Malware Analysis: Vidar Version 4.5

While Kroll has identified available embedded functionality in the malware, our analysis and open-source intelligence-gathering indicates the malware receives dynamic instruction (i.e., a configuration file) from its command-and-control (“C2”) domain that tells it the specific data to capture and steal. 

Kroll is aware of the following data-scraping capabilities by the Vidar family:

• Browser data, including auto-fill, cookies, credit cards, download history, and browsing history
• Two-factor authentication (“2FA”) data
• Telegram messages
• Cryptomining wallets
• A screenshot of the victim system

Vidar’s targeting of 2FA data is especially problematic as many organizations may have a false sense of security that this measure is adequately protecting their networks.

Upon execution, the malware collects system information as well as other available sensitive data. In Kroll’s dynamic analysis, the malware generates a new randomly named folder under C:\ProgramData and aggregates the following data in a file named information.txt:

• Machine ID and GUID
• Path of malware executable and its working directory – This is a newly created directory under C:\ProgramData\ +{Random String}
• Operating system
• Computer name
• Current username
• Display resolution, language, and keyboard language
• Local time and time zone
• Hardware information – Processor, CPU count, RAM, video card
• Network information – This data is queried through ip-api [.] com/line/ where geolocation data is gathered about the victim system
• List of running processes
• An incomplete list of installed software (may be searching for specific programs)

Additionally, the malware generates three additional files in this location:

• Outlook.txt – May contain available email credentials from the system
• Password.txt – May contain available browser credentials from the system
• A ZIP file containing the collected data; this file is exfiltrated to the C2 domain