Vidar Malware Launcher Concealed in Help File | Trustwave

Phishing email delivers an ISO attached as request.doc that unpacks a CHM loader and Vidar payload. Vidar collects system and browser data, downloads dependencies from Mastodon-based C2, and can fetch additional malware from the same infrastructure. #Vidar #CHMLoader #mshta #Mastodon #request.doc #pss10r.chm

Keypoints

  • The campaign uses a malicious ISO attached to a phishing email to deliver Vidar via a CHM loader and a bundled executable (app.exe).
  • The CHM loader uses Windows Help Viewer (hh.exe) and unpacks a CHM that contains an HTA with JavaScript that silently runs the payload (app.exe).
  • Vidar is an information stealer that harvests system information and data from browsers and other applications.
  • Vidar downloads dependencies from the C2 and stores collected data under C:\ProgramData, then archives and exfiltrates it to its C2, whose address is retrieved from Mastodon profiles.
  • Vidar’s C2 infrastructure is retrieved from Mastodon profiles (e.g., mastodon.social and noc.social).
  • Cleanup routines remove created files and DLLs, and the threat can download additional payloads from the C2.

MITRE Techniques

  • [T1566.001] Phishing – Attachment – The email contains only one attachment named “request.doc”, which is actually an ISO file. “…the email contains only one attachment named “request.doc”, which is actually an ISO file.”
  • [T1218.005] Signed Binary Proxy Execution: Mshta – The HTA is silently re-executed via mshta from the CHM loader. “…app.exe’ the second file inside the ISO attachment.”
  • [T1082] System Information Discovery – Vidar is described as harvesting system information and data from browsers and other applications. “capable of harvesting system information and data from a wide range of browsers and other applications in the system.”
  • [T1105] Ingress Tool Transfer – Vidar downloads its dependencies from the C&C and saves them locally. “downloads its dependencies from the C&C and saves them at C:\ProgramData”
  • [T1560.001] Archive Collected Data – Data is saved under C:\ProgramData\<random>\files and later archived to a ZIP before exfiltration. “The data it collected from the infected system are saved on C:\ProgramData\<random>\files. Then, this is archived at C:\ProgramData\<random>\<machine GUID>.zip”
  • [T1070.004] Indicator Removal on Host – Created files and DLLs are deleted after exfiltration. “the files created by this threat are deleted, as well as all the DLL files in %programdata%.”
  • [T1102] Web Service – C2 over Mastodon, with profiles providing the C2 addresses. “the samples searched the following profiles and grab the C&C from the Bio section: mastodon.social@kill5rnax, noc.social@kill6nix”
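The hh.exe → mshta.exe → app.exe chain above is what a process-lineage detection can key on. The following is an added example, not code from the Trustwave post; the process-creation events (pids, paths, the CHM name) are constructed to mirror the described chain, and any EDR would supply the real fields.

```python
"""Flag processes descended from Windows Help Viewer (hh.exe) through a script host,
the CHM -> HTA (mshta) -> payload pattern of the Vidar CHM loader. Added example."""
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # lower-cased image basename as an EDR would record it
    cmdline: str

# Script/proxy-execution hosts that a Help Viewer process has no legitimate reason to spawn.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "rundll32.exe"}

# Constructed sample telemetry: a benign hh.exe session (pid 500) and the loader chain (200-400).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "hh.exe", 'hh.exe "E:\\pss10r.chm"'),            # CHM from mounted ISO (E:)
    ProcEvent(300, 200, "mshta.exe", 'mshta.exe "<unpacked hta path>"'),  # HTA re-executed by the CHM
    ProcEvent(400, 300, "app.exe", '"E:\\app.exe"'),                      # Vidar payload from the ISO
    ProcEvent(500, 100, "hh.exe", 'hh.exe "C:\\Program Files\\SomeApp\\manual.chm"'),
]

def lineage(index: Dict[int, ProcEvent], pid: int) -> List[ProcEvent]:
    """Walk parent pointers from pid to the root; the process itself comes first."""
    chain, seen = [], set()
    while pid in index and pid not in seen:   # seen-set guards against pid reuse loops
        seen.add(pid)
        chain.append(index[pid])
        pid = index[pid].ppid
    return chain

def find_chm_loader_chains(events: List[ProcEvent]) -> Dict[int, str]:
    """Return {pid: 'hh.exe > mshta.exe > app.exe'} for every process whose ancestry
    passes from hh.exe into a script host. hh.exe alone is not flagged."""
    index = {e.pid: e for e in events}
    hits: Dict[int, str] = {}
    for ev in events:
        images = [e.image for e in lineage(index, ev.pid)]
        if "hh.exe" not in images[1:]:        # not a descendant of hh.exe
            continue
        i = images.index("hh.exe")
        if images[i - 1] in SCRIPT_HOSTS:     # hh.exe's direct child is a script host
            hits[ev.pid] = " > ".join(reversed(images[:i + 1]))
    return hits

if __name__ == "__main__":
    for pid, chain in find_chm_loader_chains(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {chain}")
```

The benign Help Viewer session (pid 500) produces no hit, while both the mshta process and the payload it launches are reported with their full chain back to hh.exe.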

Indicators of Compromise

  • [File Name] request.doc – attachment in email; pss10r.chm – CHM loader; PSSXMicrosoftSupportServices_HP05221271.htm – HTML content inside CHM; app.exe – Vidar payload
  • [SHA1] Hashes for artifacts – 4E5BC4B8CB05872721C1D4965C14D395ED0B3221, EFE3E712C667CE1D61C8613D03F7EAE31782BDBF
  • [IP] 95.216.181.231 – C2 server
  • [Domain] mastodon.social – C2 hosting profile; [Domain] noc.social – C2 hosting profile

Read more: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/vidar-malware-launcher-concealed-in-help-file/