“Stealers Everywhere: A Growing Concern”

Information stealers such as Kral, AMOS, Vidar and ACR have been widely distributed via malicious ads, fake sites, and social media links to harvest browser data, cryptocurrency wallets, and credentials, with nearly 10 million devices targeted in 2023. Protective steps like 2FA, unique passwords, and downloading software only from official sources can significantly reduce risk. #Kral #AMOS #Vidar #ACR #Homebrew

Keypoints

  • Information stealers are used to harvest credentials and other sensitive data, which can be sold or used in follow-up attacks.
  • Kaspersky telemetry indicates almost 10 million personal and corporate devices were attacked by stealers in 2023.
  • The Kral stealer is deployed via a Kral downloader delivered through malicious ads on adult websites and targets browser data and cryptocurrency wallets.
  • AMOS targets macOS users by impersonating the Homebrew package manager and uses deceptive dialog boxes to capture user passwords.
  • Vidar is distributed through YouTube comments linking to password-protected archives; it leverages DLL hijacking to load payloads and ultimately downloads the ACR stealer for exfiltration.
  • Attackers use techniques such as signed binaries, integrity checks, and the BITS COM interface to exfiltrate data, and some malware families share code and build artifacts.
  • Simple defenses—2FA, unique passwords, and verifying official download sources—are recommended to mitigate stealer threats.

MITRE Techniques

  • [T1003] Credential Dumping – Extraction of account login and password information as described by the article: [‘Techniques for extracting account login and password information.’]
  • [T1213] Data from Information Repositories – Accessing stored data to collect sensitive information, referenced as: [‘Accessing data stored in repositories to collect sensitive information.’]
  • [T1203] Exploitation for Client Execution – Exploiting client-side vulnerabilities to run malicious code, noted in the article as: [‘Exploiting vulnerabilities in client applications to execute malicious code.’]
  • [T1071] Command and Control – Using application-layer protocols to communicate with compromised systems, quoted description: [‘Using application layer protocols to communicate with compromised systems.’]

Indicators of Compromise

  • [File hashes] Malware sample hashes from the report – 02c168aebb26daafe43a0cccd85397b2, 039bebb6ccc2c447c879eb71cd7a5ba8, and 4 more hashes
  • [File hashes] AMOS-related hashes – ec7f737de77d8aa8eece7e355e4f49b9, dd2832f4bf8f9c429f23ebb35195c791
  • [File names] Files seen in Vidar/ACR archives – converter.exe, vcomp100.dll, and other names like bake.docx and blindworm.avi
  • [Archive types / distribution] Password-protected ZIP/RAR archives and nested archives used in YouTube-comment campaigns – password provided on the same page as the archive
  • [Sample hashes] Vidar sample hash listed – 6f9d3babdeea3275489589ee69bc3f31

Information-stealer malware remains a prolific and profitable tool for cybercriminals. Many of these families are offered via subscription-like crimeware services, lowering the barrier to entry for less experienced attackers. Kaspersky Digital Footprint Intelligence observed nearly ten million infected personal and corporate devices in 2023 alone, and that total could be higher because operators don’t always publish their full logs after harvesting data.

One family examined, Kral, evolved from a downloader observed in mid-2023 into a full stealer. The Kral downloader typically arrives when users visit adult websites that host malicious ads; those ads redirect victims to phishing pages offering a download that contains the downloader. Early samples combined C++ and Delphi, producing larger binaries, but recent versions are written only in C++, reducing payload size by an order of magnitude. The Kral stealer and its downloader share code markers—both are signed, use WinVerifyTrust() for binary integrity verification, share the same string-encryption key, and even reference “Kral” in PDB paths. Functionally, the stealer focuses on browser data and cryptocurrency wallets: it creates a randomized folder under C:\ProgramData to collect system and credential data, zips the folder, and sends it to the command-and-control server using the BITS COM interface. Each execution steals data once, but subsequent runs will repeat the process.

AMOS is a macOS-focused stealer first identified in early 2023 and resurfacing in mid-2024 via a domain that impersonated the Homebrew package manager. Victims reached the fake site through malvertising and were offered two installation routes: downloading an infected DMG or running an installation script. The script downloads and mounts the malicious image and then installs the legitimate Homebrew package, while the DMG layout tricks users into believing they launched the real Homebrew app. When executed, AMOS spawns multiple Terminal and bash processes to collect system information and create hidden session-history files. Instead of keylogging, AMOS uses deceptive dialog boxes to prompt users for their macOS passwords, a social-engineering method for credential theft.

Vidar’s distribution relies on social engineering via YouTube comments that link to password-protected archives stored on rotating file-sharing platforms. The archive structure is layered: a legitimate converter.exe (ImageMagick) is paired with a malicious vcomp100.dll to enable DLL hijacking, while bake.docx contains an encrypted first-stage loader and blindworm.avi hides an IDAT loader payload. The legitimate executable loads the malicious DLL, which extracts and decodes the embedded payload—typically a Penguish downloader that contains an IDAT-packed sample. Using IDAT loader extraction tools reveals the final payload: the Vidar stealer. In the incidents observed, Vidar does not simply exfiltrate data itself; it downloads the ACR stealer, which then harvests browser data and cryptocurrency wallets. Telemetry indicates a significant portion of victims are located in Brazil.
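As an added illustration of how a defender might hunt for the sideloading chain just described (example code written for this summary, not code from the Securelist report or from Kaspersky): it scans constructed Sysmon-style events for converter.exe loading vcomp100.dll from outside the Windows system directories, then flags any outbound connection made by that same process. Sysmon Event ID 7 is the image-load event and Event ID 3 the network-connection event; the sample events, process GUIDs and IP addresses are constructed placeholders.

```python
"""Flag the Vidar/ACR-style chain: legitimate converter.exe (ImageMagick)
sideloading vcomp100.dll from a user-writable folder, followed by a network
connection from the same process. Input: Sysmon-like event dicts."""

# Locations where a genuine vcomp100.dll (the MSVC 2010 OpenMP runtime) lives.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _basename(path: str) -> str:
    """Case-insensitive file name from a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_trusted_dir(path: str) -> bool:
    return path.lower().replace("/", "\\").startswith(TRUSTED_DIRS)


def find_sideload_chains(events):
    """Return (process_guid, dll_path, destination_ip) for every process that
    loaded vcomp100.dll as converter.exe from an untrusted directory (EID 7)
    and later opened a network connection (EID 3). Benign loads from the
    Windows system directories are ignored."""
    suspects = {}   # ProcessGuid -> path of the sideloaded DLL
    findings = []
    for ev in events:
        guid = ev["ProcessGuid"]
        if ev["EventID"] == 7:
            if (_basename(ev["Image"]) == "converter.exe"
                    and _basename(ev["ImageLoaded"]) == "vcomp100.dll"
                    and not _in_trusted_dir(ev["ImageLoaded"])):
                suspects[guid] = ev["ImageLoaded"]
        elif ev["EventID"] == 3 and guid in suspects:
            findings.append((guid, suspects[guid], ev["DestinationIp"]))
    return findings


# Constructed sample telemetry (not from the report): process {A} loads the
# runtime DLL from System32 and is benign; process {B} loads it from an
# extracted archive in Downloads and then connects out.
SAMPLE_EVENTS = [
    {"EventID": 7, "ProcessGuid": "{A}", "Image": "C:\\Tools\\converter.exe",
     "ImageLoaded": "C:\\Windows\\System32\\vcomp100.dll"},
    {"EventID": 3, "ProcessGuid": "{A}", "DestinationIp": "203.0.113.5"},
    {"EventID": 7, "ProcessGuid": "{B}",
     "Image": "C:\\Users\\victim\\Downloads\\archive\\converter.exe",
     "ImageLoaded": "C:\\Users\\victim\\Downloads\\archive\\vcomp100.dll"},
    {"EventID": 3, "ProcessGuid": "{B}", "DestinationIp": "203.0.113.10"},
]

if __name__ == "__main__":
    for guid, dll, ip in find_sideload_chains(SAMPLE_EVENTS):
        print(f"ALERT process {guid}: sideloaded {dll}, then connected to {ip}")
```

Real deployments would read the events from a SIEM or the Sysmon operational log rather than an inline list; the correlation logic is unchanged.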

The widespread availability and ease of use for these stealers make them a persistent threat. Stolen credentials and wallet data can be monetized directly on underground markets or used by attackers to gain deeper access to corporate networks, potentially enabling ransomware or other destructive operations. Basic preventive measures—enabling two-factor authentication, using unique passwords, downloading software only from official sources, and carefully verifying sites before installing software—can materially reduce the risk posed by these threats. For organizations or individuals seeking more detailed TTP tracking or information from private reports, the article provides a contact point for Kaspersky’s crimeware intelligence team.

Read more: https://securelist.com/kral-amos-vidar-acr-stealers/114237/