
To Avoid Detection, Vidar Stealer Operators Use Social Media Platforms

Several days ago, the commercially available off-the-shelf malware BitRat was observed being spread through a newly discovered distribution method. Now the information-stealing malware Vidar Stealer has been found using a similar trick: it abuses popular social media platforms as an intermediary between infected hosts and the attacker's command-and-control (C2) infrastructure, through which stolen information ultimately reaches the attacker.

Using Social Media Platforms as a Means of Hiding 

Researchers from AhnLab have found that Vidar Stealer operators continually create throwaway accounts on popular social media platforms such as TikTok, Telegram, Steam, and Mastodon.
  • The attackers create their own profiles on these platforms and place identifying marker characters, together with their C2 address, in the profile text.
  • Because the malware's requests to these platforms blend in with legitimate traffic, they are hard to identify and block with simple security controls.
  • If the C2 server becomes unavailable or is blocked, the attackers can stand up a new server and simply edit the account page to point to it. Previously distributed malware then reads the new address and can be contacted by the new server.

An In-Depth Look

The researchers analyzed a sample whose operator controlled an account on the Ultimate Guitar platform and described how it operates:
  • On an infected system, the malware first decrypts its strings at runtime, executing string-modifying instructions with garbage values passed as arguments (an obfuscation measure that hinders analysis).
  • It checks the computer name and user name to determine whether it is running inside the Windows Defender emulator. If it detects the emulator, the malware stops functioning and shuts down.
  • Next, the malware connects to the threat actor's account page, whose address is hard-coded inside the binary, and retrieves the C2 address from the page so that it can download further information.
  • This variant collects data, compresses it into a ZIP file, and Base64-encodes the archive before transmitting it to the C2 server; the researchers note it uses an updated encryption method compared with earlier variants.
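As an added example (not from the report or from AhnLab's analysis), a small Python triage routine that flags the two behaviours described above over constructed records: a non-browser process fetching a profile page on one of the named platforms, and a POST body that Base64-decodes to a ZIP archive. The process names, hosts, paths and record layout are assumptions made for the example.

```python
import base64
import binascii
import io
import zipfile

# Profile hosts of the platforms named in the report (constructed list) and browsers allowed to fetch them.
PROFILE_HOSTS = {"www.ultimate-guitar.com", "mastodon.social", "t.me", "steamcommunity.com", "www.tiktok.com"}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}


def build_zip(entries):
    # Build an in-memory ZIP from {name: bytes}; used only to construct sample data.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def decode_base64_zip(body):
    """Return the member names if body is Base64 text that decodes to a ZIP, else None."""
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw.startswith(b"PK\x03\x04"):   # ZIP local file header magic
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(raw)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def triage(records):
    """Each record: (process, method, host, path, body). Returns a list of alert tuples."""
    alerts = []
    for proc, method, host, path, body in records:
        # Dead-drop pattern: a non-browser process pulling a social media profile page.
        if method == "GET" and host in PROFILE_HOSTS and proc.lower() not in BROWSERS:
            alerts.append(("profile_fetch_non_browser", proc, host + path))
        # Exfiltration pattern: POST body that Base64-decodes to a ZIP archive.
        if method == "POST" and (names := decode_base64_zip(body)) is not None:
            alerts.append(("base64_zip_upload", proc, host, tuple(names)))
    return alerts


# Constructed sample records (hypothetical process names, hosts and paths).
SAMPLE_RECORDS = [
    ("chrome.exe", "GET", "www.ultimate-guitar.com", "/u/some_user", b""),
    ("updater.exe", "GET", "mastodon.social", "/@dropaccount", b""),
    ("updater.exe", "POST", "203.0.113.10", "/", base64.b64encode(build_zip({"passwords.txt": b"...", "cookies.txt": b"..."}))),
    ("chrome.exe", "POST", "api.example.net", "/upload", base64.b64encode(b"hello")),
]
```

Running `triage(SAMPLE_RECORDS)` yields two alerts: the profile fetch by `updater.exe` and its Base64-encoded ZIP upload, while the two browser records produce none.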

Compared to Previous Strategies

Vidar Stealer is an information stealer that was first identified in 2018. According to researchers, it spreads through a variety of delivery mechanisms, including phishing emails and cracked software.
  • Earlier variants collected data and sent it as compressed files containing plaintext.
  • Recent campaigns have distributed the malware through a variety of methods, including malicious Google Ads and the Bumblebee malware loader, which automates the distribution of malware.
  • Experts also found another piece of malware installed on a computer when the victim clicked an ad in a Google search result for the GIMP open-source image editor; the ad led the victim to a typo-squatted domain that hosted the malware.

As a result, malware like Vidar Stealer, which uses platforms like Google Chrome and Microsoft Exchange as the intermediate C2, has a longer lifespan. In the opinion of experts, this malware is just one of many that constantly update their delivery methods, probably as a result of Microsoft's decision to block macros by default in Office files to prevent automated attacks.

Due to this, it is expected that malware will follow this path more often in the future.