Vidar Stealer Abuses Mastadon Social Network

Introduction

Previously used the Thumbler and Faceit gaming platforms to access dynamic configuration from threat actors, new campaigns of Vidar Stealer’s more recent versions suggesting a new venue where Vidar receives dynamic configurations and dropzone information for downloading and uploading files.

First seen in October 2018, Vidar is a descendent of the former Arkei Stealer, which at the moment looks like one of the most popular stealers due to its simplicity, dynamic configuration methods and ongoing development. In addition to their new method of obtaining dynamic configuration, Vidar developers improved and centralized the execution vector, making each stealer independent with no additional executables required.

Vidar is being sold for between $150-750, mainly in underground forums and on various Telegram channels (Figure 1).

The data Vidar is looking to grab may vary, but in most cases, it includes:

• All popular browser information such as passwords, cookies, history and credit cards details.
• Cryptocurrency wallets.
• Files according to regex strings given by the TA.
• Telegram credentials for Windows versions.
• File transfer application information (WINSCP, FTP, FileZilla)
• Mailing application information.

Vidar’s victimology is a combination of private people, streamers and social influencers worldwide. In some cases, mostly in malspam campaigns, targets are manufacturing companies and financial institutes.

Delivery

Although the delivery method can vary between campaigns, unsolicited malicious email (malspam) remains one of the popular methods threat actors use to lure victims into downloading and executing Vidar. It makes use of content related to urgent or pressing matters such as new orders, payments and quotations, as well as the apparent reuse of prior legitimate email threads.

Another delivery method, which might indicate a smaller-scale campaign, is via direct messaging on social networks (Facebook, Instagram, Twitter, etc.), false advertisements within different gaming forums for cheat engines, cracks and more.

Post Infection

Vidar Stealer’s approach is somewhat similar to most other stealer threats, focusing on the theft of credentials from familiar applications, browsers and credentials stores as well as the acquisition of potentially sensitive and valuable data from a victim’s machine, such as cryptocurrency wallets or other files.

Before taking any action, Vidar looks for the default language of the operation system and aborts it’s actions in cases of the states of the former USSR.

Command and Control Connectivity

One of Vidar’s unique behaviors is in obtaining dynamic configuration and C2 connectivity. Once executed, Vidar’s first step is to receive its configuration, by abusing the Mastadon social network.

Mastadon, is an open-source social network that imitates Twitter on many levels. Recent cases suggest that threat actors set up social profiles (Figure 2) in Mastadon as a communication channel with the stealers. The social profiles don’t contain much more than a random post. The description of the profile contains the IP of the C2 the stealer should communicate with to receive configuration, dependency files and the location to which to upload its stolen data.

Configuration

Vidar connects to a predefined user within the Mastadon network via an HTTPS protocol so it can access the C2 IP for further instructions. Once done, Vidar uses a POST request with campaign ID in the URL (Figure 3). In return it receives the relevant configuration.

Each C2 observed in our research contained between 500-1500 different campaign IDs, which indicated the scale and popularity of this type of stealer. The configuration received from the C2 contains flags, directories to search and a regex list of filenames to grab.

Dependencies:

Upon execution, Vidar Stealer will attempt to acquire its dependencies from the C2 server via a series of GET requests for six Dynamic Links Libraries (DLL) Files (Figure 4).

The files are in fact legitimate third-party DLL used to support access to data of various applications and/or browsers:

• freebl3.dll, mozglue.dll, nss3.dll & softokn3.dll – Network Security Services and supporting libraries used by Mozilla products such as Firefox and Thunderbird
• msvcp140.dll & vcruntime140.dll – Microsoft Visual C++ redistributable for Visual Studio 2015

The resulting files are downloaded to %PROGRAMDATA%.

Data Exfiltration

Vidar Stealer stores all acquired data in preparation for data exfiltration, including credentials from a variety of chat, email, FTP and web-browsing applications, as well as cryptocurrency wallets, a desktop screenshot and details of the system configuration (Figure 5) in a working directory created by using a random 25-character name.

Subsequently, Vidar Stealer exfiltrates this data to its C2 server via a HTTP POST request (Figure 6) including the created Zip archive, system metadata (hardware ID, OS, platform, stealer’s profile, stealer’s version, user account and more).