Fast Facts
-
Evolution of Vidar: The Vidar infostealer has enhanced its capabilities, utilizing advanced obfuscation techniques and encrypted command-and-control channels to evade detection.
-
Wide Range of Attacks: It targets users through social engineering, employing phishing tactics and malvertising to compromise systems and harvest sensitive information.
-
Defense Evasion Strategies: Vidar employs sophisticated methods to maintain stealth, including randomizing filenames, suppressing error logs, and creating scheduled tasks for persistence.
- Significant Risks and Recommendations: As a serious threat to individuals and enterprises, users should adopt layered defenses and be aware of emerging social engineering tactics to protect against Vidar.
[gptAs a technology journalist, write a short news story divided in two subheadings, at 12th grade reading level about ‘Vidar Infostealer Back With a Vengeance’in short sentences using transition words, in an informative and explanatory tone, from the perspective of an insightful Tech News Editor, ensure clarity, consistency, and accessibility. Use concise, factual language and avoid jargon that may confuse readers. Maintain a neutral yet engaging tone to provide balanced perspectives on practicality, possible widespread adoption, and contribution to the human journey. Avoid passive voice. The article should provide relatable insights based on the following information ‘
The long-running Vidar infostealer has evolved with new obfuscation techniques.
That is according to researchers at cybersecurity vendor Aryaka, which published research last week dedicated to a fresh campaign involving the malware-as-a-service Vidar that has emerged in recent weeks. First tracked in late 2018, Vidar is an infostealer that enables affiliates to grab credentials, operating system details, cookies, sensitive financial data, various authentication tokens, and more from compromised environments.
Compared to previous strains, researchers said this latest iteration “exhibits heightened stealth and persistence through encrypted command-and-control (C2) channels, abuse of Living-off-the-Land Binaries (LOLBins), and covert exfiltration methods.”
The Vidar Infostealer, Then and Now
Vidar began as a spinoff of Arkei malware before evolving into a robust platform of its own in the years since. As to why it’s maintained relevance for the entirety of its seven-plus-year history, researchers credited the malware’s ease of deployment, versatility, plug-in compatibility, and overall potency.
It spreads via social engineering, often through affiliates crafting phishing emails that aim to get targets to click a link or download an attachment containing the malicious binary. It also spreads through compromised or malicious websites as well as malvertising campaigns claiming to offer legitimate software.
“This multipronged strategy enables Vidar to reach a broad audience while frequently bypassing basic defenses by exploiting user trust and closely mimicking legitimate content,” wrote Bikash Dash and Varadharajan Krishnasamy of the Aryaka Threat Research Lab.
Defense Evasion at Every Level
On the technical end, once the user inadvertently gets infected, the chain begins with a PowerShell script that loads both the Vidar binary and other scripts that stage various components for execution. Obfuscation is baked into every part of infection, including here.
“To retrieve its payloads stealthily, the script employs a custom Download-Reliable() PowerShell function that integrates multiple evasion techniques. The malware blends stealth with persistence by disguising its traffic as ‘PowerShell’ to appear legitimate while using exponential backoff with jitter to make repeated connections less noticeable,” Dash and Krishnasamy wrote. “Errors during communication are quietly suppressed, reducing logs and avoiding attention from defenders. To guarantee reliability, it persistently retries downloads several times even in unstable environments. At the same time, it randomizes directories and filenames, ensuring each instance looks different and making signature-based detection more difficult.”
It further attempts to evade defenses by adding Windows Defender exceptions (the malware predominantly targets Windows machines) as well as a script that attempts to bypass Windows’ Antimalware Scan Interface (AMSI) function.
In one tricky move, Vidar attempts to maintain persistence by creating a scheduled task for user logon “with a hidden window and a bypassed execution policy” that activates the malware at each reboot while maintaining stealthiness. Even trickier, the malware hooks into the CryptProtectMemory API many modern browsers use to protect passwords, enabling Vidar to activate before data is encrypted.
Lastly, the command-and-control (C2) server Vidar uses for data exfiltration is TLS-encrypted.
Protect Yourself Against the Vidar Infostealer
As the Aryaka researchers explained in their report, Vidar is a highly evolved and widespread infostealer that “poses a significant risk to both individual users and enterprise environments.”
Users should familiarize themselves with emerging social engineering techniques, as Vidar affiliates typically use “carefully crafted” campaigns to spread the malware. The researchers also advised a layered defense strategy, which includes enhanced process monitoring, network anomaly detection, timely threat intelligence, and strict PowerShell execution policies. Other security capabilities like DNS filtering, email and web gateways, firewalls, and endpoint detection and response (EDR) may also prove effective.
Dark Reading contacted Vidar for additional comment.
‘. Do not end the article by saying In Conclusion or In Summary. Do not include names or provide a placeholder of authors or source. Make Sure the subheadings are in between html tags of
[/gpt3]
Discover More Technology Insights
Dive deeper into the world of Cryptocurrency and its impact on global finance.
Explore past and present digital transformations on the Internet Archive.
CyberRisk-V1
