Vidar Information Stealing Trojan
Vidar is an information stealing trojan based on the Arkei malware. It is available for purchase on several dark web forums and can be operated on an as-a-service basis.
At the time of publication, Vidar appears to be delivered solely by the Fallout and GrandSoft exploit kits, although this is likely to change as more affiliate users begin to distribute Vidar in their own campaigns.
The malware is sold on the black market for around $700, and also comes with its own Command & Control shop portal where additional payloads can be added to the initial one.
Once installed, Vidar can collect a wide variety of data, including:
- User and system information
- Banking credentials and payment card details
- Application login details
- Browser histories, including the Tor browser
- Cryptocurrency wallet keys
- Email and message conversations
Affiliate users can customise the types and amount of data Vidar collects through a web portal. Collected information is sent to a command and control server via unencrypted HTTP POST requests.
Affected Platforms:
- Microsoft Windows – All versions
Indicators of Compromise (IOCs)
- Vidar binary: E99DAF10E6CB98E93F82DBE344E6D6B483B9073E80B128C163034F68DE63BE33
- Vidar C2: kolobkoproms[.]ug
- Loader URL (GandCrab): ovz1.fl1nt1kk.10301.vps.myjino[.]ru/topup.exe
- GandCrab binary: ABF3FDB17799F468E850D823F845647738B6674451383156473F1742FFBD61EC
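As an added example (not part of the original advisory), the following Python turns the indicators above into a simple detector: it refangs the defanged hosts, matches file hashes (the 64-character values are assumed to be SHA-256), and scans proxy log lines for the unencrypted HTTP POST exfiltration to the C2 described earlier. The log layout and the sample lines are constructed for this example.

```python
import re
from typing import List, Optional

# Indicators published on this page, kept defanged as printed; refang() undoes that for matching.
KNOWN_HASHES = {  # hash (lower-case hex) -> label; assumed SHA-256 from the digest length
    "e99daf10e6cb98e93f82dbe344e6d6b483b9073e80b128c163034f68de63be33": "Vidar binary",
    "abf3fdb17799f468e850d823f845647738b6674451383156473f1742ffbd61ec": "GandCrab binary",
}
KNOWN_HOSTS = {
    "kolobkoproms[.]ug": "Vidar C2",
    "ovz1.fl1nt1kk.10301.vps.myjino[.]ru": "GandCrab loader host",
}

def refang(indicator: str) -> str:
    """Turn a defanged host such as example[.]com back into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()

REFANGED_HOSTS = {refang(h): label for h, label in KNOWN_HOSTS.items()}

# Assumed (constructed) proxy log layout: "<timestamp> <client_ip> <METHOD> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"(?P<scheme>https?)://(?P<host>[^/\s:]+)\S* (?P<status>\d{3})$"
)

def classify_hash(sha256_hex: str) -> Optional[str]:
    """Return the IOC label for a hex digest, or None when it is not a known indicator."""
    return KNOWN_HASHES.get(sha256_hex.strip().lower())

def check_proxy_line(line: str) -> Optional[str]:
    """Return an alert for a log line that touches a known host, else None.
    Vidar exfiltrates over plain HTTP POST, so a POST to the C2 over http is the strongest signal."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable line: ignore rather than crash the scan
    host = m.group("host").lower()
    label = REFANGED_HOSTS.get(host)
    if label is None:
        return None
    if label == "Vidar C2" and m.group("method") == "POST" and m.group("scheme") == "http":
        return f"{label}: unencrypted POST from {m.group('client')} to {host} (likely data exfiltration)"
    return f"{label}: {m.group('method')} from {m.group('client')} to {host}"

def scan_proxy_log(lines: List[str]) -> List[str]:
    """Run check_proxy_line over every line and keep only the alerts."""
    return [a for a in (check_proxy_line(l) for l in lines) if a]

# Constructed sample log lines (not real traffic), in the assumed layout above.
SAMPLE_LOG = [
    "2019-01-10T12:00:01Z 10.0.0.5 GET http://ovz1.fl1nt1kk.10301.vps.myjino.ru/topup.exe 200",
    "2019-01-10T12:00:09Z 10.0.0.5 POST http://kolobkoproms.ug/ 200",
    "2019-01-10T12:00:12Z 10.0.0.7 GET https://example.com/index.html 200",
]
```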

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.