Researchers discovered an email malware campaign in February 2022 that demonstrates the complexity attackers are introducing to the delivery mechanism in order to avoid detection. The new campaign delivers an old but frequently updated infostealer: Vidar.
The initial approach is standard – an email with a malicious attachment. The attachment, ‘request.doc’, is a disguised ISO file. If the target can be persuaded to click on request.doc, two files are exposed: a CHM file (Microsoft’s stand-alone help file format), and ‘app.exe’.
app.exe launches the Vidar malware. Most users today could be trusted not to open a strange .exe delivered to them by email. But this isn’t necessary for the attacker. CHM files are generally more recognized and trusted by users. If this is opened, apparently innocuous content is exposed. However, say the Trustwave researchers in an associated blog, “This HTML has a button object which automatically triggers the silent re-execution of the CHM ‘pss10r.chm’ with mshta.”
When it is re-executed, JavaScript included within the file automatically executes the app.exe file, and the initial stage of Vidar is loaded. The final launcher is hidden in the Help file.
“We’re seeing that attackers are really trying to nest their attacks in multiple layers to prevent detection,” Karl Sigler, the manager of Trustwave’s SpiderLabs threat intelligence, told SecurityWeek. “By having control go from ISO to CHM to HTML to JavaScript and only then to the executable, a lot of anti-malware security protections, spam filters, email gateways, and so on may miss the attack because it is nested so deep.”
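The disguised-attachment step of that chain can be caught at the gateway by comparing an attachment’s claimed extension with the container type its bytes actually declare. The following check is an added example, not code from the article or from Trustwave; the magic-number offsets are the published ISO 9660, CHM, PE and OLE signatures, and the sample attachments are constructed.

```python
# Added example (not from the article or Trustwave): an email-gateway style check
# that compares an attachment's claimed extension with the container type found in
# its bytes, so a 'request.doc' that is really an ISO image is flagged.

ISO9660_PVD_OFFSET = 0x8000          # primary volume descriptor lives at sector 16
ISO9660_MAGIC = b"\x01CD001"         # type-1 descriptor byte + "CD001" identifier
CHM_MAGIC = b"ITSF"                  # Microsoft compiled HTML help header
PE_MAGIC = b"MZ"                     # Windows executable (app.exe)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc compound file

def detect_container(data: bytes) -> str:
    """Return the real container type of an attachment based on its bytes."""
    if data.startswith(CHM_MAGIC):
        return "chm"
    if data.startswith(PE_MAGIC):
        return "exe"
    if data.startswith(OLE_MAGIC):
        return "doc"
    # Slicing past the end of a short file simply yields b"", so no length check needed.
    pvd = data[ISO9660_PVD_OFFSET:ISO9660_PVD_OFFSET + len(ISO9660_MAGIC)]
    if pvd == ISO9660_MAGIC:
        return "iso"
    return "unknown"

# Extensions under which each real type is legitimately delivered.
EXPECTED_EXT = {
    "chm": {".chm"}, "exe": {".exe"}, "iso": {".iso", ".img"}, "doc": {".doc", ".dot"},
}

def check_attachment(filename: str, data: bytes) -> dict:
    """Flag an attachment whose extension does not match its real container type."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    real = detect_container(data)
    mismatch = real in EXPECTED_EXT and ext not in EXPECTED_EXT[real]
    return {"filename": filename, "claimed": ext, "real": real, "mismatch": mismatch}

# Constructed samples (not real attachments): a 'request.doc' that is an ISO 9660
# image, and a genuine legacy Word file for comparison.
FAKE_DOC_ISO = b"\x00" * ISO9660_PVD_OFFSET + ISO9660_MAGIC + b"\x01" + b"\x00" * 64
REAL_DOC = OLE_MAGIC + b"\x00" * 64

if __name__ == "__main__":
    for name, blob in (("request.doc", FAKE_DOC_ISO), ("notes.doc", REAL_DOC)):
        print(check_attachment(name, blob))
```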
In this campaign the malware (Vidar 50.3) retrieves its C&C server address from the open-source social networking platform Mastodon; specifically, from the bio section of a particular ‘user’ (@kill5max). If the C&C link is discovered, the attacker can simply close the account and move the details to a different account for future compromises.
Vidar downloads its dependencies from the C&C server and saves them under C:\ProgramData, and then retrieves its configuration settings. It is also able to download additional malware. Although nothing was detected in this campaign, Vidar has been used in the past to download additional ransomware.
It will not run if a selection of sandbox, anti-malware or email scanner DLLs are present on the victim computer. But when it runs, it harvests system data and data from a wide range of browsers and other applications. The data is saved at C:\ProgramData\<random> and subsequently archived to C:\ProgramData\<random>\<machine GUID>.zip before being sent to a separate server under control of the attacker.
Infostealers are notoriously fast in operation. They come in, steal data and leave. Not uncommon among infostealers, the final action of the Vidar malware is to remove evidence of its presence. “Lastly,” write the researchers, “the files created by this threat are deleted, as well as all the DLL files in %programdata%.” The command used is:
C:\Windows\System32\cmd.exe /c taskkill /im <Vidar executable> /f & timeout /t 6 & del /f /q "<Vidar filepath>" & del C:\ProgramData\*.dll & exit
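Both the nested launch chain and that self-deletion command leave a recognisable shape in process-creation telemetry. The detection below is an added example, not code from the article or from Trustwave; it assumes the CHM is opened with the Windows help viewer hh.exe, that the mounted ISO appears as drive E:, and the sample events are constructed rather than real logs.

```python
import re
from dataclasses import dataclass

# Added example (not from the article or Trustwave): two detections run over
# constructed process-creation events. Assumes the CHM is opened with the Windows
# help viewer hh.exe and that the mounted ISO appears as drive E: (both assumptions).

@dataclass
class ProcEvent:
    parent: str    # parent image name
    image: str     # child image name
    cmdline: str   # child command line

# Rule 1: the ISO -> CHM -> HTML -> JavaScript -> exe chain shows up as the help
# viewer spawning mshta.exe, and mshta.exe spawning anything at all.
CHAIN_RULES = {"hh.exe": {"mshta.exe"}, "mshta.exe": None}   # None = any child

# Rule 2: the self-deletion command line quoted in the article:
# taskkill /im ... /f & timeout /t N & del ... & del C:\ProgramData\*.dll
CLEANUP_RE = re.compile(
    r"taskkill\s+/im\s+\S+.*&\s*timeout\s+/t\s+\d+"
    r".*&\s*del\s.*&\s*del\s+\S*programdata\\\*\.dll",
    re.IGNORECASE,
)

def classify(ev: ProcEvent) -> list:
    """Return the names of the rules an event matches (empty list if benign)."""
    hits = []
    parent, image = ev.parent.lower(), ev.image.lower()
    allowed = CHAIN_RULES.get(parent, set())
    if allowed is None or image in allowed:
        hits.append(f"lolbin-chain:{parent}->{image}")
    if image == "cmd.exe" and CLEANUP_RE.search(ev.cmdline):
        hits.append("vidar-style-cleanup")
    return hits

def scan(events) -> list:
    """Run every rule over a list of events; returns (index, rule) pairs."""
    return [(i, hit) for i, ev in enumerate(events) for hit in classify(ev)]

# Constructed sample telemetry (not real logs); file names follow the article.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "hh.exe", r'"C:\Windows\hh.exe" E:\pss10r.chm'),
    ProcEvent("hh.exe", "mshta.exe", r'mshta.exe E:\pss10r.chm'),
    ProcEvent("mshta.exe", "app.exe", r'E:\app.exe'),
    ProcEvent("app.exe", "cmd.exe", r'C:\Windows\System32\cmd.exe /c taskkill /im app.exe /f'
              r' & timeout /t 6 & del /f /q "E:\app.exe" & del C:\ProgramData\*.dll & exit'),
    ProcEvent("explorer.exe", "cmd.exe", r'cmd.exe /c dir C:\ProgramData'),  # benign
]
```

Running scan(SAMPLE_EVENTS) flags events 1 to 3 and leaves the first and last untouched.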
The campaign is typified by the extent to which the attacker attempts to hide both the attack and his/her own identity. Vidar is readily available on the dark web and is not associated with any group or affiliate. It is configured not to run if it is likely to be detected. And it removes all traces of itself on completion.
Such malware is frequently updated to defeat signature scanning anti-malware products. Even if a scan is run today that would detect it, it doesn’t mean that your information wasn’t stolen yesterday. There is no immediate trace of the malware, the compromise, or the identity of the attacker.
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.