SecurityWeek

Email Security

New Vidar Infostealer Campaign Hidden in Help File

Researchers discovered an email malware campaign in February 2022 that demonstrates the complexity attackers are introducing to the delivery mechanism in order to avoid detection. The new campaign delivers an old but frequently updated infostealer: Vidar.


The initial approach is standard: an email with a malicious attachment. The attachment, ‘request.doc’, is a disguised ISO image. If the target can be persuaded to open request.doc (a modern Windows system mounts the ISO as a drive letter when it is double-clicked), two files are exposed: a CHM file (Microsoft’s stand-alone Compiled HTML Help format) and ‘app.exe’.

app.exe launches the Vidar malware. Most users today can be trusted not to open a strange .exe delivered to them by email, but the attacker does not need them to. CHM files are generally more recognized and trusted by users. If the CHM is opened, apparently innocuous content is displayed. However, say the Trustwave researchers in an associated blog, “This HTML has a button object which automatically triggers the silent re-execution of the CHM ‘pss10r.chm’ with mshta.”

When it is re-executed under mshta.exe (Microsoft’s HTML Application host, which runs script embedded in the file it is given), JavaScript included within the CHM automatically executes app.exe, and the initial stage of Vidar is loaded. The final launcher is hidden in the Help file.

“We’re seeing that attackers are really trying to nest their attacks in multiple layers to prevent detection,” Karl Sigler, the manager of Trustwave’s SpiderLabs threat intelligence, told SecurityWeek. “By having control go from ISO to CHM to HTML to JavaScript and only then to the executable, a lot of anti-malware security protections, spam filters, email gateways, and so on may miss the attack because it is nested so deep.”
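The first hop in that chain is the attachment itself: an ISO image named as if it were a Word document. A gateway that trusts the extension will treat ‘request.doc’ as a document; one that looks at the bytes will not. The following is an added example (not Trustwave’s or SecurityWeek’s code) of that check in Python. It recognises ISO 9660 images by the ‘CD001’ identifier at the primary volume descriptor, CHM files by their ‘ITSF’ header, and the two common Office containers, then flags any file whose declared extension does not fit what was found. The sample buffers at the bottom are constructed here for the demonstration and are not taken from the campaign.

```python
"""Attachment type sniffing for disguised ISO/CHM lures (added example)."""
import os

# Magic numbers; the offsets are fixed by the respective format specifications.
ISO9660_PVD_OFFSET = 0x8001      # sector 16 * 2048 bytes, plus the 1-byte descriptor type
ISO9660_ID = b"CD001"
CHM_ID = b"ITSF"                  # Microsoft Compiled HTML Help header
OLE2_ID = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy .doc/.xls compound file
ZIP_ID = b"PK\x03\x04"            # .docx/.xlsx are zip containers
MZ_ID = b"MZ"                     # PE executables

# Extensions that legitimately carry each detected container type.
EXPECTED_EXT = {
    "iso9660": {".iso", ".img"},
    "chm": {".chm"},
    "ole2": {".doc", ".xls", ".ppt", ".msg"},
    "zip": {".docx", ".xlsx", ".pptx", ".zip"},
    "pe": {".exe", ".dll"},
}


def sniff(data: bytes) -> str:
    """Return the container type the bytes actually represent, or 'unknown'."""
    if data[:len(OLE2_ID)] == OLE2_ID:
        return "ole2"
    if data[:len(ZIP_ID)] == ZIP_ID:
        return "zip"
    if data[:len(CHM_ID)] == CHM_ID:
        return "chm"
    if data[:len(MZ_ID)] == MZ_ID:
        return "pe"
    # ISO 9660 has no header at offset 0; the 32 KiB system area is often all zeros.
    if data[ISO9660_PVD_OFFSET:ISO9660_PVD_OFFSET + len(ISO9660_ID)] == ISO9660_ID:
        return "iso9660"
    return "unknown"


def classify(filename: str, data: bytes) -> dict:
    """Compare the declared extension with the sniffed type and flag a mismatch."""
    ext = os.path.splitext(filename)[1].lower()
    real = sniff(data)
    mismatch = real != "unknown" and ext not in EXPECTED_EXT.get(real, set())
    return {"name": filename, "declared_ext": ext, "real_type": real, "mismatch": mismatch}


def make_fake_iso() -> bytes:
    """Constructed stand-in for an ISO image: zeroed system area, then a PVD signature."""
    buf = bytearray(ISO9660_PVD_OFFSET + 8)
    buf[ISO9660_PVD_OFFSET - 1] = 1                      # descriptor type 1 = primary volume descriptor
    buf[ISO9660_PVD_OFFSET:ISO9660_PVD_OFFSET + 5] = ISO9660_ID
    return bytes(buf)


# Constructed samples: one disguised ISO like the campaign's lure, and three benign files.
SAMPLES = {
    "request.doc": make_fake_iso(),
    "pss10r.chm": CHM_ID + b"\x03\x00\x00\x00" + b"\x00" * 28,
    "report.docx": ZIP_ID + b"\x00" * 26,
    "notes.doc": OLE2_ID + b"\x00" * 24,
}


def scan(samples=SAMPLES) -> list:
    """Classify every sample; the gateway would quarantine any entry with mismatch=True."""
    return [classify(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for r in scan():
        flag = "SUSPICIOUS" if r["mismatch"] else "ok"
        print(f"{r['name']:14} declared={r['declared_ext']:6} actual={r['real_type']:8} {flag}")
```

The ISO check only recognises ISO 9660 volumes; a production version should also recognise the UDF volume recognition sequence (‘BEA01’ followed by ‘NSR02’ or ‘NSR03’ descriptors in the same region starting at sector 16), since a UDF-only image carries no ‘CD001’. Blocking ISO and CHM attachments outright at the gateway, regardless of name, is the simpler policy where the business can tolerate it.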

In this campaign the malware (Vidar 50.3) retrieves its C&C server address from Mastodon, the open-source federated social network, specifically from the bio section of a particular account (@kill5max). If the C&C link is discovered, the account can simply be closed and the details moved to a different account for future compromises.

Vidar downloads its dependencies from the C&C server and saves them in C:\ProgramData, then retrieves its configuration settings. It is also able to download additional malware. Although nothing was detected in this campaign, Vidar has been used in the past to download ransomware.

It will not run if any of a selection of sandbox, anti-malware or email-scanner DLLs are present on the victim computer. But when it runs, it harvests system data and data from a wide range of browsers and other applications. The data is saved in C:\ProgramData\<random> and subsequently archived to C:\ProgramData\<random>\<machine GUID>.zip before being sent to a separate server under the attacker’s control.


Infostealers are notoriously fast in operation. They come in, steal data and leave. Not uncommon among infostealers, the final action of the Vidar malware is to remove evidence of its presence. “Lastly,” write the researchers, “the files created by this threat are deleted, as well as all the DLL files in %programdata%.” The command used is:

C:\Windows\System32\cmd.exe /c taskkill /im <Vidar executable> /f & timeout /t 6 & del /f /q "<Vidar filepath>" & del C:\ProgramData\*.dll & exit
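Because the infostealer deletes its own files, the durable evidence is the process-creation telemetry: the help viewer launching mshta.exe against a .chm, mshta.exe spawning an executable, and a cmd.exe whose command line is the taskkill/timeout/del sequence above. The following is an added example (not Trustwave’s or SecurityWeek’s code) of those checks in Python, run over a handful of constructed events that mirror the chain described in this article. The field names (Image, ParentImage, CommandLine) follow Sysmon event ID 1; the D: drive letter for the mounted ISO and the exact process paths are assumptions for the demonstration, and real events would come from a SIEM query rather than a list in the script.

```python
"""Process-creation checks for the CHM -> mshta -> exe chain and Vidar's cleanup (added example)."""
import re

# Constructed events mirroring the article's chain. Drive letter D: (the mounted ISO)
# and the parent/child paths are assumptions, not observations from the campaign.
EVENTS = [
    {"id": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\hh.exe",
     "CommandLine": r'"C:\Windows\hh.exe" D:\pss10r.chm'},
    {"id": 2, "ParentImage": r"C:\Windows\hh.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe D:\pss10r.chm"},
    {"id": 3, "ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"D:\app.exe",
     "CommandLine": r'"D:\app.exe"'},
    {"id": 4, "ParentImage": r"D:\app.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'C:\Windows\System32\cmd.exe /c taskkill /im app.exe /f & timeout /t 6 '
                    r'& del /f /q "D:\app.exe" & del C:\ProgramData\*.dll & exit'},
    {"id": 5, "ParentImage": r"C:\Windows\explorer.exe",      # benign control event
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir C:\ProgramData"},
]

# The self-delete one-liner: kill own image, wait, delete own file, delete dropped DLLs.
CLEANUP_RE = re.compile(
    r"taskkill\s+/im\s+\S+\s+/f.*timeout\s+/t\s+\d+.*del\s+/f\s+/q.*del\s+\S*programdata\\\*\.dll",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list:
    """Return the names of every rule the event matches (empty list if none)."""
    img = basename(ev["Image"])
    parent = basename(ev["ParentImage"])
    cmd = ev["CommandLine"]
    hits = []
    # mshta.exe being handed a compiled help file, as the CHM's HTML button does.
    if img == "mshta.exe" and re.search(r"\.chm\b", cmd, re.IGNORECASE):
        hits.append("mshta_executing_chm")
    # The help viewer (hh.exe) should render help, not spawn other processes.
    if parent == "hh.exe" and img != "hh.exe":
        hits.append("child_of_help_viewer")
    # mshta.exe launching an executable from outside the Windows directory.
    if parent == "mshta.exe" and img.endswith(".exe") \
            and not ev["Image"].lower().startswith("c:\\windows"):
        hits.append("mshta_spawned_executable")
    # cmd.exe carrying the taskkill / timeout / del / del *.dll cleanup sequence.
    if img == "cmd.exe" and CLEANUP_RE.search(cmd):
        hits.append("vidar_style_self_delete")
    return hits


def run(events=EVENTS) -> dict:
    """Map event id -> matched rules, for events that matched at least one rule."""
    results = {}
    for ev in events:
        hits = check_event(ev)
        if hits:
            results[ev["id"]] = hits
    return results


if __name__ == "__main__":
    for event_id, rules in run().items():
        print(f"event {event_id}: {', '.join(rules)}")
```

The cleanup rule keys on the sequence of commands rather than on any file name, because the executable name and drop path vary between samples while the kill-wait-delete pattern is what the article describes as the constant. A rule on ‘hh.exe spawning anything’ will also fire on some legitimate help content that launches a browser, so in practice it is a lower-severity signal that becomes high confidence when it chains into mshta.exe or a non-Windows executable.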

The campaign is typified by the extent to which the attacker attempts to hide both the attack and his or her own identity. Vidar is readily available on the dark web and is not associated with any particular group or affiliate. It is configured not to run where it is likely to be detected, and it removes its traces on completion.

Such malware is frequently updated to defeat signature scanning anti-malware products. Even if a scan is run today that would detect it, it doesn’t mean that your information wasn’t stolen yesterday. There is no immediate trace of the malware, the compromise, or the identity of the attacker.

Related: New Legion Loader Delivers a Variety of Malware

Related: Microsoft Warns of New ‘Anubis’ Info-Stealer Distributed in the Wild

Related: Raccoon Malware-as-a-Service Gains Momentum

Related: Baldr Malware: A Short-Lived Star or Info Stealer That Will Return?

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
