From 25 to 30 June, we observed a malicious spam (malspam) email campaign distributing the Vidar information stealer (infostealer), which is a variant of the Arkei infostealer.[1]
Threat actors can reportedly purchase Vidar in online forums for $250.[2] It has the ability to steal credit cards, usernames, passwords, and files, as well as take screenshots of the user’s desktop.[3] It can also steal wallets for cryptocurrencies such as Bitcoin and Ethereum.
Two-factor authentication (2FA) is an additional security layer for user accounts, typically requiring a one-time use code in addition to a password to sign in to an account. Vidar specifically targets the 2FA software Authy in order to bypass this added hurdle for gaining access to an account.[4]
In this campaign, the threat actor sent emails with multiple subjects referencing a successful payment, such as “Confirmation of Payment” and “Your Transaction was Approved.” Each email had a generic message body that resembled an invoice, with “Payment receipt attached” at the end. Unlike typical malspam attacks, wherein the malware runs when the user opens the file, Vidar does not execute until the user closes the file.
Infoblox’s full report on this instance of the malware will be available soon on our Threat Intelligence Reports page.
Endnotes
1. https://any.run/malware-trends/vidar
2. https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/
3. https://isc.sans.edu/forums/diary/What+data+does+Vidar+malware+steal+from+an+infected+host/25398/
4. https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/