Don’t Be Fooled Into Downloading Vidar

The NJCCIC has observed a rise in attacks distributing Vidar Stealer. Vidar operates as a Malware-as-a-Service (MaaS) information stealer and was first identified in 2018. It can gather passwords, cookies, auto-fill data, cryptocurrency wallets, files, device information, and installed software. Over time, it has received many updates and improvements, including a recent change that shifted its codebase from C++ to C. Some of the new features of the 2.0 version include:

  • Using a “reflective DLL injection” method to retrieve encryption keys directly from a browser’s active memory, bypassing security features used by popular browsers.
  • Hiding its Command & Control (C2) server addresses in the profile descriptions of legitimate social media accounts, so its network traffic looks like normal social media browsing.
  • Appending “null bytes” to its executable to trick anti-virus (AV) software, expanding the file to over 500MB. Many AV scanners skip files this large to conserve system resources.

Since Vidar is sold as part of a MaaS model, there are several distribution methods to watch for. One common method involves compromised websites that unknowingly host the malicious ClickFix lure; if the end user follows the instructions in the prompt, Vidar is downloaded and installed on their device. Other observed distribution methods include mentions in YouTube video descriptions, bundling with pirated software downloads, posing as gaming cheats or mods, and appearing as legitimate downloads for popular free software.

Recommendations

  • Avoid clicking links and opening attachments in unsolicited emails.
  • Confirm requests from senders via contact information obtained from verified and official sources.
  • Submit account credentials only on official websites.
  • Download applications and software only from official sources.
  • Maintain robust and up-to-date endpoint detection tools on every endpoint.
  • Consider leveraging behavior-based detection tools rather than signature-based tools.
  • If you suspect an account has been compromised, change the account’s password immediately and ensure MFA is enabled for all online accounts.
  • Review the NJCCIC product “Don’t Take the Bait! Phishing and Other Social Engineering Attacks” for more information on common phishing and social engineering attacks.
  • Report malicious cyber activity to the NJCCIC and the FBI’s IC3.