Fast, Broad, and Elusive: How Vidar Stealer 2.0 Upgrades Infostealer Capabilities

Trend Research analyzes Vidar Stealer v2.0, a full rewrite in C that adds multithreaded data theft, advanced anti-analysis and AppBound bypass techniques, and an automatic polymorphic builder, enabling faster and more evasive credential and wallet exfiltration. The release aligns with declining Lumma Stealer activity and a spike in Vidar adoption, suggesting threat actors may be migrating to Vidar and StealC.

Keypoints

  • Vidar 2.0 is a complete rewrite from C++ to C, claimed to improve stability and speed.
  • Multithreaded architecture enables parallelized data collection that scales with CPU cores and memory.
  • Advanced browser credential extraction includes memory injection to bypass Chrome AppBound protections and uses named pipes for inter-process communication.
  • An automatic polymorphic builder generates unique binaries and control-flow flattening obfuscation to hinder static detection and reverse engineering.
  • Targets a wide range of data: browser credentials, crypto wallets, cloud credentials, FTP/SSH files, gaming/social platform data, and screenshots.
  • Exfiltration uses HTTP multipart form submissions to a round-robin C2 infrastructure including Telegram bots and Steam profiles, followed by cleanup and self-deletion.
  • Release timing correlates with Lumma Stealer decline and a measurable spike in Vidar activity, indicating likely increased adoption by underground actors.

MITRE Techniques

  • [T1622] Debugger Evasion – Vidar performs debugger detection as part of its extensive anti-analysis checks: ‘debugger detection’.
  • [T1497.001] Virtualization/Sandbox Evasion – The malware uses timing verification, system uptime validation, and hardware profiling to avoid executing in analysis environments: ‘timing verification, system uptime validation, and hardware profiling’.
  • [T1027] Obfuscated Files or Information – Uses control-flow flattening with numeric state machines to obscure program logic and hinder analysis: ‘heavy use of control flow flattening, implementing complex switch-case structures with numeric state machines’.
  • [T1055.001] Process Injection: Dynamic-link Library Injection – Vidar injects into running browser processes using reflective DLL injection (or shellcode) to extract encryption keys from memory: ‘injects malicious code directly into running browser processes using either shellcode or reflective DLL injection’.
  • [T1055.002] Process Injection: Portable Executable Injection – The injected payload reads keys out of the browser's memory rather than from on-disk storage: ‘injects malicious code directly into running browser processes … The injected payload extracts encryption keys directly from browser memory’.
  • [T1082] System Information Discovery – Profiles the host and enumerates hardware to size its thread pool and adapt behaviour: ‘system profiling to collect victim information’ and ‘Thread count is dynamically calculated based on CPU Core count and available physical memory’.
  • [T1083] File and Directory Discovery – The file grabber searches user directories and removable drives for valuable files and wallets: ‘systematically searches for valuable files across user directories and removable drives’.
  • [T1087.001] Account Discovery: Local Account – Account and environment discovery during initialization and profiling; enumeration of local accounts is implied by the discovery steps rather than stated explicitly: ‘system profiling to collect victim information’.
  • [T1518.001] Software Discovery: Security Software Discovery – Security-software checks during initialization decide whether execution proceeds; this is implied by the evasion checks and software profiling: ‘anti-analysis checks including … security checks’.
  • [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – Extracts browser credentials from storage and memory across Chrome, Firefox, Edge and other browsers: ‘comprehensive browser credential extraction capabilities targeting both traditional browser storage methods and Chrome’s latest security protections’.
  • [T1555] Credentials from Password Stores – Decrypts the key held in the browser's Local State file with DPAPI and falls back to stealing keys from memory: ‘attempts to extract encryption keys from Local State files using standard DPAPI decryption’.
  • [T1552.001] Unsecured Credentials: Credentials In Files – Searches for credential and configuration files such as FileZilla's recentservers.xml and WinSCP saved sessions: ‘AppData\Roaming\FileZilla\recentservers.xml’ and ‘Software\Martin Prikryl\WinSCP 2\Sessions’.
  • [T1528] Steal Application Access Token – Targets cloud and application token caches such as msal.cache and the IdentityService store to harvest access tokens: ‘.IdentityService – Azure identity tokens’ and ‘msal.cache – Microsoft Authentication Library cache’.
  • [T1005] Data from Local System – Collects files and databases (browser storage, wallet files, documents) from the local system and removable media: ‘file grabber component systematically searches for valuable files across user directories and removable drives’.
  • [T1113] Screen Capture – Captures screenshots for additional intelligence prior to exfiltration: ‘screenshot capture for additional intelligence value’.
  • [T1071.001] Application Layer Protocol: Web Protocols – Exfiltrates data via HTTP multipart form submissions to C2 infrastructure: ‘data packaging and exfiltration through HTTP multipart form submissions’.
  • [T1102.001] Web Service: Dead Drop Resolver – Uses Telegram bots and Steam profiles as channels for locating and communicating with C2: ‘round-robin command-and-control (C&C) infrastructure that includes Telegram bots and Steam profiles as communication channels’.
  • [T1573] Encrypted Channel – Mapped here on the basis of the C2 authentication tokens and build identifiers used for victim tracking: ‘uses specific authentication tokens and build identifiers for tracking and victim management’. The quoted evidence concerns authentication and tracking rather than encryption of the channel itself, so treat this mapping as tentative.
  • [T1041] Exfiltration Over C2 Channel – Sends stolen data to command-and-control infrastructure over application-layer channels: ‘Exfiltration through HTTP multipart form submissions to a round-robin command-and-control infrastructure’.
  • [T1020] Automated Exfiltration – Uses automated routines to package and exfiltrate data, categorizing stolen data through different operation modes: ‘The malware employs different operation modes to categorize stolen data’ and ‘streamlined exfiltration routines’.
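The injection, named-pipe and dead-drop behaviours mapped above chain together in a way that is easy to hunt for in endpoint telemetry. The following correlation rule is an added example, not code from the Trend Micro analysis or from Vidar itself: it walks Sysmon-style events and flags a non-browser process that opens a browser with memory-access rights (Event 10), creates a named pipe (Event 17) and then resolves a Telegram or Steam host (Event 22) within a short window. Field names follow Sysmon's schema; the sample records, image paths and the pipe name are constructed for this example.

```python
"""Correlation rule, added as an example and not taken from the Trend Micro
analysis, for the Vidar 2.0 browser-theft chain in Sysmon-style telemetry:
ProcessAccess (10) into a browser with injection rights, PipeEvent (17) for
IPC, then DNSEvent (22) for a dead-drop host.  Sample events are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "firefox.exe"}
# Dead-drop hosts named in the report; extend with your own C2 intel.
DEAD_DROP_HOST = re.compile(r"^(api\.telegram\.org|steamcommunity\.com)$", re.I)
# Access rights that permit injection or memory reads: PROCESS_CREATE_THREAD 0x02,
# PROCESS_VM_OPERATION 0x08, PROCESS_VM_READ 0x10, PROCESS_VM_WRITE 0x20.
INJECT_MASK = 0x02 | 0x08 | 0x10 | 0x20
WINDOW = timedelta(minutes=10)   # all three stages must fall inside this window


def _basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def _ts(utc):
    # Sysmon UtcTime looks like "2025-10-01 10:00:01.123"; drop the millis.
    return datetime.strptime(utc.split(".")[0], "%Y-%m-%d %H:%M:%S")


def correlate(events):
    """Return one alert per source image that shows all three stages in order of time."""
    stages = defaultdict(dict)   # image -> {stage name: first time seen}
    for ev in sorted(events, key=lambda e: _ts(e["UtcTime"])):
        t = _ts(ev["UtcTime"])
        if ev["EventID"] == 10:   # ProcessAccess
            src, dst = ev["SourceImage"], ev["TargetImage"]
            if (_basename(src) not in BROWSERS and _basename(dst) in BROWSERS
                    and int(ev["GrantedAccess"], 16) & INJECT_MASK):
                stages[src].setdefault("browser_access", t)
        elif ev["EventID"] == 17:  # PipeEvent: pipe created
            stages[ev["Image"]].setdefault("named_pipe", t)
        elif ev["EventID"] == 22 and DEAD_DROP_HOST.match(ev["QueryName"]):  # DNSEvent
            stages[ev["Image"]].setdefault("dead_drop_dns", t)

    alerts = []
    for image, seen in stages.items():
        if all(s in seen for s in ("browser_access", "named_pipe", "dead_drop_dns")):
            if max(seen.values()) - min(seen.values()) <= WINDOW:
                alerts.append({"image": image,
                               "first_seen": min(seen.values()).isoformat(),
                               "stages": sorted(seen)})
    return alerts


# Constructed sample: one stealer-like chain plus benign noise (an EDR sensor
# that only queries the browser, and Chrome itself talking to Steam).
_BUILD = r"C:\Users\alice\AppData\Local\Temp\build.exe"       # hypothetical dropper path
_CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    {"EventID": 10, "UtcTime": "2025-10-01 10:00:01.101", "SourceImage": _BUILD,
     "TargetImage": _CHROME, "GrantedAccess": "0x1F3FFF"},
    {"EventID": 17, "UtcTime": "2025-10-01 10:00:02.005", "Image": _BUILD, "PipeName": r"\kp_3a1f"},
    {"EventID": 22, "UtcTime": "2025-10-01 10:00:05.400", "Image": _BUILD, "QueryName": "api.telegram.org"},
    {"EventID": 22, "UtcTime": "2025-10-01 10:00:07.012", "Image": _BUILD, "QueryName": "steamcommunity.com"},
    {"EventID": 10, "UtcTime": "2025-10-01 10:01:00.000", "SourceImage": r"C:\Program Files\EDR\sensor.exe",
     "TargetImage": _CHROME, "GrantedAccess": "0x1000"},   # PROCESS_QUERY_LIMITED_INFORMATION only
    {"EventID": 22, "UtcTime": "2025-10-01 10:01:30.000", "Image": _CHROME, "QueryName": "steamcommunity.com"},
    {"EventID": 17, "UtcTime": "2025-10-01 10:02:00.000", "Image": _CHROME, "PipeName": r"\mojo.1234.5678"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The rule is a prioritisation aid rather than a verdict: backup agents and some security tools legitimately open browsers with broad access masks, which is why the named-pipe and dead-drop stages are required before an alert fires. Feeding it real data means mapping your EDR's field names onto the Sysmon ones used here.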

Indicators of Compromise

  • [File names] targeted data and artifacts – examples: Local State (browser key store), Login Data (Chrome/Edge passwords), logins.json (Firefox passwords).
  • [File paths] credentials and config locations – examples: AppData\Roaming\FileZilla\recentservers.xml (FileZilla saved servers), %UserProfile%\.aws (AWS CLI credentials).
  • [Artifacts] browser and wallet stores – examples: key4.db (Firefox master key database), 0.indexeddb.leveldb (wallet extension storage), and other wallet extension IndexedDB files.
  • [Communication channels] C2 mechanisms – examples: Telegram bots and Steam profiles used as command-and-control channels.
  • [Obfuscation/behavioral] binary characteristics – examples: unique polymorphic builds (automatic morpher) and heavy control-flow flattening observed in samples.
  • [Operational indicators] runtime behaviors – examples: worker-thread creation sized by CPU core count, and named-pipe IPC used when pulling keys out of browser memory.
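The Local State and Login Data artifacts listed above also tell a responder how much of a profile the legacy DPAPI path can reach and how much sits behind Chrome's AppBound protection, which is the split that forces Vidar 2.0 into memory injection. The helper below is an added example, not code from the Trend Micro analysis: it classifies the keys in Local State by their prefix and counts stored records by version marker. The prefixes (`DPAPI`, `APPB`, `v10`, `v11`, `v20`) are the real on-disk markers; the JSON, the blob bytes and the SQLite rows are constructed, and no decryption is attempted, so it runs on any OS.

```python
"""Offline triage helper, added as an example and not part of the Trend Micro
analysis: which Chromium credential material on a profile is recoverable with
user-scope DPAPI alone, and which needs the App-Bound key (the v20 records
Vidar 2.0 reaches only by reading the key out of the running browser).
All inputs below are constructed; only the prefix markers are real."""
import base64
import json
import sqlite3

# Key markers inside Local State (os_crypt section), after base64 decoding.
LEGACY_KEY_PREFIX = b"DPAPI"   # encrypted_key: user-scope DPAPI blob
APP_BOUND_PREFIX = b"APPB"     # app_bound_encrypted_key: wrapped via Chrome's elevation service
# Per-record markers on password_value / encrypted_value blobs.
RECORD_PREFIXES = {b"v10": "legacy_key", b"v11": "legacy_key", b"v20": "app_bound_key"}


def classify_keys(local_state_json):
    """Map each os_crypt key field to the protection scheme its prefix signals."""
    os_crypt = json.loads(local_state_json).get("os_crypt", {})
    result = {}
    for field in ("encrypted_key", "app_bound_encrypted_key"):
        raw = os_crypt.get(field)
        if raw is None:
            continue
        blob = base64.b64decode(raw)
        if blob.startswith(LEGACY_KEY_PREFIX):
            result[field] = "user_dpapi"
        elif blob.startswith(APP_BOUND_PREFIX):
            result[field] = "app_bound"
        else:
            result[field] = "unknown"
    return result


def count_records(conn, table="logins", column="password_value"):
    """Count stored secrets by version prefix; v20 rows need the app-bound key."""
    counts = {"legacy_key": 0, "app_bound_key": 0, "unknown": 0}
    for (blob,) in conn.execute(f"SELECT {column} FROM {table}"):
        counts[RECORD_PREFIXES.get(bytes(blob[:3]), "unknown")] += 1
    return counts


def triage(local_state_json, conn):
    """Summarise what user-scope DPAPI alone can recover versus what needs the app-bound key."""
    keys = classify_keys(local_state_json)
    records = count_records(conn)
    user_dpapi_ok = keys.get("encrypted_key") == "user_dpapi"
    return {
        "keys": keys,
        "records": records,
        "recoverable_with_user_dpapi": records["legacy_key"] if user_dpapi_ok else 0,
        "requires_app_bound_key": records["app_bound_key"],
    }


def build_sample():
    """Constructed inputs mimicking a recent Chrome profile with mixed records."""
    fake_blob = b"\x01\x00\x00\x00\xd0\x8c\x9d\xdf" + b"\x00" * 24   # placeholder, not a real DPAPI blob
    local_state = json.dumps({"os_crypt": {
        "encrypted_key": base64.b64encode(LEGACY_KEY_PREFIX + fake_blob).decode(),
        "app_bound_encrypted_key": base64.b64encode(APP_BOUND_PREFIX + fake_blob).decode(),
    }})
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB)")
    rows = [("https://old.example", "alice", b"v10" + b"\x11" * 12 + b"\x22" * 32),
            ("https://old.example", "bob",   b"v10" + b"\x11" * 12 + b"\x22" * 32),
            ("https://new.example", "carol", b"v20" + b"\x33" * 12 + b"\x44" * 32)]
    conn.executemany("INSERT INTO logins VALUES (?, ?, ?)", rows)
    return local_state, conn


if __name__ == "__main__":
    sample_state, sample_db = build_sample()
    print(triage(sample_state, sample_db))
```

On a live Windows host, copy `%LocalAppData%\Google\Chrome\User Data\Local State` and `...\Default\Login Data` first (Chrome holds a lock on the database), then pass the JSON text and `sqlite3.connect(copy_path)` to `triage`; for cookies use `count_records(conn, "cookies", "encrypted_value")`. A profile where every record is v20 means a stealer that only does DPAPI on Local State gets nothing, and any browser-memory access by an unexpected process becomes the indicator to chase.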


Read more: https://www.trendmicro.com/en_us/research/25/j/how-vidar-stealer-2-upgrades-infostealer-capabilities.html