Jan 05, 2023 | Ravie Lakshmanan
The notorious information-stealer known as
Vidar is continuing to leverage popular social
media services such as TikTok, Telegram, Steam, and Mastodon as an
intermediate command-and-control (C2) server.
“When a user creates an account on an online platform, a unique
account page that can be accessed by anyone is generated,” AhnLab
Security Emergency Response Center (ASEC) disclosed in a technical
analysis published[1]
late last month. “Threat actors write identifying characters and
the C2 address in parts of this page.”
In other words, the technique relies on actor-controlled
throwaway accounts created on social media to retrieve the C2
address.
An advantage to this approach is that should the C2 server be
taken down or blocked, the adversary can trivially get around the
restrictions by setting up a new server and editing the account
pages to allow the previously distributed malware to communicate
with the server.
Vidar, first identified in 2018, is a commercial[2] off-the-shelf[3] malware[4]
that’s capable of harvesting a wide range of information from
compromised hosts. It typically relies on delivery mechanisms like
phishing emails and cracked software for propagation.
“After information collection is complete, the extorted
information is compressed into a ZIP file, encoded in Base64, and
transmitted to the C2 server,” ASEC researchers said.
What’s new in the latest version of the malware (version 56.1)
is that the gathered data is encoded prior to exfiltration, a
change from the previous variants that have been known to send the
compressed file data in plaintext format.
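The switch from sending the ZIP in plaintext to sending it Base64-encoded gives a network defender a simple triage heuristic for captured POST bodies. The following is an added example (not code from the article, ASEC, or the malware): it flags a body that starts with a ZIP local-file-header signature either directly or after strict Base64 decoding, and lists the archive's member names for triage. The sample archive and its file names are constructed here.

```python
import base64
import binascii
import io
import zipfile

# Local file header signature that opens every ZIP archive.
ZIP_MAGIC = b"PK\x03\x04"


def looks_like_zip(blob: bytes) -> bool:
    return blob.startswith(ZIP_MAGIC)


def try_base64(body: bytes):
    """Return the decoded bytes if body is strictly valid Base64, else None.
    Whitespace (line-wrapped Base64) is removed before decoding."""
    compact = b"".join(body.split())
    if not compact or len(compact) % 4:
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_exfil_body(body: bytes) -> str:
    """Classify a captured HTTP body as 'zip-plain' (older variant behaviour),
    'zip-base64' (encoded before exfiltration), or 'none'."""
    if looks_like_zip(body):
        return "zip-plain"
    decoded = try_base64(body)
    if decoded is not None and looks_like_zip(decoded):
        return "zip-base64"
    return "none"


def archive_members(body: bytes) -> list:
    """Return member names of the ZIP carried in body (plain or Base64), or []."""
    kind = classify_exfil_body(body)
    if kind == "none":
        return []
    blob = body if kind == "zip-plain" else try_base64(body)
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()


def build_sample_archive() -> bytes:
    """Constructed sample: a small ZIP standing in for a stolen-data bundle."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("browser/cookies.txt", "constructed sample data\n")
        zf.writestr("system/info.txt", "constructed sample data\n")
    return buf.getvalue()


SAMPLE_PLAIN = build_sample_archive()            # older-variant style body
SAMPLE_B64 = base64.b64encode(SAMPLE_PLAIN)      # version-56.1 style body
```

Run against real traffic this is only a first-pass filter: a legitimate upload of a Base64 ZIP will match too, so pair it with destination and process context.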
“As Vidar uses famous platforms as the intermediary C2, it has a
long lifespan,” the researchers said. “A threat actor’s account
created six months ago is still being maintained and continuously
updated.”
The development comes amid recent findings that the malware is
being distributed using a variety of methods, including malicious
Google Ads[5]
and a malware loader[6]
dubbed Bumblebee[7], the latter of which is
attributed to a threat actor tracked as Exotic Lily and Projector Libra[8].
Risk consulting firm Kroll, in an analysis[9]
published last month, said it discovered an ad for the GIMP open
source image editor that, when clicked from the Google search
result, redirected the victim to a typosquatted domain hosting the
Vidar malware.
If anything, the evolution of malware delivery methods in the
threat landscape is in part a response to Microsoft’s decision to
block macros by default in Office files downloaded from the
internet since July 2022.
This has led to an increase in the abuse of alternative[10] file[11] formats[12] like ISO, VHD, SVG, and
XLL in email attachments to bypass Mark of the Web (MotW)
protections and evade anti-malware scanning measures.
“Disk image files can bypass the MotW feature because when the
files inside them are extracted or mounted, MotW is not inherited
to the files,” ASEC researchers said[13], detailing a Qakbot
campaign that leverages a combination of HTML smuggling and a VHD
file to launch the malware.
References
1. published (asec.ahnlab.com)
2. commercial (blog.cyble.com)
3. off-the-shelf (asec.ahnlab.com)
4. malware (www.trustwave.com)
5. Google Ads (thehackernews.com)
6. malware loader (thehackernews.com)
7. Bumblebee (research.checkpoint.com)
8. Projector Libra (unit42.paloaltonetworks.com)
9. analysis (www.kroll.com)
10. alternative (thehackernews.com)
11. file (thehackernews.com)
12. formats (thehackernews.com)
13. said (asec.ahnlab.com)
14. Twitter (twitter.com)
15. LinkedIn (www.linkedin.com)
Read more https://thehackernews.com/2023/01/the-evolving-tactics-of-vidar-stealer.html