Email Security

New Vidar Infostealer Campaign Hidden in Help File

Researchers discovered an email malware campaign in February 2022 that demonstrates the complexity attackers are introducing to the delivery mechanism in order to avoid detection. The new campaign delivers an old but frequently updated infostealer: Vidar.

The initial approach is standard – an email with a malicious attachment. The attachment, ‘request.doc’, is a disguised ISO file. If the target can be persuaded to click on request.doc, two files are exposed: a CHM file (Microsoft’s stand-alone help file format), and ‘app.exe’.

app.exe launches the Vidar malware. Most users today could be trusted not to open a strange .exe delivered to them by email, but the attacker doesn’t need them to. CHM files are generally more recognized and trusted by users. If the CHM is opened, apparently innocuous content is displayed. However, say the Trustwave researchers in an associated blog, “This HTML has a button object which automatically triggers the silent re-execution of the CHM “pss10r.chm” with mshta.”

When it is re-executed, JavaScript included within the file automatically executes the app.exe file, and the initial stage of Vidar is loaded. The final launcher is hidden in the Help file. 

“We’re seeing that attackers are really trying to nest their attacks in multiple layers to prevent detection,” Karl Sigler, the manager of Trustwave’s SpiderLabs threat intelligence, told SecurityWeek. “By having control go from ISO to CHM to HTML to JavaScript and only then to the executable, a lot of anti-malware security protections, spam filters, email gateways, and so on may miss the attack because it is nested so deep.”

In this campaign the malware (Vidar 50.3) retrieves its C&C server address from the open-source social networking platform Mastodon, specifically from the bio section of a particular ‘user’ account (@kill5max). If the C&C link is discovered, the account can simply be closed and the details moved to a different account for future compromises.

Vidar downloads its dependencies from the C&C server and saves them under C:\ProgramData, and then retrieves its configuration settings. It is also able to download additional malware. Although nothing was detected in this campaign, Vidar has been used in the past to download ransomware as an additional payload.

It will not run if a selection of sandbox, anti-malware or email scanner DLLs are present on the victim computer. But when it runs, it harvests system data and data from a wide range of browsers and other applications. The data is saved at C:\ProgramData\<random> and subsequently archived to C:\ProgramData\<random>\<machine GUID>.zip before being sent to a separate server under the attacker’s control.

Infostealers are notoriously fast in operation. They come in, steal data and leave. Not uncommon among infostealers, the final action of the Vidar malware is to remove evidence of its presence. “Lastly,” write the researchers, “the files created by this threat are deleted, as well as all the DLL files in %programdata%.” The command used is:

C:\Windows\System32\cmd.exe /c taskkill /im <Vidar executable> /f & timeout /t 6 & del /f /q "<Vidar filepath>" & del C:\ProgramData\*.dll & exit
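The execution chain described above (the CHM re-executed through mshta, mshta starting app.exe, and finally the self-deletion one-liner) can be spotted from process-creation telemetry. The following Python is an added example, not code from the article or from Trustwave; it assumes Sysmon-style fields (pid, ppid, image, cmdline), assumes the Windows help viewer hh.exe is the process that opens the CHM, and runs over constructed events in which E:\ stands in for the mounted ISO.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style fields). All
# values are made up for this example; E:\ stands in for the mounted ISO, and
# hh.exe is assumed to be the process that opens the CHM.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\hh.exe", "cmdline": r'"C:\Windows\hh.exe" E:\pss10r.chm'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\mshta.exe", "cmdline": r"mshta.exe E:\pss10r.chm"},
    {"pid": 400, "ppid": 300, "image": r"E:\app.exe", "cmdline": r"E:\app.exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'C:\Windows\System32\cmd.exe /c taskkill /im app.exe /f & timeout /t 6 '
                r'& del /f /q "E:\app.exe" & del C:\ProgramData\*.dll & exit'},
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c dir C:\ProgramData"},
]

# Shape of the self-deletion one-liner quoted above: taskkill, a timeout, del of
# the executable, then del of every DLL in ProgramData, all chained with '&'.
CLEANUP_RE = re.compile(
    r"taskkill\s+/im\s+\S+.*&\s*timeout\s+/t\s+\d+.*&\s*del\s+/f\s+/q.*"
    r"&\s*del\s+\S*ProgramData\\\*\.dll",
    re.IGNORECASE,
)

def _name(path):
    """Lower-cased file name of a Windows path (works on non-Windows hosts too)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (pid, rule) pairs for events matching the three chain stages."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        pname = _name(parent["image"]) if parent else ""
        # Stage 1: the help viewer re-launching the CHM through mshta.
        if _name(e["image"]) == "mshta.exe" and pname == "hh.exe":
            findings.append((e["pid"], "chm_reexecuted_via_mshta"))
        # Stage 2: mshta starting an executable outside C:\Windows.
        if pname == "mshta.exe" and not e["image"].lower().startswith("c:\\windows\\"):
            findings.append((e["pid"], "mshta_spawned_untrusted_exe"))
        # Stage 3: the cmd.exe cleanup one-liner.
        if _name(e["image"]) == "cmd.exe" and CLEANUP_RE.search(e["cmdline"]):
            findings.append((e["pid"], "vidar_style_cleanup"))
    return findings

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Because the malware deletes itself within seconds of finishing, a process-creation record of the cleanup command is often the only durable artefact, which is why the third rule keys on the command line rather than on the file.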

The campaign is typified by the extent to which the attacker attempts to hide both the attack and his/her own identity. Vidar is readily available on the dark web and is not associated with any group or affiliate. It is configured not to run if it is likely to be detected. And it removes all traces of itself on completion.

Such malware is frequently updated to defeat signature scanning anti-malware products. Even if a scan is run today that would detect it, it doesn’t mean that your information wasn’t stolen yesterday. There is no immediate trace of the malware, the compromise, or the identity of the attacker.


Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.