Vidar is an infostealer malware operating as malware-as-a-service that was first discovered in the wild in late 2018. The malware runs on Windows and can collect a wide range of sensitive data from browsers and digital wallets. Additionally, the malware is used as a downloader for ransomware. Since its emergence in 2018, Vidar has grown to one of the most successful infostealers in the business. According to Check Point’s 2022 Cyber Security report, the malware was the fourth most common infostealer malware worldwide.
The Vidar malware is typically delivered via email, recently, in many campaigns as an ISO file, which is a disk image file format commonly used by malware authors to package their malware. In Vidar’s case, the malicious ISO has been embedded in fake installers for legitimate software such as Adobe Photoshop and Microsoft Teams, delivered via the Fallout exploit hit, and sent as an attachment to phishing emails.
Once the malware reaches an infected machine, it uses a few different techniques to protect against detection. Among these are the use of a large executable file — designed to defeat antivirus scanners — and files digitally signed with an expired and potentially breached Avast digital certificate.
Vidar is an infostealer and frequently uses social media as part of its command and control (C2) infrastructure. The IP address of the C2 infrastructure will be embedded in a user profile on platforms like Mastodon or Twitter. The malware can access this profile, contact the indicated IP address, and download configuration files, instructions, and additional malware.
Vidar is primarily an infostealer, meaning that it is designed to collect a variety of sensitive information from an infected computer and exfiltrate this data to an attacker. Some examples of the information that Vidar collects from infected computers, browsers, and digital wallets include the following:
In addition to collecting sensitive data, Vidar can also be used as a downloader for other malware. The C2 server can specify a link that the malware will download a file to and then execute it. This has allowed Vidar operators to sell access to infected machines to other cybercriminals, who deploy ransomware.
Vidar is an infostealer malware that can also be used to deliver additional forms of malware. Some of the ways that an organization can protect against this malware threat include the following:
Vidar is typically installed on a computer after files in its malicious ISO file are executed, either directly by a user or by a malicious installer. If an endpoint security solution is installed on a computer, it should be able to identify and remediate the infection by removing the malware from the system.
Vidar has become one of the leading malware variants, but it is one among many. To learn about the leading malware and other cyber threats that companies face, check out Check Point’s 2022 Cyber Security report.
For Vidar and other malware, one of the most effective means of preventing and remediating infections is an endpoint security solution. Check Point Harmony Endpoint is a prevention-focused endpoint security tool that enables companies to implement enterprise-grade endpoint security at scale. To learn more about how Harmony Endpoint can help protect against malware infections and other endpoint security threats, sign up for a free demo today.
Harmony Endpoint Solution Brief