Vidar Malware Using New Tactics to Evade Detection and Anonymize Activities

Cyber Security Threat Summary:
“The threat actors behind the Vidar malware have made changes to their backend infrastructure, indicating attempts to retool and conceal their online trail in response to public disclosures about their modus operandi. ‘Vidar threat actors continue to rotate their backend IP infrastructure, favoring providers in Moldova and Russia,’ cybersecurity company Team Cymru said in a new analysis shared with The Hacker News. Vidar is a commercial information stealer that's known to be active since late 2018. It's also a fork of another stealer malware called Arkei and is offered for sale between $130 and $750 depending on the subscription tier. Typically delivered through phishing campaigns and sites advertising cracked software, the malware comes with a wide range of capabilities to harvest sensitive information from infected hosts. Vidar has also been observed to be distributed via rogue Google Ads and a malware loader dubbed Bumblebee” (The Hacker News, 2023).

Security Officer Comments:
According to researchers at Team Cymru, operators behind Vidar have used the domain my-odin[.]com since August as the primary location for managing their operation, including affiliate authentication, file sharing, and panel administration. It was previously possible to download files from this site without authentication, including the bash scripts used to deploy the malware, which made it possible for researchers to monitor for malware updates. Vidar operators have since changed this: an unauthenticated attempt to download files is now redirected to the Vidar affiliate login page. The actors have also changed the IP address for this site three times, the latest being 5[.]252[.]176[.]49. According to Team Cymru, the server at this address is now managed via Remote Desktop Protocol (RDP), whereas previously it was accessed directly.
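The indicators above (the management domain and its current IP) are published defanged. A defender would want to refang them and sweep proxy and DNS logs for contact with them; the following is an added example, not code from Team Cymru or The Hacker News, run over constructed sample log lines. It matches whole hostname and IP tokens so that an unrelated address sharing a prefix (for example 5.252.176.4) is not reported:

```python
import re
from ipaddress import ip_address

# IoCs as published in the reporting summarized above (defanged form in the source)
DEFANGED_IOCS = ["my-odin[.]com", "5[.]252[.]176[.]49"]


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into its live form for matching."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


IOCS = {refang(i) for i in DEFANGED_IOCS}

# Constructed sample log lines (not from the page): proxy and DNS records
SAMPLE_LOGS = [
    "2023-05-15T10:02:11Z proxy src=10.0.0.23 dst=93.184.216.34 host=example.com status=200",
    "2023-05-15T10:03:41Z dns client=10.0.0.23 query=my-odin.com type=A answer=5.252.176.49",
    "2023-05-15T10:03:42Z proxy src=10.0.0.23 dst=5.252.176.49 host=my-odin.com status=302",
    "2023-05-15T10:05:00Z proxy src=10.0.0.41 dst=5.252.176.4 host=update.vendor.example status=200",
]

# Hostnames: dotted labels ending in an alphabetic TLD; IPv4: four dotted decimal octets.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_indicators(line: str) -> set:
    """Return the set of hostnames and valid IPv4 addresses found in one log line."""
    found = {h.lower() for h in HOST_RE.findall(line)}
    for ip in IPV4_RE.findall(line):
        try:
            ip_address(ip)          # drops malformed tokens such as 999.1.1.1
            found.add(ip)
        except ValueError:
            pass
    return found


def find_hits(lines, iocs=IOCS):
    """Return (line_number, indicator) tuples for every line that touches a known IoC."""
    hits = []
    for n, line in enumerate(lines, 1):
        for indicator in sorted(extract_indicators(line) & set(iocs)):
            hits.append((n, indicator))
    return hits


if __name__ == "__main__":
    for n, indicator in find_hits(SAMPLE_LOGS):
        print(f"line {n}: contact with Vidar infrastructure indicator {indicator}")
```

Because the page notes that the IP behind my-odin[.]com has already been rotated three times, the domain is the more durable of the two indicators; keep the IP in the list for historical log review but expect it to age out.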

“By using VPN infrastructure, which in at least part was also utilized by numerous other benign users, it is apparent that the Vidar threat actors may be taking steps to anonymize their management activities by hiding in general Internet noise,” noted researchers in a blog post.

Suggested Correction(s):
With actors leveraging phishing and cracked software to distribute Vidar malware, users should be careful not to click links or open attachments in emails from unknown senders, and should avoid downloading software from third-party sites.