Full Report
Deep Dive Analysis of a Vidar Stealer
Analysis Summary
# Tool/Technique: .NET Loader (Vidar Stealer Delivery)
## Overview
A custom .NET loader used as the initial dropper within a phishing campaign targeting content creators. Its primary purpose is to unpack, decrypt, and inject the final Vidar stealer payload into a host process.
## Technical Details
- Type: Tool / Loader (Part of a multi-stage malware delivery chain)
- Platform: Windows
- Capabilities: De-obfuscation, resource extraction, XOR decryption, process injection.
- First Seen: Observed in the recent phishing campaign described in this report (no earlier sighting of this loader is given).
## MITRE ATT&CK Mapping
- T1055 - Process Injection
- T1055.001 - Process Injection: Dynamic-link Library Injection (implied by the way the decrypted payload is written into the host process)
- T1027 - Obfuscated Files or Information
- T1027.002 - Compile-Time Intrusions (Loader exhibits code obfuscation)
## Functionality
### Core Capabilities
- **Protection Evasion:** The assembly is protected with **Smart Assembly**.
- **De-obfuscation (analysis step):** The analysts used Simple Assembly Explorer (SAE) to remove the Smart Assembly protection and recover a readable code structure.
- **Resource Fetching:** Extracts an encrypted payload stored as a binary resource inside the assembly; the resource is keyed by the string "fInckSommmenn".
- **Payload Decryption:** An XOR routine, with a key derived from "fInckSommmenn", decrypts the extracted resource into the Vidar binary.
- **Process Injection:** Injects the decrypted binary into a target process through the obfuscated class `c000009` and method calls such as `c000066.m00002a`.
### Advanced Features
- **Anti-Analysis Scripting:** Recovering the payload statically required custom PowerShell scripts that replicate the loader's internal decryption logic, so the decrypted binary could be extracted without running the sample; this reflects how much effort the loader adds to static analysis.
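The report says the analysts reproduced the loader's decryption in custom PowerShell scripts. The block below is an added Python example, not the analysts' script and not the loader's own code, that shows the same static-extraction idea. It assumes the key is the UTF-8 bytes of "fInckSommmenn" used as a repeating XOR key (the report only says the key is "derived from" that string, so `derive_key` is a placeholder to adjust once the real derivation is known) and checks the result for a PE header before accepting it. The resource bytes are constructed inline; with a real sample you would pass the raw bytes of the embedded resource instead.

```python
"""
Added example: statically recover an XOR-encrypted resource the way the loader would
decrypt it, without executing it. Not the report's PowerShell script.
Assumption: key = UTF-8 bytes of "fInckSommmenn", applied as a repeating-key XOR.
"""
import struct
from typing import Optional

KEY_SEED = "fInckSommmenn"  # resource name / key seed named in the report


def derive_key(seed: str) -> bytes:
    # Assumed derivation (placeholder): the raw UTF-8 bytes of the seed string.
    return seed.encode("utf-8")


def xor_decrypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; XOR is its own inverse, so this also encrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(blob: bytes) -> bool:
    """Sanity check on the output: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_payload(resource: bytes, seed: str = KEY_SEED) -> Optional[bytes]:
    """Decrypt the resource; return it only if it decrypts to a PE image."""
    plain = xor_decrypt(resource, derive_key(seed))
    return plain if looks_like_pe(plain) else None


# --- constructed sample (not a real resource): a minimal fake PE header, encrypted
# --- with the assumed key so the round trip can be checked offline.
def build_fake_pe() -> bytes:
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)


SAMPLE_RESOURCE = xor_decrypt(build_fake_pe(), derive_key(KEY_SEED))

if __name__ == "__main__":
    payload = recover_payload(SAMPLE_RESOURCE)
    print("recovered PE image" if payload else "decryption did not yield a PE image")
```

The PE check is what makes the script safe to run blindly over candidate resources: a wrong key or a wrong derivation simply returns `None` instead of producing a garbage file that later tooling might mistake for the payload.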
## Indicators of Compromise
- File Hashes:
  - `H&M Corporation Advertising Contract.zip`: 4d9697358936b516ecd2dd96687649fc1a8b1e8fd4529961dfa49513c85b42c5
  - `.scr` file: 203b08962eba219761690043281f81fc2d6e1fa26702bfa4ad30d9849b267309
  - Extracted Payload (`vidar.bin`): dd15f493fc13d00bb1abc0ac20bb0f7dc44632e71b4fcde1c2889fc34dff6c14
- File Names: `H&M Advertising contract and Payment information.pdf.scr`, `H&M Corporation Advertising Contract.zip`
- Registry Keys: none reported.
- Network Indicators:
  - Fetching URLs: `https://steamcommunity[.]com/profiles/76561199476091435`, `https://t[.]me/gurutist`
  - C2 Servers: `195[.]201[.]44[.]125`, `23[.]88[.]36[.]149:80`, `95[.]216[.]164[.]28:80`
- Behavioral Indicators: Loading/execution of 32-bit .NET assemblies that perform resource decryption operations immediately before process injection.
## Associated Threat Actors
- Unknown group leveraging Vidar Stealer in broad phishing campaigns targeting content creators.
## Detection Methods
- Signature-based detection: AV/YARA signatures and hash matching on the known file hashes.
- Behavioral detection: Monitoring for heavily obfuscated (Smart Assembly) .NET assemblies that access an embedded resource and then perform process injection routines.
- YARA rules: The report mentions YARA hunts run against UnpackMe submissions.
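The behavioral rule above ("a .NET assembly that then injects into another process") can be expressed as a simple event correlation. The following is an added example, not a rule from the report, written over constructed Sysmon-style records: Event ID 7 (ImageLoad) tells us a process has pulled in the .NET runtime, and Event ID 8 (CreateRemoteThread) tells us it then created a thread in a different process. Field names follow Sysmon's schema; the process names, PIDs and the injection target are made up for the example, since the report does not name the host process. The `.scr` flag uses the file-name indicator listed above.

```python
"""
Added example: correlate Sysmon-style events to flag a .NET-hosting process that
creates a remote thread in another process. Not the report's own detection logic.
Sample events are constructed, not real telemetry.
"""
from typing import Dict, Iterable, List

CLR_MODULES = ("\\clr.dll", "\\coreclr.dll", "\\mscoree.dll")
SUSPICIOUS_EXT = (".scr",)  # extension used by the campaign's disguised dropper


def detect_dotnet_injection(events: Iterable[Dict]) -> List[Dict]:
    """Return one alert per CreateRemoteThread whose source process had already
    loaded a CLR module and whose target is a different process."""
    loaded_clr = set()  # PIDs that have loaded the .NET runtime so far
    alerts = []
    for ev in events:
        if ev["EventID"] == 7:  # Sysmon ImageLoad
            if ev["ImageLoaded"].lower().endswith(CLR_MODULES):
                loaded_clr.add(ev["ProcessId"])
        elif ev["EventID"] == 8:  # Sysmon CreateRemoteThread
            src, tgt = ev["SourceProcessId"], ev["TargetProcessId"]
            if src != tgt and src in loaded_clr:
                alerts.append({
                    "source": ev["SourceImage"],
                    "source_pid": src,
                    "target": ev["TargetImage"],
                    "target_pid": tgt,
                    # extra context: the source binary is disguised as a screensaver
                    "screensaver_disguise": ev["SourceImage"].lower().endswith(SUSPICIOUS_EXT),
                })
    return alerts


# Constructed sample telemetry: a .scr dropper loads the CLR and then creates a thread
# in another process; a legitimate .NET application only loads the CLR; a CreateRemoteThread
# from a process that never loaded the CLR is left alone by this rule.
CLR_PATH = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll"
DROPPER = "C:\\Users\\victim\\Downloads\\Advertising contract.pdf.scr"
SAMPLE_EVENTS = [
    {"EventID": 7, "ProcessId": 4120, "Image": DROPPER, "ImageLoaded": CLR_PATH},
    {"EventID": 7, "ProcessId": 5000, "Image": "C:\\Program Files\\App\\app.exe", "ImageLoaded": CLR_PATH},
    {"EventID": 8, "SourceProcessId": 4120, "SourceImage": DROPPER,
     "TargetProcessId": 4188, "TargetImage": "C:\\Windows\\SysWOW64\\placeholder_host.exe"},
    {"EventID": 8, "SourceProcessId": 6000, "SourceImage": "C:\\Windows\\System32\\csrss.exe",
     "TargetProcessId": 5000, "TargetImage": "C:\\Program Files\\App\\app.exe"},
]

if __name__ == "__main__":
    for alert in detect_dotnet_injection(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the CLR-load condition is the noisy half (every .NET application satisfies it), so the rule should be tuned by target process, by whether the source binary is unsigned or sits in a user-writable directory, and by the `.scr` disguise shown here, rather than alerting on CreateRemoteThread alone.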
## Mitigation Strategies
- User education regarding unsolicited collaboration emails, especially those requiring downloading and executing archives containing `.scr` files disguised as PDFs.
- Network filtering to block connections to known C2 IP addresses and Telegram/Steam community links used for campaign infrastructure.
- Application Control policies to restrict the execution of known malicious file types (e.g., `.scr`).
## Related Tools/Techniques
- Vidar Stealer (The final payload).
- Smart Assembly (Obfuscation tool used on the loader).
- Simple Assembly Explorer (Tool mentioned for deobfuscating the loader).
***
# Tool/Technique: Vidar Stealer
## Overview
Vidar is an information-stealing malware designed to harvest sensitive data, credentials, and cryptocurrency wallets from compromised systems. This instance was delivered via a multi-stage phishing attack.
## Technical Details
- Type: Malware family (Information Stealer)
- Platform: Windows (32-bit C/C++ binary)
- Capabilities: Data exfiltration, evasion, string encryption, anti-analysis checks.
- First Seen: Vidar has been active for several years; this is a recent variant.
## MITRE ATT&CK Mapping
- T1003 - OS Credential Dumping
- T1003.001 - OS Credential Dumping: LSASS Memory
- T1552 - Credentials from Password Stores
- T1552.001 - Credentials from Password Stores: Credentials from Web Browsers
- T1041 - Exfiltration Over C2 Channel
- T1082 - System Information Discovery
- T1490 - Inhibit System Recovery (Implied by anti-analysis)
## Functionality
### Core Capabilities
- **String Encryption:** Sensitive strings are stored XOR-encrypted and decrypted on demand at runtime; the observed keys are up to 15 bytes long.
- **API Resolution:** Imports are resolved dynamically at runtime rather than through the import table.
- **Data Theft:** Core functionality is harvesting information (credentials, browser data, cryptocurrency wallets).
### Advanced Features
- **Anti-Analysis/Anti-VM Checks:**
  1. **Memory Check:** Terminates if physical memory is less than 769 MB.
  2. **System Identification:** Terminates if the computer name is "HAL9TH" or the username is "JohnDoe".
- **Disassembly/Decompilation Evasion:** The binary uses several techniques to confuse reverse-engineering tools:
  - **Corrupted Entry Point:** The disassembler initially treats the bytes at `WinMain` as stray instructions rather than the start of a function.
  - **Opaque Predicates:** Complex conditional logic that always resolves to the same outcome (`True` is the only reachable path) breaks decompiler output and the analysis flow.
  - **Patching for Analysis:** The investigators had to patch the affected conditional short jumps by script (`74 xx` / `75 xx`, i.e. `JE`/`JNE` rel8, to `EB xx`, `JMP` rel8) to restore a clean control flow.
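The patch described above only swaps the opcode byte and keeps the 8-bit displacement, so it can be scripted once the opaque jumps have been identified. The block below is an added Python example, not the investigators' script: it takes offsets you have already classified as opaque predicates and rewrites `74`/`75` to `EB` for the always-taken case the report describes; as a generalisation it also handles the never-taken case by overwriting the two bytes with `90 90` (two single-byte NOPs). The byte sequence and offsets are a constructed toy buffer, not the Vidar sample.

```python
"""
Added example: patch short conditional jumps identified as opaque predicates so a
disassembler follows the one real path. Not the analysts' script.
  74 xx = JE/JZ rel8, 75 xx = JNE/JNZ rel8, EB xx = JMP rel8, 90 = NOP.
"""
from typing import Iterable, List, Tuple

JCC_SHORT = {0x74: "JE", 0x75: "JNE"}
JMP_SHORT = 0xEB
NOP2 = b"\x90\x90"


def _read_jcc(buf: bytearray, off: int) -> Tuple[int, int]:
    """Validate that a short JE/JNE sits at `off`; return (opcode, rel8)."""
    if off < 0 or off + 1 >= len(buf):
        raise ValueError(f"offset {off:#x} out of range")
    op = buf[off]
    if op not in JCC_SHORT:
        raise ValueError(f"byte {op:#04x} at {off:#x} is not a short JE/JNE")
    rel = int.from_bytes(buf[off + 1:off + 2], "little", signed=True)
    return op, rel


def patch_opaque_jumps(code: bytes,
                       always_taken: Iterable[int] = (),
                       never_taken: Iterable[int] = ()) -> Tuple[bytes, List[str]]:
    """Return (patched bytes, human-readable change log).
    always_taken: offsets of Jcc that always branch  -> rewrite to JMP rel8 (EB xx)
    never_taken:  offsets of Jcc that never branch   -> rewrite to NOP NOP (90 90)"""
    buf = bytearray(code)
    log = []
    for off in always_taken:
        op, rel = _read_jcc(buf, off)
        buf[off] = JMP_SHORT            # displacement byte is left untouched
        log.append(f"{off:#06x}: {JCC_SHORT[op]} {rel:+d} -> JMP {rel:+d}")
    for off in never_taken:
        op, rel = _read_jcc(buf, off)
        buf[off:off + 2] = NOP2         # fall through unconditionally
        log.append(f"{off:#06x}: {JCC_SHORT[op]} {rel:+d} -> NOP NOP")
    return bytes(buf), log


# Constructed toy buffer (x86, not from the sample):
#   31 C0      xor eax, eax
#   85 C0      test eax, eax      ; ZF is always set here -> the JE below always branches
#   74 02      je  +2             ; opaque predicate: jumps over the junk bytes
#   CC CC      junk (int3 int3)   ; never executed, but confuses linear disassembly
#   C3         ret
SAMPLE_CODE = bytes.fromhex("31c085c07402ccccc3")

if __name__ == "__main__":
    patched, changes = patch_opaque_jumps(SAMPLE_CODE, always_taken=[4])
    print(patched.hex())
    print("\n".join(changes))
```

Classifying which jumps are opaque remains the analyst's job (the report notes they always resolve to `True`); the script deliberately refuses to touch any offset that does not hold a short `JE`/`JNE`, so a stale offset list cannot silently corrupt unrelated code.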
## Indicators of Compromise
- File Hashes:
  - Extracted Payload (`vidar.bin`): dd15f493fc13d00bb1abc0ac20bb0f7dc44632e71b4fcde1c2889fc34dff6c14
- Network Indicators:
  - C2 Servers: `195[.]201[.]44[.]125`, `23[.]88[.]36[.]149:80`, `95[.]216[.]164[.]28:80`
## Associated Threat Actors
- Vidar has historically been used by various financially motivated threat actors.
## Detection Methods
- Signature-based detection: Matching on the Vidar payload hash.
- Behavioral detection: Monitoring dynamic API resolution combined with reads of files or locations known to store credentials, and detection of XOR decryption routines applied to the binary's own strings.
- YARA rules: Rules written against the binary's structure, specifically the opaque-predicate patterns or the XOR string-decryption functions.
## Mitigation Strategies
- Employ strong endpoint detection and response (EDR) capable of detecting suspicious memory access patterns typical of stealers.
- Restrict execution environment permissions to impede process injection.
- Maintain up-to-date security software, as Vidar payload signatures evolve rapidly.
## Related Tools/Techniques
- .NET Loader (Stage 1 Delivery mechanism).
- Custom XOR routines for string encryption.