Vidar Stealer: Revealing A New Deception Strategy

Vidar Stealer is a potent information-stealing malware that has evolved since its inception in 2018, targeting multiple platforms and especially the gaming sector. Recently it was distributed through a game on Steam, exploiting the trust associated with popular software. Notably, the use of a legitimate tool, BGInfo, to cloak malicious activity represents a significant shift in attack strategy and emphasizes the need for vigilance in monitoring software integrity. Affected sectors: gaming platforms, cybersecurity

Key points:

  • Vidar Stealer has been employed by cybercriminals since 2018 for data harvesting.
  • The malware’s distribution methods have evolved, including use in malicious email attachments and malvertising.
  • Recently disguised within the PirateFi game on Steam, posing threats to unsuspecting players.
  • Low detection rates on VirusTotal indicate potential new variants or obfuscation techniques used by attackers.
  • Manipulated versions of legitimate software, such as BGInfo, are used to evade security systems.
  • Threat actors often exploit software updates to introduce malicious versions.
  • Key capabilities include credential theft, cryptocurrency wallet theft, session hijacking and extraction of cloud storage data.
  • Regular monitoring for indicators of compromise is crucial for identifying malware threats.

MITRE Techniques:

  • Masquerading: Invalid Code Signature (T1036.001) – Utilizing expired signatures to masquerade as legitimate files.
  • Masquerading: Match Legitimate Name or Location (T1036.005) – Disguising malware with names of trusted software.
  • Obfuscated Files or Information: Binary Padding (T1027.001) – Increasing file size to include hidden code.
  • Data from Local System (T1005) – Extracting system configuration and credentials from local resources.
  • Unsecured Credentials: Credentials In Files (T1552.001) – Targeting stored credentials in user files.
  • Credentials from Password Stores: Credentials from Web Browsers (T1555.003) – Accessing stored browser credentials.
  • Application Layer Protocol: Web Protocols (T1071.001) – Utilizing web protocols for command and control communications.
  • Exfiltration Over C2 Channel (T1041) – Transmitting stolen data back to attackers through the command and control infrastructure.
  • Process Injection: Thread Execution Hijacking (T1055.003) – Modifying legitimate processes to execute malicious code covertly.

Indicators of Compromise:

  • [File Hash, SHA-256] 7f59c7261ce53d72cafcba86c3a423f06922f1edb47b419b96d2944af3e7859d
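
The key points above call for regular monitoring against indicators of compromise. The following is an added example, not code from the G DATA report or from this summary: a small Python scanner that streams files through SHA-256 (so a padded, oversized binary never has to fit in memory) and reports any file whose digest matches an IoC list seeded with the hash above. The `demo()` function, the temporary directory and the sample file contents are constructed for illustration; the only real indicator is the SHA-256 value taken from the page.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# The single file-hash indicator listed in the summary above (SHA-256).
VIDAR_IOCS = {
    "7f59c7261ce53d72cafcba86c3a423f06922f1edb47b419b96d2944af3e7859d",
}


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks; large binary-padded samples stay off the heap."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root, iocs=VIDAR_IOCS):
    """Walk `root` and return {path: sha256} for every file whose digest is in `iocs`.

    IoC feeds sometimes mix upper- and lower-case hex, so both sides are lower-cased.
    Unreadable or locked files are skipped rather than aborting the whole scan.
    """
    wanted = {h.lower() for h in iocs}
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            candidate = Path(dirpath) / name
            try:
                digest = sha256_file(candidate)
            except OSError:
                continue
            if digest in wanted:
                hits[str(candidate)] = digest
    return hits


def demo():
    """Constructed demo: two sample files in a temp dir; 'hit.bin' is matched via its own hash.

    The hash of the constructed file is added to the IoC set only so the scan has something
    to find; in real use the set comes from a vetted indicator feed.
    """
    with tempfile.TemporaryDirectory() as tmp:
        hit = Path(tmp) / "hit.bin"
        hit.write_bytes(b"constructed sample content")
        (Path(tmp) / "clean.bin").write_bytes(b"benign content")
        iocs = VIDAR_IOCS | {sha256_file(hit)}
        return scan_directory(tmp, iocs)


if __name__ == "__main__":
    for path, digest in demo().items():
        print(f"MATCH {digest}  {path}")
```

Run it against a download folder or a game's install directory; a hash match is only as good as the indicator list, so new builds or re-padded variants (which the low VirusTotal detection rates above hint at) will not match and still need behavioural monitoring alongside this check.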

Full Story: https://www.gdatasoftware.com/blog/2025/04/38169-vidar-stealer