Skip to main content

Vidar stealer: A deeper look

A man sees a Vidar malware warning on his laptop.

Malicious actors have many tools in their arsenal to steal information from unsuspecting targets. In recent years, the Vidar stealer has become increasingly common. This particular malware is highly effective at stealthily infecting devices to steal a wide range of information and relaying it back to the attacker.

But what is Vidar stealer, and how do these attacks work?

What is a Vidar stealer?

Vidar stealers—sometimes called Vidar spyware—are specific types of malware that aim to attack devices and steal personal information and details of cryptocurrency wallets within the device's system. However, Vidar is also sometimes used as a method of delivering ransomware to devices.

Although Vidar botnets have been in existence since 2018, their exact origins were unclear. In an interview in November 2023, however, the authors confirmed that the malware is an evolution of the Arkei trojan. It operates as a malware-as-a-service and can be purchased directly from the developer’s website on the dark web.

The Vidar malware is particularly renowned for the way it utilizes Command and Control Infrastructure (or C2 communication). This occurs mostly through social media networks such as Telegram and Mastodon, and more recently on the social gaming platform Steam.

How does Vidar stealer work?

Vidar usually uses social media for its C2 infrastructure and as part of its process. Often, the address to a specific social network profile will be embedded within the Vidar malware, and this will have the relevant C2 IP address in its specifications. This allows the spyware to take control of the profile, which includes communicating with the IP address, downloading files and instructions, and even installing more malware.

However, because the Vidar botnet is, at its core, an infostealer, its primary function is to harvest sensitive information from an infected device and send this data to the attacker. There are many different types of information that Vidar can steal, including:

  • Operating system data
  • Login credentials
  • Credit card or bank information
  • Browser history
  • Browser cookies
  • Software installed on the device
  • Downloaded files
  • Cryptocurrency wallets—specifically, Exodus, Ethereum, MultiDoge, Atomic, JAXX, and ElectronCash
  • Screenshots
  • Emails
  • FTP credentials

In some cases, when Vidar is specifically used to install malware on a device, it uses its C2 infrastructure to specify a link from which to download the infected file, and then execute it. This gives the attacker access to the device, and they can use this for their own purposes, or sell this on the dark web to other cybercriminals.

Once downloaded onto a machine, it utilizes several methods to remain undetected. Often, Vidar stealers will use a large executable file to avoid detection by antivirus scanners. In close analyses, experts have discovered that Vidar samples contain null bytes at the end of the file (or zeroes at the end of a .exe file), which artificially inflates the file size. Because the file size is so big, it often exceeds the file limits of anti-malware software, which then chooses to skip analyzing the file. In addition, Vidar files often use string encoding and encryption to make them more challenging for protective software to analyze. It also uses files that have been authenticated with expired digital certificates.

After infecting the device in question and stealing as much information as possible, the Vidar trojan packs all the data into a ZIP file and sends it to the command server. The malware then self-destructs and deletes all evidence of its existence within the device’s system. Because of this, investigating Vidar malware attacks can be very difficult.

How does Vidar spread?

Vidar malware is almost always spread through spam emails. The target generally receives an unsolicited — but innocuous-looking — email that resembles an invoice for an online purchase or a confirmation of a subscription renewal. The email will usually have an attachment, which the target is directed to open for more information. However, the Vidar malware is embedded in the attachment and when the target opens it, the malware is deployed.

Most commonly, the attachment is a Microsoft Office document that uses a macros script. As such, once the document is opened, the user is asked to enable macros execution. Once they do this, the device connects to the malware server and enables the download of the Vidar stealer. To mitigate attacks by Vidar malware, Microsoft changed the way its macros execution operates.

However, this meant that cybercriminals simply found different ways to spread the Vidar trojan. These include:

  • Attachment ISO files: Vidar malware can also be delivered as an attachment ISO file through email, such as an infected Microsoft Compiled HTML Help (CHM) file and executable "app.exe" file, which launches the malware when the attachment is opened
  • .zip archives: in one particular case, attackers impersonated fashion brand H&M to send phishing emails that directed recipients to a Google Drive folder, from which they would need to download a .zip archive to access a contract and payment information. The file would then launch the Vidar stealer attack from there.
  • Fraudulent installers: attackers can embed the Vidar spyware into a fraudulent installer for legitimate software that users may download — such as Adobe Photoshop or Zoom — and deliver it to targets as an attachment in a spam email
  • Google Search ads: more recently, one of the most common ways to circulate Vidar is through Google Search ads that have the malware embedded within their script. The attacker creates Google Ads that closely imitate those from a legitimate software publisher, and when unsuspecting users download this software and run it, the malware is executed and infects their device.
  • Ransomware associations: in some cases, the Vidar botnet has executed attacks in conjunction with various ransomware, such as STOP/Djvu and GandCrab, or malware like PrivateLoader and Smoke. In these highly malicious attacks, the two malware have been spread together, leading to more extensive infections, data stealing — and problems for the user whose device is infected.

How to protect against Vidar stealer: 5 essential tips

The Vidar stealer represents a because not only can it steal user data and system information, but it can also be used to deliver more types of malware. Because of this, individuals and organizations need to take steps to avoid the chances of attacks by a Vidar trojan. Here are five preventative measures that can be useful:

  1. Use antivirus and web protection software that monitors for these kinds of cyber threats and neutralizes them.
  2. Employ email security solutions to scan all incoming emails and block potentially suspicious messages.
  3. Remember best practices around passwords, including using a password manager, creating complex passwords, and regularly changing them.
  4. Keep all software and operating systems up to date to ensure the latest security patches are deployed.
  5. Regularly run full system scans on computers to check for any undetected Vidar spyware or other infections and remove them.

These should form part of a wider strategy to combat potential security breaches and malicious activity, including using a virtual private network (VPN) to mask the device’s IP address and encrypt all online activity.

Vidar Stealer: A persistent threat

Vidar malware is highly technical spyware. Although these attacks often begin with a spam email, ads, cracked software or other means, they are often more nefarious because of the sheer amount of information Vidar can steal. This gives the attacker a massive amount of information to execute further crimes—or sell on the dark web. However, by keeping basic internet and email safety best practices in mind, it is possible to minimize the threat of Vidar and the success of these attacks.

Get Kaspersky Premium + 1 YEAR FREE Kaspersky Safe Kids. Kaspersky Premium received five AV-TEST awards for best protection, best performance, fastest VPN, approved parental control for Windows and best rating for parental control Android.

Related Articles and Links:

Related Products and Services:

Vidar stealer: A deeper look

The Vidar stealer is a technical malware used to infect devices and steal information. Here’s how it works and how to take preventative measures.
Kaspersky logo

Featured posts