Visualization of how the structures are nested within a single KeyRing node | Image: Gen Digital
Gen Digital researchers have documented a new technique the Vidar infostealer uses to defeat Application-Bound Encryption (ABE), the protection Google added to Chrome on Windows that ties the key guarding stored cookies and passwords to the browser process itself. Rather than attacking the key at rest, Vidar extracts the master key directly from the running browser's memory and uses it to decrypt the saved credentials, which is how the stolen data ends up in the attackers' hands.
- Malware Family: Vidar
- Threat Actor: Suspected financially motivated groups
- Target: Windows web browsers
- Delivery Vector: Malicious downloads and phishing
- Key Capabilities: Memory scanning, APC injections, Application-Bound Encryption bypass
- Source: Gen Digital
TL;DR
The Vidar infostealer bypasses Application-Bound Encryption in four moves: it forks the running browser to obtain a frozen memory snapshot, scans that snapshot for the encrypted master key, injects an APC into the live browser so that the browser decrypts the key in place, and reads the plaintext key from a second fork.
Malware Delivery Methods
Infostealers typically arrive via malicious downloads or phishing emails, and the victim runs them without realising it. Once active, Vidar goes straight for browser data, and specifically for the ABE master key, because that single key unlocks the stored passwords and cookies.
The Infection Chain
The bypass begins with memory scanning, which needs a browser process to scan; Vidar reuses a browser that is already running. It does not read the live process's memory directly, however. Instead, Vidar creates a fork of the browser, a clone whose address space is a copy of the original's. The report notes, “The resulting process has no threads and is never resumed.” Because nothing ever executes inside it, the fork serves as a static memory snapshot that the malware can read at leisure while the real browser keeps running.
Next, Vidar scans the forked memory with up to 64 worker threads, each searching its slice for a specific 32-byte pattern that marks where the encrypted key lives. The scan yields a list of candidate addresses; Vidar keeps the best ones and discards any candidate whose bytes are mostly zeroes, since real key material does not look like that.
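The following is an added example, not Vidar's or Gen Digital's code, that reproduces the fork-and-scan heuristic in miniature over a constructed memory image: a pool of up to 64 worker threads scans disjoint slices for a marker, each hit is scored by how many zero bytes follow the marker, and mostly-zero candidates are discarded. The marker value, the assumption that the key blob immediately follows it, the 32-byte blob length and the 50% zero threshold are all assumptions, since the page does not state the real pattern. It also shows a detail the text glosses over: a match that straddles two worker slices must be found exactly once.

```python
"""Snapshot scanner modelled on the fork-and-scan step described above.

Added example, not Gen Digital's or Vidar's code. The 32-byte marker, the
"key follows the marker" layout and the zero-ratio threshold are assumptions;
the page does not give the real pattern.
"""
import random
from concurrent.futures import ThreadPoolExecutor

MARKER = bytes(range(0xA0, 0xC0))   # hypothetical 32-byte pattern (0xA0..0xBF)
KEY_LEN = 32                        # assumed length of the encrypted key blob
MAX_WORKERS = 64                    # the report's worker-thread ceiling
MAX_ZERO_RATIO = 0.5                # assumed cut-off for "mostly zeroes"


def zero_ratio(buf: bytes) -> float:
    """Fraction of zero bytes; an empty buffer counts as all zeroes."""
    return buf.count(0) / len(buf) if buf else 1.0


def scan_range(snapshot: bytes, start: int, end: int, marker: bytes) -> list:
    """Offsets in [start, end) at which `marker` begins.

    A match may extend past `end`; only its start must fall in the range, so
    adjacent slices need no overlap and a straddling match is found once.
    """
    hits = []
    limit = end + len(marker) - 1          # a match starting at end-1 still fits
    pos = snapshot.find(marker, start, limit)
    while pos != -1:
        hits.append(pos)
        pos = snapshot.find(marker, pos + 1, limit)
    return hits


def scan_snapshot(snapshot: bytes, marker: bytes = MARKER,
                  workers: int = MAX_WORKERS) -> list:
    """Split the image across worker threads, collect candidates and rank them.

    Each candidate records the marker offset, the bytes that follow it, the
    zero ratio of those bytes and whether it survives the filter. The list is
    sorted best first (fewest zeroes).
    """
    if not snapshot:
        return []
    workers = max(1, min(workers, len(snapshot)))
    chunk = -(-len(snapshot) // workers)   # ceiling division
    ranges = [(lo, min(lo + chunk, len(snapshot)))
              for lo in range(0, len(snapshot), chunk)]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        per_chunk = list(pool.map(lambda r: scan_range(snapshot, r[0], r[1], marker), ranges))
    candidates = []
    for hits in per_chunk:
        for off in hits:
            blob = snapshot[off + len(marker): off + len(marker) + KEY_LEN]
            if len(blob) < KEY_LEN:
                continue                    # marker too close to the end of the image
            ratio = zero_ratio(blob)
            candidates.append({"offset": off, "blob": blob, "zero_ratio": ratio,
                               "kept": ratio <= MAX_ZERO_RATIO})
    candidates.sort(key=lambda c: c["zero_ratio"])
    return candidates


def best_candidate(snapshot: bytes):
    """The top-ranked candidate that passed the zero filter, or None."""
    for cand in scan_snapshot(snapshot):
        if cand["kept"]:
            return cand
    return None


def build_sample_snapshot(seed: int = 1):
    """Constructed 64 KiB 'memory image' for the demo (not a real browser dump).

    Plants one genuine-looking key behind a marker that straddles a 1 KiB
    slice boundary, plus a decoy whose trailing bytes are mostly zeroes.
    """
    rnd = random.Random(seed)
    real_key = bytes(rnd.randrange(1, 256) for _ in range(KEY_LEN))
    decoy = bytes(24) + bytes(rnd.randrange(1, 256) for _ in range(8))
    image = bytearray(rnd.randbytes(64 * 1024))
    image[1020:1052] = MARKER               # crosses the 1024-byte slice edge
    image[1052:1084] = real_key
    image[8192:8224] = MARKER
    image[8224:8256] = decoy
    return bytes(image), real_key


if __name__ == "__main__":
    snap, key = build_sample_snapshot()
    for c in scan_snapshot(snap):
        print(f"offset=0x{c['offset']:x} zero_ratio={c['zero_ratio']:.2f} kept={c['kept']}")
    print("best candidate is the planted key:", best_candidate(snap)["blob"] == key)
```

Running it on the constructed image ranks the planted key first and rejects the decoy at offset 0x2000; the 64-slice split deliberately puts one marker across a slice edge to show that slicing without overlap still catches it.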
Decrypting the Key Through APC Injection
Finding the key is not enough: in memory it is still encrypted, and only code running inside the original browser process can decrypt it. Vidar's solution is to make the browser do the work. It injects an Asynchronous Procedure Call (APC) into a thread of the live browser.
The APC method varies with the antivirus product installed on the machine. Once the APC runs, the browser decrypts the key in its own memory. Vidar then takes a second fork of the browser and reads the now-plaintext key out of that second snapshot.
“Whenever the data has changed, Vidar re-encrypts the key in the browser’s memory,” the researchers explain. That restores the browser to its normal state and leaves nothing obviously out of place. With the plaintext master key in hand, Vidar decrypts the stored cookies and passwords and sends them to the attacker's server.
Defense and Detection Guidance
Defenders should look for the process behaviour this chain produces rather than for the binary alone; Gen Digital's threat report details the findings. The most distinctive signal is a non-browser process forking a browser. On Windows that requires opening the browser process with PROCESS_CREATE_PROCESS access, and because the resulting clone never receives a thread it may not appear in ordinary process-creation telemetry, so the handle open itself is the event to alert on.
The second signal is APC injection into browser threads from an unrelated process. Detections keyed on CreateRemoteThread do not fire for a queued APC, so endpoint telemetry needs to cover the handle opens and memory writes that precede it. Together these behaviours are strong indicators of the Vidar ABE bypass, and a host showing them should be isolated for investigation.
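To make that guidance concrete, here is a small two-stage correlation over Sysmon Event ID 10 (ProcessAccess) records, added as an example and not taken from Gen Digital's report or any vendor rule set. It assumes a browser watch-list, a five-minute window and the constructed log lines embedded in the block; the access-mask constants are the documented Windows values. A non-browser process opening a browser with PROCESS_CREATE_PROCESS is recorded as a fork attempt (medium), and a later open of the same browser by the same process with PROCESS_VM_WRITE|PROCESS_VM_OPERATION, the rights needed to stage an APC payload, escalates it to high.

```python
"""Two-stage correlation over Sysmon Event ID 10 (ProcessAccess) records.

Added example for the detection guidance above; not Gen Digital's or any
vendor's rule. The log lines are constructed, and the browser watch-list and
five-minute window are assumptions. The access masks are Windows facts.
"""
import re
from datetime import datetime, timedelta

# Process access rights from winnt.h
PROCESS_CREATE_PROCESS = 0x0080   # needed to use the target as parent of a new (forked) process
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020

FORK_MASK = PROCESS_CREATE_PROCESS
INJECT_MASK = PROCESS_VM_WRITE | PROCESS_VM_OPERATION   # rights to plant an APC payload

BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe"}   # assumed watch-list
WINDOW = timedelta(minutes=5)                                 # assumed correlation window

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records in Sysmon's key=value style (not real telemetry).
SAMPLE_LOG = [
    r'UtcTime="2025-03-01 10:00:01" SourceImage=C:\Windows\System32\svchost.exe SourceProcessId=900 '
    r'TargetImage="C:\Program Files\Google\Chrome\Application\chrome.exe" TargetProcessId=3120 GrantedAccess=0x1000',
    r'UtcTime="2025-03-01 10:00:02" SourceImage="C:\Program Files\Google\Chrome\Application\chrome.exe" SourceProcessId=3120 '
    r'TargetImage="C:\Program Files\Google\Chrome\Application\chrome.exe" TargetProcessId=3344 GrantedAccess=0x1FFFFF',
    r'UtcTime="2025-03-01 10:00:05" SourceImage=C:\Users\jdoe\AppData\Local\Temp\updater.exe SourceProcessId=4412 '
    r'TargetImage="C:\Program Files\Google\Chrome\Application\chrome.exe" TargetProcessId=3120 GrantedAccess=0x80',
    r'UtcTime="2025-03-01 10:00:07" SourceImage=C:\Users\jdoe\AppData\Local\Temp\updater.exe SourceProcessId=4412 '
    r'TargetImage="C:\Program Files\Google\Chrome\Application\chrome.exe" TargetProcessId=3120 GrantedAccess=0x28',
    r'UtcTime="2025-03-01 10:00:09" SourceImage=C:\Users\jdoe\AppData\Local\Temp\updater.exe SourceProcessId=4412 '
    r'TargetImage="C:\Program Files\Google\Chrome\Application\chrome.exe" TargetProcessId=3120 GrantedAccess=0x80',
    r'UtcTime="2025-03-01 10:40:00" SourceImage=C:\Tools\backup.exe SourceProcessId=5120 '
    r'TargetImage="C:\Program Files\Google\Chrome\Application\chrome.exe" TargetProcessId=3120 GrantedAccess=0x28',
    r'UtcTime="2025-03-01 10:41:00" SourceImage=C:\Tools\backup.exe SourceProcessId=5120 '
    r'TargetImage="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" TargetProcessId=6000 GrantedAccess=0x80',
]


def parse_event(line: str) -> dict:
    """Parse one key=value record into typed fields (quoted values may contain spaces)."""
    f = {k: v.strip('"') for k, v in _FIELD.findall(line)}
    return {
        "time": datetime.strptime(f["UtcTime"], "%Y-%m-%d %H:%M:%S"),
        "src_image": f["SourceImage"], "src_pid": int(f["SourceProcessId"]),
        "tgt_image": f["TargetImage"], "tgt_pid": int(f["TargetProcessId"]),
        "access": int(f["GrantedAccess"], 16),
    }


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def correlate(lines) -> list:
    """Return alerts: 'high' for fork-then-write on the same browser PID, 'medium' for fork only."""
    forks = {}          # (src_pid, tgt_pid) -> first PROCESS_CREATE_PROCESS open
    alerts, escalated = [], set()
    for ev in sorted(map(parse_event, lines), key=lambda e: e["time"]):
        src, tgt = image_name(ev["src_image"]), image_name(ev["tgt_image"])
        if tgt not in BROWSER_IMAGES or src in BROWSER_IMAGES:
            continue    # only non-browser code opening a browser is interesting
        key = (ev["src_pid"], ev["tgt_pid"])
        if ev["access"] & FORK_MASK:
            forks.setdefault(key, ev)
        if ((ev["access"] & INJECT_MASK) == INJECT_MASK and key in forks
                and key not in escalated and ev["time"] - forks[key]["time"] <= WINDOW):
            escalated.add(key)
            alerts.append({"severity": "high", "source": ev["src_image"], "src_pid": ev["src_pid"],
                           "target": ev["tgt_image"], "tgt_pid": ev["tgt_pid"],
                           "fork_at": forks[key]["time"], "inject_at": ev["time"]})
    for key, ev in forks.items():
        if key not in escalated:
            alerts.append({"severity": "medium", "source": ev["src_image"], "src_pid": ev["src_pid"],
                           "target": ev["tgt_image"], "tgt_pid": ev["tgt_pid"],
                           "fork_at": ev["time"], "inject_at": None})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(f"[{a['severity']}] {image_name(a['source'])}({a['src_pid']}) -> "
              f"{image_name(a['target'])}({a['tgt_pid']}) fork={a['fork_at']} inject={a['inject_at']}")
```

On the sample, the updater.exe sequence (fork open, then a write-capable open two seconds later) produces the high alert, backup.exe's fork-only open on msedge.exe produces a medium one, and the svchost.exe query and the chrome.exe-to-chrome.exe open are ignored. Event 10 does not record thread-handle opens, so the QueueUserAPC step itself (THREAD_SET_CONTEXT on a browser thread) is invisible in this data source; the process-handle opens that precede it are the proxy.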