CYFIRMA’s in-depth analysis identifies Vidar Stealer as a modular information-stealer sold as malware-as-a-service that uses obfuscation, environment checks, and process injection to evade analysis, while leveraging social media as part of its C2 and update infrastructure. It targets a broad set of data (browser, wallets, files, Telegram/Steam data) and exfiltrates via TLS to C2 servers, often deleting traces afterward. #VidarStealer #Sultan #STOPDjvu #SmokeLoader #RedLine #LaplasClipper #Lumma #RaccoonStealer #Telegram #Steam
Key points
- Vidar Stealer is an information-stealing malware sold as malware-as-a-service on the dark web and underground forums.
- It targets a wide range of data, including browser data, cryptocurrency wallets, financial data, and system directories.
- The malware uses obfuscation and checks for debugger/analysis tools to evade detection, with no persistence observed.
- It injects into legitimate Windows processes (e.g., RegAsm.exe) to execute its payload.
- Social media platforms (Telegram and Steam) are used to obtain C2 details and to promote/update the malware.
- Vidar downloads additional binaries (e.g., sqlx[1].dll) to support data harvesting and exfiltration.
- All network traffic occurs over TLS 1.2, with self-signed certificate checks used to detect interception, and data is exfiltrated to C2 servers before being deleted locally.
MITRE Techniques
- [T1592] Gather Victim Host Information – The malware uses API calls to retrieve environment details. Quote: “GetEnvironmentStrings and GetModuleHandleExW to retrieve environment details.”
- [T1204.002] Malicious File – The sample is delivered as a malicious file (installer.exe). Quote: “File Name: installer.exe.”
- [T1055] Process Injection – It writes its payload into the virtual memory of a suspended RegAsm.exe process so that the code executes under that legitimate process. Quote: “injects the code into RegAsm.exe”
- [T1622] Debugger Evasion – The malware checks for a debugger or analysis environment and terminates if detected. Quote: “detect debugger/analysis environment”
- [T1497] Virtualization/Sandbox Evasion – It performs checks aimed at evading virtualized or sandboxed analysis. Quote: “Virtualization/Sandbox Evasion.”
- [T1140] Deobfuscate/Decode Files or Information – The content of the .data section is decoded with XOR operations. Quote: “decode the content of the .data section using bitwise XOR operations.”
- [T1041] Exfiltration Over C2 Channel – Data is exfiltrated to a C2 server via a secure channel. Quote: “exfiltrates all the collected data to the C2 server.”
Indicators of Compromise
- [File] installer.exe – 7e74918f0790056546b862fa3e114c2a, fed19121e9d547d9762e7aa6dd53e0756c414bd0a0650e38d6b0c01b000ad2fc
- [File] sqlx[1].dll – 90e744829865d57082a7f452edc90de5, 036a57102385d7f0d7b2deacf932c1c372ae30d924365b7a88f8a26657dd7550
- [URL] https://steamcommunity.com/profiles/76561199686524322 – C2
- [URL] https://t.me/k0mono – C2
- [IP Address] 65.108.55.55 – C2
- [IP Address] 91.107.221.88 – C2
- [Directory] C:\ProgramData\HJJDGHCBGDHI – data collection/exfiltration staging
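The indicators above applied to sample telemetry, as an added example that is not part of the CYFIRMA report: it loads the listed hashes, C2 IPs, C2 URLs and staging directory into a small matcher and runs it over constructed proxy, firewall and EDR log lines (the log format and the lines themselves are made up for the example).

```python
import re

# Indicators exactly as listed in the report summary above.
VIDAR_IOCS = {
    "md5": {"7e74918f0790056546b862fa3e114c2a", "90e744829865d57082a7f452edc90de5"},
    "sha256": {"fed19121e9d547d9762e7aa6dd53e0756c414bd0a0650e38d6b0c01b000ad2fc",
               "036a57102385d7f0d7b2deacf932c1c372ae30d924365b7a88f8a26657dd7550"},
    "ip": {"65.108.55.55", "91.107.221.88"},
    "url": {"https://steamcommunity.com/profiles/76561199686524322", "https://t.me/k0mono"},
    "path": {r"c:\programdata\hjjdghcbgdhi"},   # compared case-insensitively
}

HEX_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{64}\b")   # MD5 or SHA-256 tokens
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def match_line(line):
    """Return the (category, indicator) pairs from VIDAR_IOCS found in one log line."""
    hits = []
    low = line.lower()
    for token in HEX_RE.findall(low):
        if token in VIDAR_IOCS["md5"]:
            hits.append(("md5", token))
        elif token in VIDAR_IOCS["sha256"]:
            hits.append(("sha256", token))
    for ip in IP_RE.findall(line):
        if ip in VIDAR_IOCS["ip"]:
            hits.append(("ip", ip))
    for url in VIDAR_IOCS["url"]:
        if url.lower() in low:
            hits.append(("url", url))
    for path in VIDAR_IOCS["path"]:
        if path in low:
            hits.append(("path", path))
    return hits

def scan(lines):
    """Map 1-based line numbers to their hits; lines without hits are omitted."""
    results = {}
    for number, line in enumerate(lines, 1):
        hits = match_line(line)
        if hits:
            results[number] = hits
    return results

# Constructed sample log lines (not from the report): four hits and one benign line.
SAMPLE_LOGS = [
    '2024-05-01T10:02:11Z proxy user=jdoe url="https://steamcommunity.com/profiles/76561199686524322" status=200',
    '2024-05-01T10:02:14Z fw action=allow src=10.0.0.23 dst=65.108.55.55 dport=443 proto=tcp',
    '2024-05-01T10:02:20Z edr event=FileCreate path="C:\\ProgramData\\HJJDGHCBGDHI\\sqlx[1].dll" proc=RegAsm.exe',
    '2024-05-01T10:02:21Z edr event=FileHash file=sqlx[1].dll sha256=036a57102385d7f0d7b2deacf932c1c372ae30d924365b7a88f8a26657dd7550',
    '2024-05-01T10:03:00Z fw action=allow src=10.0.0.23 dst=8.8.8.8 dport=53 proto=udp',
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOGS).items():
        print(number, hits)
```

Because the C2 traffic is TLS 1.2, a proxy without inspection will usually log only the host (steamcommunity.com, t.me), so the URL matches fire only where the full path is visible; hash and IP indicators also age quickly, so treat a hit as a pivot point for the RegAsm.exe injection and staging-directory behaviour rather than as the sole detection.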