
Vidar Stealer, a notorious information-stealing malware that first emerged in 2018, continues to pose a significant threat by employing new distribution methods and evasion techniques. G DATA Security Lab’s analysis has uncovered a recent instance where Vidar Stealer was disguised within a legitimate system information tool.
Vidar Stealer functions as Malware-as-a-Service (MaaS) and is used by cybercriminals to steal sensitive data, including browser cookies, stored credentials, and financial information. Its distribution methods have evolved over time, from malicious email attachments to malvertising campaigns, and now, even the compromise of legitimate software.
In a recent analysis, G DATA Security Lab encountered a Vidar Stealer sample disguised as BGInfo.exe, a legitimate Microsoft Sysinternals tool. BGInfo is commonly used by IT professionals to display key system details on the desktop background, making it a trusted utility.
The malicious sample exhibited several red flags:
- Expired Signature: The file had an expired Microsoft signature, an immediate cause for suspicion.
- File Size Discrepancy: The malicious file was significantly larger than the official BGInfo.exe (10.2 MB vs. 2.1 MB).
- Different File Hashes: Cryptographic hashes of the official and malicious versions were different.
Because an Authenticode signature covers a hash of the signed file, any modification after signing breaks it; taken together with the size and hash differences, these discrepancies indicate that the legitimate BGInfo.exe had been tampered with to conceal the Vidar Stealer payload.
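The three indicators above are easy to check on any suspect copy. The following PowerShell function is an added example, not part of the G DATA write-up; it assumes you have a verified copy of BGInfo.exe obtained directly from Microsoft Sysinternals to serve as the known-good reference (the paths in the usage line are placeholders).

```powershell
# Added triage example: compare a suspect BGInfo.exe against a known-good copy.
# Checks the signature status, signer, certificate validity period, file size
# and SHA-256 hash. Paths are placeholders; the known-good file is assumed to
# have been downloaded directly from Microsoft Sysinternals.
function Compare-ToKnownGood {
    param(
        [Parameter(Mandatory)][string]$SuspectPath,
        [Parameter(Mandatory)][string]$KnownGoodPath
    )

    $suspect = Get-Item -LiteralPath $SuspectPath
    $good    = Get-Item -LiteralPath $KnownGoodPath

    $suspectHash = (Get-FileHash -LiteralPath $SuspectPath   -Algorithm SHA256).Hash
    $goodHash    = (Get-FileHash -LiteralPath $KnownGoodPath -Algorithm SHA256).Hash

    $sig = Get-AuthenticodeSignature -LiteralPath $SuspectPath

    $findings = [System.Collections.Generic.List[string]]::new()

    # 'Valid' means the embedded signature matches the current file content.
    # A file modified after signing reports 'HashMismatch'. Note that an
    # expired signing certificate alone is not proof of tampering: a signature
    # timestamped before expiry still validates, so the status is the decisive check.
    if ($sig.Status -ne 'Valid') {
        $findings.Add("Signature status is $($sig.Status): $($sig.StatusMessage)")
    }
    if ($sig.SignerCertificate) {
        if ($sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
            $findings.Add("Unexpected signer: $($sig.SignerCertificate.Subject)")
        }
        if ($sig.SignerCertificate.NotAfter -lt (Get-Date)) {
            $findings.Add("Signing certificate expired on $($sig.SignerCertificate.NotAfter)")
        }
    } else {
        $findings.Add('No signer certificate present')
    }
    if ($suspect.Length -ne $good.Length) {
        $findings.Add("Size $($suspect.Length) bytes differs from known-good $($good.Length) bytes")
    }
    if ($suspectHash -ne $goodHash) {
        $findings.Add("SHA-256 $suspectHash differs from known-good $goodHash")
    }

    [pscustomobject]@{
        Path            = $suspect.FullName
        Length          = $suspect.Length
        Sha256          = $suspectHash
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Suspicious      = $findings.Count -gt 0
        Findings        = $findings
    }
}

# Usage (placeholder paths): the suspect copy found on an endpoint versus a
# freshly downloaded Sysinternals copy.
Compare-ToKnownGood -SuspectPath 'C:\Suspect\BGInfo.exe' `
                    -KnownGoodPath 'C:\KnownGood\Bginfo.exe' | Format-List
```

For the sample described here, this check would report a non-`Valid` signature status together with a size roughly five times that of the genuine file and a differing hash; any one of those on a binary that claims to be a signed Microsoft tool is enough to pull it for analysis.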
The analysis revealed that the malware modifies the initialization routine of BGInfo.exe to redirect execution flow to the Vidar Stealer code. It does this by overwriting the address of RtlUserThreadStart, the ntdll routine in which every new user-mode thread begins before control reaches the program's own start routine, so the hijacked process runs attacker-controlled code before any legitimate BGInfo logic executes. That code then allocates memory, drops the Vidar Stealer binary into it, and executes it.
The analyzed Vidar Stealer variant demonstrates the typical capabilities of this malware:
- Credential Theft: It steals usernames and passwords from browsers and applications.
- Cryptocurrency Wallet Theft: It targets cryptocurrency wallets.
- Session Hijacking: It steals session tokens to bypass authentication.
- Cloud and Storage Data Theft: It extracts stored credentials from cloud services and file transfer applications.
The G DATA Security Lab analysis underscores Vidar Stealer's adaptability. By hiding inside a trusted, widely deployed tool like BGInfo.exe, it lowers the chance that users or administrators will question the file, and it can slip past controls that trust a binary on the strength of its name alone.