Vidar stealer abuses Mastodon to obtain C2 settings

news

Vidar stealer has resurfaced with a new technique: it abuses the Mastodon social network to obtain its C2 configuration.

https://blog.cyberint.com/vidar-stealer-abuses-mastadon-social-network

This malware has been active since at least October 2018 and has been identified in a number of different attacks.

The reason it is so widely deployed is that the tool is effective and easy to procure through Telegram channels and underground forums, where it sells for as little as $150.

The data that Vidar tries to steal from infected machines includes the following:

  • All common browser data, such as passwords, cookies, history and credit card details
  • Cryptocurrency wallets
  • Files matching a regular expression supplied by the threat actor (TA)
  • Credentials from the Windows Telegram client
  • File transfer application data (WinSCP, FTP, FileZilla)
  • Mail application data

The unique feature of this campaign is that Vidar abused Mastodon, a popular open source social network, to obtain its dynamic configuration and C2 connection details.

The threat group sets up an account on Mastodon and places the C2 IP address used by the stealer in the description field of the profile.

Because Mastodon is a trusted platform, traffic to it does not trigger warnings in security tools. At the same time, Mastodon is a relatively unmonitored space, so such malicious profiles are unlikely to be discovered, reported and removed.
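As an added defender-side illustration (not code from the article or from Cyberint), the check below scans a Mastodon account object for an IP[:port] hidden in the profile description. The account record is a constructed sample that only follows the field names of the public Mastodon API's Account entity, and the "no posts, no followers" dormancy heuristic is an assumption made here, not a finding stated in the article.

```python
import html
import ipaddress
import json
import re

# Constructed sample of a Mastodon account object; field names follow the public
# Mastodon API's Account entity, the values are invented for this example.
SAMPLE_ACCOUNT = json.loads("""{
  "username": "example_user",
  "note": "<p>hello 198.51.100.23:80</p>",
  "statuses_count": 0,
  "followers_count": 0,
  "following_count": 0
}""")

# IPv4 dotted quad, optionally followed by :port
_IP_PORT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?\b")


def extract_c2_candidates(note_html: str) -> list[str]:
    """Return syntactically valid IP[:port] strings found in a profile description.
    Mastodon serves the "note" field as HTML, so tags are stripped and entities
    decoded first. Malformed quads (999.1.1.1), loopback/unspecified addresses
    and out-of-range ports are discarded."""
    text = html.unescape(re.sub(r"<[^>]+>", " ", note_html))
    candidates = []
    for ip_str, port in _IP_PORT_RE.findall(text):
        try:
            ip = ipaddress.IPv4Address(ip_str)
        except ipaddress.AddressValueError:
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue
        if port and not 1 <= int(port) <= 65535:
            continue
        candidates.append(f"{ip}:{port}" if port else str(ip))
    return candidates


def assess_account(account: dict) -> dict:
    """Flag an account whose description carries an IP and which shows no normal
    social activity. The dormancy heuristic is an assumption added here, not
    something the article states about the observed profiles."""
    candidates = extract_c2_candidates(account.get("note", ""))
    dormant = all(account.get(k, 0) == 0
                  for k in ("statuses_count", "followers_count", "following_count"))
    return {
        "username": account.get("username"),
        "c2_candidates": candidates,
        "suspected_dead_drop": bool(candidates) and dormant,
    }
```

A hit is a lead for analyst review, not proof: legitimate users also put addresses in their bios, so pair the result with the profile's creation date and the network telemetry of hosts that fetched it.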

According to researchers at Cyberint, who discovered this attack, each C2 they found contained between 500 and 1,500 different attack IDs, indicating the widespread nature of Vidar’s deployment.

At runtime, Vidar sends a POST request for its configuration and then retrieves six dependency DLLs from the C2 server via a series of GET requests. These are legitimate third-party DLLs such as Network Services, MS Visual Studio Runtime, etc.

Using these DLLs, Vidar steals data such as email credentials, chat account details, web browsing cookies, etc., compresses it all into a ZIP archive, and forwards the archive to the attacker via HTTP POST.

Once this is done, Vidar will terminate its own process, delete the DLL and the main executable, and attempt to erase all evidence of its presence on the victim’s machine.

To avoid a Vidar infection, beware of spam emails about pending orders, payments, package deliveries, etc.

Vidar is also distributed through direct messages on popular social media platforms or bundled with game cracks downloaded from torrents.
