What is Vidar Malware?

Vidar is an infostealer malware operating as malware-as-a-service that was first discovered in the wild in late 2018. The malware runs on Windows and can collect a wide range of sensitive data from browsers and digital wallets. It is also used as a downloader for ransomware. Since its emergence in 2018, Vidar has grown into one of the most successful infostealers in the business. According to Check Point’s 2022 Cyber Security report, the malware was the fourth most common infostealer malware worldwide.


How Does It Work?

The Vidar malware is typically delivered via email; in many recent campaigns it arrives as an ISO file, a disk image format that malware authors commonly use to package their payloads. In Vidar’s case, the malicious ISO has been embedded in fake installers for legitimate software such as Adobe Photoshop and Microsoft Teams, delivered via the Fallout exploit kit, and sent as an attachment to phishing emails.

Once the malware reaches a machine, it uses a few different techniques to evade detection. Among these are an unusually large executable file, designed to defeat antivirus scanners, and files digitally signed with an expired and potentially compromised Avast digital certificate.

Vidar frequently uses social media as part of its command and control (C2) infrastructure. The IP address of the C2 server is embedded in a user profile on a platform such as Mastodon or Twitter. The malware fetches this profile, extracts the address, contacts the indicated IP, and downloads configuration files, instructions, and additional malware.
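The profile-fetch-then-raw-IP sequence described above is something a defender can look for in endpoint network telemetry. The following is an added example (not Check Point code) that flags a non-browser process fetching a profile on a dead-drop platform and then contacting a bare IPv4 address shortly afterwards; the log format, the platform list, the browser allow-list and the time window are all assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of per-process network-log lines (not real telemetry):
# "<ISO timestamp> <process> <destination URL>"
SAMPLE_LOG = """\
2023-03-01T10:00:01 chrome.exe https://mastodon.social/@someuser
2023-03-01T10:00:05 chrome.exe https://203.0.113.10/
2023-03-01T10:02:10 updater.exe https://mastodon.social/@dropprofile
2023-03-01T10:02:14 updater.exe http://198.51.100.23/
2023-03-01T10:05:00 svchost.exe https://twitter.com/someprofile
2023-03-01T10:20:00 svchost.exe http://192.0.2.44/
"""

# Platforms the text names as dead drops (hypothetical list; extend as needed).
DEAD_DROP_HOSTS = ("mastodon.social", "twitter.com")
# Processes expected to browse social media (hypothetical allow-list).
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}
# Maximum gap between the profile fetch and the raw-IP contact to correlate.
WINDOW = timedelta(seconds=60)

URL_RE = re.compile(r"^https?://([^/:]+)")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_line(line):
    """Split one log line into (timestamp, process, destination host)."""
    ts, proc, url = line.split(maxsplit=2)
    return datetime.fromisoformat(ts), proc, URL_RE.match(url).group(1)


def find_dead_drop_beacons(log_text):
    """Return (process, ip) pairs where a non-browser process fetched a
    dead-drop profile and then contacted a bare IPv4 address within WINDOW."""
    last_profile_fetch = {}  # process -> time of its latest dead-drop fetch
    alerts = []
    for line in log_text.splitlines():
        ts, proc, host = parse_line(line)
        if proc in BROWSERS:
            continue  # ordinary browsing of social media is expected
        if host in DEAD_DROP_HOSTS:
            last_profile_fetch[proc] = ts
        elif IPV4_RE.match(host) and proc in last_profile_fetch:
            if ts - last_profile_fetch[proc] <= WINDOW:
                alerts.append((proc, host))
    return alerts


if __name__ == "__main__":
    for proc, ip in find_dead_drop_beacons(SAMPLE_LOG):
        print(f"possible dead-drop C2 resolution: {proc} -> {ip}")
```

On the sample above only updater.exe is flagged: the browser traffic is allow-listed and svchost.exe's raw-IP contact falls outside the window.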

The Threat

Vidar is primarily an infostealer, meaning that it is designed to collect a variety of sensitive information from an infected computer and exfiltrate this data to an attacker. Some examples of the information that Vidar collects from infected computers, browsers, and digital wallets include the following:

  • OS data
  • Account credentials
  • Credit card data
  • Browser history

In addition to collecting sensitive data, Vidar can also be used as a downloader for other malware. The C2 server can supply a URL from which the malware downloads a file and then executes it. This has allowed Vidar operators to sell access to infected machines to other cybercriminals, who use it to deploy ransomware.

How to Protect Against Vidar Malware

Vidar is an infostealer malware that can also be used to deliver additional forms of malware. Some of the ways that an organization can protect against this malware threat include the following:

  • Employee Training: Vidar is commonly distributed via phishing emails or fake downloads of legitimate software, which actually deliver the malware. Training employees to recognize and respond properly to malicious attachments and to avoid cracked copies of legitimate software can reduce the threat of a Vidar infection.
  • Email Security: Many Vidar campaigns deliver the malicious ISO file as an attachment to a phishing email. Email security solutions that inspect email attachments for malicious content can identify and block the Vidar malware before it reaches a user’s inbox.
  • Web Security: Vidar malware can be distributed as part of a malicious download where the malware masquerades as a free version of legitimate software. Web security solutions can identify and block malicious downloads and visits to dangerous sites before malware can reach a user’s computer.
  • Endpoint Security: Vidar is malware that may also download and execute other malware. An endpoint security solution can help to block malicious downloads and clean up infections on a computer.
  • Strong Passwords: Vidar steals credentials from various locations, but some of this data may be password hashes rather than plaintext passwords. Using strong, long, random passwords makes these hashes more difficult for an attacker to crack.
  • Multi-Factor Authentication (MFA): Because Vidar is an infostealer, user credentials are a major target of the malware. Deploying MFA wherever possible makes it more difficult for an attacker to use the credentials they have stolen.

How Can Vidar Malware Be Removed?

Vidar is typically installed on a computer after files in its malicious ISO file are executed, either directly by a user or by a malicious installer. If an endpoint security solution is installed on a computer, it should be able to identify and remediate the infection by removing the malware from the system.

Vidar Detection and Protection with Check Point

Vidar has become one of the leading malware variants, but it is one among many. To learn about the leading malware and other cyber threats that companies face, check out Check Point’s 2022 Cyber Security report.

For Vidar and other malware, one of the most effective means of preventing and remediating infections is an endpoint security solution. Check Point Harmony Endpoint is a prevention-focused endpoint security tool that enables companies to implement enterprise-grade endpoint security at scale. To learn more about how Harmony Endpoint can help protect against malware infections and other endpoint security threats, sign up for a free demo today.
