Vidar is likely in relation to the god Vidar. Vidar is the god of vengeance, silence, and resilience. Vidar is the son of Odin, the chief of the Aesir gods, and the giantess Gríðr. Additionally, text on the Vidar developer’s site supports this with the “Hail to the Silent One! Hail to Leathershod! Hail to the Wolf Ripper! Hail to the Far-Seer!” text visible on the home page.

Vidar Stealer is written in C++ programming language. Vidar Stealer samples have been observed including a row of null bytes at the beginning of the file in order to bloat its size up to nearly 700MB. The size limits of anti-malware software, which results in the file often being skipped. Researchers have reported that this method has only been observed when the malware is delivered via an archive – either via search result malvertising campaign or emails with archive attachments.

Vidar Stealer uses social media as its C2, including Telegram, Mastadon, Steam, Twitter, and TikTok. The first contact with the C2 includes only a bot ID. The server then returns with a configuration package that contains guidance upon behavior, and the DLL the malware needs to run. The body of the C2 response contains a specification that points at the features to be used; a sequence of 0 and 1 corresponds to the “modules” that will be used. Security researchers with GridinSoft identified the following module functionalities:

• Grabbing AutoFill data, cookies and credit card information;
• Collecting history of web views and downloads;
• Stealing cryptocurrency wallet addresses;
• Hijacking messages history from Telegram;
• Taking screenshots; and
• Stealing specific files.