Vidar infostealer is a malware that steals sensitive information from cryptocurrency wallets, web browsers, and other applications like WinSCP, Telegram, and Authy 2FA on infected Windows endpoints. It can collect saved credentials, hardware, and software information on infected endpoints. The malware sends the stolen data to a remote command and control (C2) server.
Previously, Vidar communicated with C2 servers that were hard-coded inside the malware. Recently, the malware communicates with continuously changing C2 servers that it receives from legitimate websites. These constantly changing C2 servers make it difficult for security teams to decide what to block.
Threat actors usually distribute Vidar through phishing emails, cracked versions of commercial applications, and keygens. Recently, threat actors have abused AnyDesk and Notepad++ to distribute this malware.
This blog post shows how we use Wazuh to detect Vidar on an infected Windows endpoint.
Behavioral analysis of Vidar infostealer
- Vidar downloads
freebl3.dll
,mozglue.dll
,msvcp140.dll
,nss3.dll
,softokn3.dll
, andvcruntime140.dll
from a C2 server and saves them in theC:\ProgramData
folder of the infected endpoint. Vidar uses these DLL files to steal information from the infected endpoint. - The malware creates a
C:\ProgramData\<RANDOM_FOLDER>\files
folder. This folder contains subfolders and files that store stolen data from the infected endpoint. - Vidar archives the stolen data into
C:\ProgramData\<RANDOM_FOLDER>\<MACHINE_GUID>.zip
and sends it to a C2 server. - The malware finally deletes itself and the files it creates from the infected endpoint by executing the following command:
> C:\Windows\System32\cmd.exe /c taskkill /im <VIDAR_EXECUTABLE> /f & timeout /t 6 & del /f /q \" <VIDAR_FILEPATH>\" & del C:\ProgramData\*.dll & exit
Infrastructure
To demonstrate how Wazuh can detect Vidar, we use the following infrastructure:
- A pre-built ready-to-use Wazuh OVA 4.3.10. Follow this guide to download the virtual machine.
- A Windows 10 victim endpoint that has the Wazuh agent 4.3.10 installed. To install the Wazuh agent, refer to the following guide.
Detection with Wazuh
In this blog post, we use the following techniques to detect the malicious activities of Vidar on a Windows 10 endpoint:
- VirusTotal integration: To detect Vidar malware files on a Windows endpoint.
- Detection rules: To detect malicious activities performed by Vidar malware.
VirusTotal integration
VirusTotal is an online service that analyzes files, domain names, URLs, and IP addresses for threat detection. Wazuh has out-of-the-box integration with VirusTotal, which relies on the Wazuh file integrity monitoring (FIM) module to detect malicious file hashes.
Victim endpoint
Perform the following steps to configure FIM on the victim endpoint.
1. Edit the Wazuh agent C:\Program Files (x86)\ossec-agent\ossec.conf
file.
2. Add the below configuration within the <syscheck>
block to monitor the Downloads
folders of all users in real-time:
<directories realtime="yes">C:\Users\*\Downloads</directories>
Note
In this blog post, we monitor the Downloads
folder of all users. However, you can configure other folders you wish to monitor.
3. Launch PowerShell with administrative privilege, and restart the Wazuh agent for the changes to take effect:
> Restart-Service -Name wazuh
Wazuh server
Perform the following steps to configure VirusTotal integration on the Wazuh server.
1. Edit the Wazuh server /var/ossec/etc/ossec.conf
file by adding the following configuration within the <ossec_config>
block:
<integration> <name>virustotal</name> <api_key>{VIRUSTOTAL_API_KEY}</api_key> <group>syscheck</group> <alert_format>json</alert_format> </integration>
Where {VIRUSTOTAL_API_KEY}
represents the API key obtained from the VirusTotal website.
2. Restart the Wazuh manager for the changes to take effect:
# systemctl restart wazuh-manager
Testing the VirusTotal integration
The image below shows FIM and VirusTotal alerts when we add the Vidar malware file to the Downloads
folder.
Using detection rules
We use Sysmon to monitor several system events and create rules on the Wazuh server to detect the malicious activities of Vidar malware.
Follow the steps below to detect the malicious activities performed by Vidar malware on the Windows endpoint.
Victim endpoint
Perform the following steps to install Sysmon on the victim endpoint and configure the Wazuh agent to collect Sysmon logs.
1. Download Sysmon and the configuration file sysmonconfig.xml.
2. Edit the sysmonconfig.xml
file and include the below configuration within the <EventFiltering>
block:
<!-- This configuration detects when Vidar downloads, creates and loads malicious files inside the ProgramData folder --> <RuleGroup groupRelation="or"> <FileCreate onmatch="include"> <TargetFilename condition="contains">\ProgramData\</TargetFilename> </FileCreate> </RuleGroup>
3. Launch PowerShell with administrative privilege, and install Sysmon as follows:
> .\Sysmon64.exe -accepteula -i .\sysmonconfig.xml
4. Edit the Wazuh agent C:\Program Files (x86)\ossec-agent\ossec.conf
file and include the following settings within the <ossec_config>
block:
<!-- Configure Wazuh agent to receive events from Sysmon --> <localfile> <location>Microsoft-Windows-Sysmon/Operational</location> <log_format>eventchannel</log_format> </localfile>
5. Restart the Wazuh agent for the changes to take effect:
> Restart-Service -Name wazuh
Wazuh server
Perform the following steps to configure detection rules on the Wazuh server.
1. Create the file /var/ossec/etc/rules/vidar_info_stealer.xml
on the Wazuh server:
# touch /var/ossec/etc/rules/vidar_info_stealer.xml
2. Edit the file /var/ossec/etc/rules/vidar_info_stealer.xml
and include the following detection rules for Vidar malware:
<group name="windows,sysmon,vidar_detection_rule,"> <!-- Vidar downloads malicious DLL files on victim endpoint --> <rule id="100084" level="10"> <if_sid>61613</if_sid> <field name="win.eventdata.image" type="pcre2">(?i)\\\\.+(exe|dll|bat|msi)</field> <field name="win.eventdata.targetFilename" type="pcre2">(?i)\\\\ProgramData\\\\(freebl3|mozglue|msvcp140|nss3|softokn3|vcruntime140)\.dll</field> <description>Possible Vidar malware detected. $(win.eventdata.targetFilename) was downloaded on $(win.system.computer)</description> <mitre> <id>T1056.001</id> </mitre> </rule> <!-- Vidar loads malicious DLL files --> <rule id="100085" level="12"> <if_sid>61609</if_sid> <field name="win.eventdata.image" type="pcre2">(?i)\\\\.+(exe|dll|bat|msi)</field> <field name="win.eventdata.imageLoaded" type="pcre2">(?i)\\\\programdata\\\\(freebl3|mozglue|msvcp140|nss3|softokn3|vcruntime140)\.dll</field> <description>Possible Vidar malware detected. Malicious $(win.eventdata.imageLoaded) file loaded by $(win.eventdata.image)</description> <mitre> <id>T1574.002</id> </mitre> </rule> <!-- Vidar deletes itself or a malicious process it creates --> <rule id="100086" level="7" frequency="5" timeframe="360"> <if_sid>61603</if_sid> <if_matched_sid>100085</if_matched_sid> <field name="win.eventdata.image" type="pcre2">(?i)\\\\cmd.exe</field> <match type="pcre2">cmd.exe\\" /c timeout /t \d{1,}.+del /f /q \\".+(exe|dll|bat|msi)</match> <description>Possible Vidar malware detected. Malware deletes $(win.eventdata.parentCommandLine)</description> <mitre> <id>T1070.004</id> </mitre> </rule> </group>
Where:
- Rule ID
100084
is triggered when Vidar malware downloads malicious DLL files on the victim endpoint. - Rule ID
100085
is triggered when Vidar loads the downloaded malicious DLL files. - Rule ID
100086
is triggered when Vidar malware deletes itself or a malicious process.
3. Restart the Wazuh manager for the changes to take effect:
# systemctl restart wazuh-manager
Testing the detection rules
The alerts below are generated on the Wazuh dashboard when we run Vidar on the Windows endpoint.
Conclusion
In this blog post, we have successfully used Wazuh to detect the behavior of Vidar malware. Specifically, we used VirusTotal and Sysmon integration with Wazuh to detect Vidar malware on a Windows endpoint.
Wazuh is a free and open source enterprise-ready security solution for threat detection, incident response, and compliance. Wazuh integrates seamlessly with third-party solutions and technologies. Wazuh also has an ever-growing community where users are supported. To learn more about Wazuh, please check out our documentation and blog posts.