Vidar Malware Detection: Payloads Concealed in Microsoft Help Files

An unusual malware delivery method has been observed since February 2022. Recent research shows a resurgence of the Vidar information stealer, which has been operating since at least 2018. The latest Vidar campaign is straightforward except for one trick: this time, threat actors hide their payload within Microsoft’s help files.

Vidar spyware is believed to be either a fork or an evolved version of Arkei malware. It lets adversaries configure which types of information they want to steal. Previously, Vidar was associated with stealing crypto assets and financial credentials, along with Multi-Factor Authentication (MFA) data, browser history, documents, and cookies.

Use the detection content below to capture malicious behavior executed by the Vidar infostealer.

Vidar Spyware: How to Detect

Discover the latest detection content by our prolific Threat Bounty developers Osman Demir, Emir Erdogan, and Sittikorn Sangrattanapitak that is available right now upon logging into your account at SOC Prime’s Detection as Code platform. The rules that we suggest below will help to spot the latest malicious activity involving Vidar samples.

Possible Vidar Stealer Clean Up of Files (via process_creation)

Suspicious Vidar Malware Launcher by Disguising as Microsoft Help Files (via process_creation)

Possible Vidar/Mars Stealer File Creation (via file event)

The abovementioned rules are mapped to the most recent edition of MITRE ATT&CK® framework v.10, including the following techniques:

  • Shared Modules (T1129)
  • Unsecured Credentials (T1552)
  • Indicator Removal on Host (T1070)
  • User Execution (T1204)
  • Signed Binary Proxy Execution (T1218)

Explore the comprehensive list of detection content that can help to identify a whole range of Vidar activities. Eager to craft your own detection content? Then you are very welcome to join our Threat Bounty program that unites security professionals from all around the world. Submit your unique detection content and get recurring monetary rewards for your contribution.


Vidar Malware Analysis

The attack typically starts with the delivery of malicious files through phishing campaigns. Alternative ways of Vidar delivery include distribution through the PrivateLoader dropper and exploit kits like Fallout and GrandSoft.

Intelligence data indicates that attackers have been sending emails with subject lines like “Re: Unread…” to trick victims into believing that they have received a message from an ongoing communication chain, with a file that they are supposed to read. The body of the email doesn’t include anything particular, stating only that the attachment contains “important information”. This attachment, in turn, is an ISO file concealed under the name “request.doc”.

ISO is a disk image format that the attackers use as a malware container. The victim receives two files in this ISO attachment: a CHM and an EXE. Upon extraction of these two files into the same directory, the app.exe file starts running. This executable is what researchers call Vidar malware. It is capable of harvesting data and sending it to a command and control (C&C) server, while also evading system scanning, downloading additional malware, and deleting itself at the end of its malicious routine.
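The delivery chain described above can be checked at the mail gateway or during triage. The following Python sketch is an added example, not one of the SOC Prime rules listed on this page: it flags an attachment that carries a document extension but is actually an ISO 9660 image holding both a CHM and a Windows executable. The function names, the extension list, and the sample image are assumptions constructed for illustration.

```python
SECTOR = 2048                       # ISO 9660 logical sector size
PVD_MAGIC_AT = 16 * SECTOR + 1      # "CD001" follows the 1-byte descriptor type
DOC_EXTS = (".doc", ".docx", ".rtf")  # assumed list of "document" extensions

def is_iso9660(data: bytes) -> bool:
    return data[PVD_MAGIC_AT:PVD_MAGIC_AT + 5] == b"CD001"

def looks_like_pe(data: bytes, off: int) -> bool:
    """MZ header whose e_lfanew field points at a PE signature."""
    if data[off:off + 2] != b"MZ":
        return False
    lfanew = int.from_bytes(data[off + 0x3C:off + 0x40], "little")
    return data[off + lfanew:off + lfanew + 4] == b"PE\x00\x00"

def embedded_types(data: bytes) -> set:
    """Heuristic: file extents start on sector boundaries, so test magic bytes there."""
    found = set()
    for off in range(17 * SECTOR, len(data), SECTOR):
        if data[off:off + 4] == b"ITSF":        # CHM (compiled HTML help) signature
            found.add("chm")
        elif looks_like_pe(data, off):
            found.add("exe")
    return found

def triage_attachment(name: str, data: bytes) -> dict:
    # Extension says "document", content says "disk image": the trick from the campaign.
    disguised = name.lower().endswith(DOC_EXTS) and is_iso9660(data)
    contains = embedded_types(data) if disguised else set()
    return {"name": name, "disguised_iso": disguised,
            "contains": sorted(contains),
            "suspicious": disguised and {"chm", "exe"} <= contains}

def build_sample_image() -> bytes:
    """Constructed test input: volume descriptors plus two file-like extents.
    Not a mountable ISO (it has no directory records)."""
    def sector(b: bytes) -> bytes:
        return b.ljust(SECTOR, b"\x00")
    pe_stub = b"MZ".ljust(0x3C, b"\x00") + (0x40).to_bytes(4, "little") + b"PE\x00\x00"
    return (b"\x00" * 16 * SECTOR + sector(b"\x01CD001\x01")
            + sector(b"\xffCD001\x01") + sector(b"ITSF") + sector(pe_stub))

if __name__ == "__main__":
    print(triage_attachment("request.doc", build_sample_image()))
    # A genuine legacy .doc starts with the OLE2 magic and is not flagged.
    print(triage_attachment("report.doc", bytes.fromhex("D0CF11E0A1B11AE1") + b"\x00" * 512))
```

The sector-boundary scan is a heuristic for quick triage; a production pipeline would walk the ISO directory records and pass the extracted files to its normal scanning stage.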

Being able to use the newest research for the right detection content at the right time might be challenging now that the cyber-attack landscape is rapidly evolving. Embrace the power of collaborative cyber defense by joining our SOC Prime Detection as Code platform where you can instantly access and deploy rules created by the brightest minds of our global cybersecurity community.
