Vidar is an information-stealing malware (infostealer) that harvests sensitive data from cryptocurrency wallets, web browsers, and applications such as WinSCP, Telegram, and Authy 2FA on infected Windows endpoints. It also collects saved credentials and an inventory of the hardware and software on the endpoint, then sends everything to a remote command and control (C2) server.

Earlier Vidar builds carried hard-coded C2 addresses. Newer builds retrieve their current C2 address from content the operators post on legitimate websites (a dead-drop resolver), so the C2 infrastructure changes continuously and blocking by static network indicator is unreliable. That is why the detection in this post focuses on what the malware does on the host rather than on where it connects.

Threat actors usually distribute Vidar through phishing emails, cracked versions of commercial applications, and keygens. Recently, threat actors have abused the names of popular applications such as AnyDesk and Notepad++ to distribute this malware.

This blog post shows how we use Wazuh to detect Vidar on an infected Windows endpoint.

Behavioral analysis of Vidar infostealer

  • Vidar downloads freebl3.dll, mozglue.dll, msvcp140.dll, nss3.dll, softokn3.dll, and vcruntime140.dll from a C2 server and saves them in the C:\ProgramData folder of the infected endpoint. These are legitimate Mozilla NSS and Visual C++ runtime libraries that Vidar needs to decrypt browser credential stores, so their hashes are not malicious; the signal is the unusual location they are dropped in and the process that loads them.
  • The malware creates a C:\ProgramData\<RANDOM_FOLDER>\files folder. This folder contains subfolders and files that store stolen data from the infected endpoint.
  • Vidar archives the stolen data into C:\ProgramData\<RANDOM_FOLDER>\<MACHINE_GUID>.zip and sends it to a C2 server.
  • The malware finally deletes itself and the files it creates from the infected endpoint by executing a command of the following form:
> C:\Windows\System32\cmd.exe /c taskkill /im <VIDAR_EXECUTABLE> /f & timeout /t 6 & del /f /q \" <VIDAR_FILEPATH>\" & del C:\ProgramData\*.dll & exit
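The script below is an added example, not code from the original post or from Wazuh. It turns the three on-disk traces listed above into a quick host triage check: the six support DLLs sitting directly in ProgramData, a <RANDOM_FOLDER>\files staging directory, and a <MACHINE_GUID>.zip archive (the GUID pattern assumes the archive is named after the HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid value, which is a standard GUID). build_sample_tree() constructs a fake layout with placeholder bytes so the scan can be run offline; on a real endpoint, point scan_programdata() at C:\ProgramData.

```python
import re
import tempfile
from pathlib import Path

# Support DLLs Vidar drops directly into C:\ProgramData (from the behavioral analysis above)
VIDAR_DLLS = {"freebl3.dll", "mozglue.dll", "msvcp140.dll", "nss3.dll",
              "softokn3.dll", "vcruntime140.dll"}
# Assumption: the archive is named <MachineGuid>.zip, and MachineGuid is a standard GUID
MACHINE_GUID_ZIP = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.zip$", re.I)


def scan_programdata(root):
    """Return the Vidar on-disk traces found under a ProgramData-style directory."""
    root = Path(root)
    findings = {"dropped_dlls": [], "collection_dirs": [], "archives": []}
    for entry in root.iterdir():
        # 1. Support DLLs sitting directly in ProgramData, not inside a vendor folder
        if entry.is_file() and entry.name.lower() in VIDAR_DLLS:
            findings["dropped_dlls"].append(entry.name.lower())
            continue
        if not entry.is_dir():
            continue
        try:
            # 2. <RANDOM_FOLDER>\files staging directory for the stolen data
            if (entry / "files").is_dir():
                findings["collection_dirs"].append(str(entry))
            # 3. <RANDOM_FOLDER>\<MACHINE_GUID>.zip archive prepared for exfiltration
            for child in entry.iterdir():
                if child.is_file() and MACHINE_GUID_ZIP.match(child.name):
                    findings["archives"].append(str(child))
        except PermissionError:
            # Some ProgramData subfolders are ACL-restricted; skip them rather than abort
            continue
    findings["dropped_dlls"].sort()
    return findings


def is_suspicious(findings):
    """The DLLs are legitimate files, so one alone is weak; a staging dir or archive is not."""
    return (len(findings["dropped_dlls"]) >= 3
            or bool(findings["collection_dirs"])
            or bool(findings["archives"]))


def build_sample_tree(root):
    """Constructed layout mimicking an infected ProgramData; placeholder bytes, not malware."""
    root = Path(root)
    for name in VIDAR_DLLS:
        (root / name).write_bytes(b"MZ placeholder")
    staging = root / "A1B2C3D4"                      # stands in for <RANDOM_FOLDER>
    (staging / "files" / "Wallets").mkdir(parents=True)
    (staging / "files" / "passwords.txt").write_text("constructed sample\n")
    (staging / "6f1e2a4b-0c3d-4e5f-8a9b-0c1d2e3f4a5b.zip").write_bytes(b"PK\x03\x04")
    (root / "Microsoft" / "Windows").mkdir(parents=True)   # benign vendor folder, not reported
    return root


def demo(infected=True):
    """Scan a temporary directory, infected or clean, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        if infected:
            build_sample_tree(tmp)
        return scan_programdata(tmp)


if __name__ == "__main__":
    result = demo()
    print("suspicious" if is_suspicious(result) else "clean", result)
```

Because Vidar deletes the DLLs and its own executable at the end of a run, the staging directory and archive are often the only traces left by the time a responder looks; the scan therefore treats either of those as sufficient on its own, and the DLLs as corroboration.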

Infrastructure

To demonstrate how Wazuh can detect Vidar, we use the following infrastructure:

  • A pre-built ready-to-use Wazuh OVA 4.3.10. Follow this guide to download the virtual machine.
  • A Windows 10 victim endpoint that has the Wazuh agent 4.3.10 installed. To install the Wazuh agent, refer to the following guide.

Detection with Wazuh

In this blog post, we use the following techniques to detect the malicious activities of Vidar on a Windows 10 endpoint:

  • VirusTotal integration: To detect Vidar malware files on a Windows endpoint.
  • Detection rules: To detect malicious activities performed by Vidar malware.

VirusTotal integration

VirusTotal is an online service that analyzes files, domain names, URLs, and IP addresses for threat detection. Wazuh has an out-of-the-box VirusTotal integration that builds on the file integrity monitoring (FIM) module: when FIM reports a new or modified file, the integration looks up the file's hash in VirusTotal and raises an alert if antivirus engines flag it. The file itself is never uploaded, so a freshly built sample whose hash VirusTotal has not seen will not be flagged; the Sysmon-based rules later in this post cover that case.

Victim endpoint

Perform the following steps to configure FIM on the victim endpoint.

1. Edit the Wazuh agent C:\Program Files (x86)\ossec-agent\ossec.conf file.

2. Add the below configuration within the <syscheck> block to monitor the Downloads folders of all users in real-time:

<directories realtime="yes">C:\Users\*\Downloads</directories>

Note

In this blog post, we monitor the Downloads folder of all users. However, you can configure other folders you wish to monitor.

3. Launch PowerShell with administrative privilege, and restart the Wazuh agent for the changes to take effect:

> Restart-Service -Name wazuh

Wazuh server

Perform the following steps to configure VirusTotal integration on the Wazuh server.

1. Edit the Wazuh server /var/ossec/etc/ossec.conf file by adding the following configuration within the <ossec_config> block:

<integration>
  <name>virustotal</name>
  <api_key>{VIRUSTOTAL_API_KEY}</api_key>
  <group>syscheck</group>
  <alert_format>json</alert_format>
</integration>

Where {VIRUSTOTAL_API_KEY} represents the API key obtained from the VirusTotal website. The free public API is rate-limited, so monitoring a busy directory can produce delayed or missing lookups; scope the FIM directories accordingly.

2. Restart the Wazuh manager for the changes to take effect:

# systemctl restart wazuh-manager

Testing the VirusTotal integration

The image below shows FIM and VirusTotal alerts when we add the Vidar malware file to the Downloads folder.

Figure 1: Vidar malware detected on victim endpoint

Using detection rules

We use Sysmon to monitor several system events and create rules on the Wazuh server to detect the malicious activities of Vidar malware.

Follow the steps below to detect the malicious activities performed by Vidar malware on the Windows endpoint.

Victim endpoint

Perform the following steps to install Sysmon on the victim endpoint and configure the Wazuh agent to collect Sysmon logs.

1. Download Sysmon and the configuration file sysmonconfig.xml.

2. Edit the sysmonconfig.xml file and include the below configuration within the <EventFiltering> block:

<!-- Records Vidar writing its support DLLs into ProgramData (event ID 11) and loading them
     from there (event ID 7). The self-deletion rule additionally needs process creation
     (event ID 1), which the downloaded base configuration must also log. -->

<RuleGroup groupRelation="or">
  <FileCreate onmatch="include">
   <TargetFilename condition="contains">\ProgramData\</TargetFilename>
  </FileCreate>
</RuleGroup>
<RuleGroup groupRelation="or">
  <ImageLoad onmatch="include">
   <ImageLoaded condition="contains">\ProgramData\</ImageLoaded>
  </ImageLoad>
</RuleGroup>

3. Launch PowerShell with administrative privilege, and install Sysmon as follows:

> .\Sysmon64.exe -accepteula -i .\sysmonconfig.xml

4. Edit the Wazuh agent C:\Program Files (x86)\ossec-agent\ossec.conf file and include the following settings within the <ossec_config> block:

<!-- Configure Wazuh agent to receive events from Sysmon -->
<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

5. Restart the Wazuh agent for the changes to take effect:

> Restart-Service -Name wazuh

Wazuh server

Perform the following steps to configure detection rules on the Wazuh server.

1. Create the file /var/ossec/etc/rules/vidar_info_stealer.xml on the Wazuh server:

# touch /var/ossec/etc/rules/vidar_info_stealer.xml

2. Edit the file /var/ossec/etc/rules/vidar_info_stealer.xml and include the following detection rules for Vidar malware:

<group name="windows,sysmon,vidar_detection_rule,">
<!-- Vidar writes its support DLL files into C:\ProgramData (Sysmon event ID 11, base rule 61613) -->
  <rule id="100084" level="10">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\.+(exe|dll|bat|msi)</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)\\ProgramData\\(freebl3|mozglue|msvcp140|nss3|softokn3|vcruntime140)\.dll</field>
    <description>Possible Vidar malware detected. $(win.eventdata.targetFilename) was downloaded on $(win.system.computer)</description>
    <mitre>
      <id>T1105</id>
    </mitre>
  </rule>
<!-- Vidar loads the dropped DLL files from C:\ProgramData (Sysmon event ID 7, base rule 61609) -->
  <rule id="100085" level="12">
    <if_sid>61609</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\.+(exe|dll|bat|msi)</field>
    <field name="win.eventdata.imageLoaded" type="pcre2">(?i)\\programdata\\(freebl3|mozglue|msvcp140|nss3|softokn3|vcruntime140)\.dll</field>
    <description>Possible Vidar malware detected. Malicious $(win.eventdata.imageLoaded) file loaded by $(win.eventdata.image)</description>
    <mitre>
      <id>T1574.002</id>
    </mitre>
  </rule>
<!-- Vidar deletes itself and the files it created (Sysmon event ID 1, base rule 61603).
     Fires only after rule 100085 has matched at least 5 times in the previous 360 seconds.
     The command line is checked on the decoded field so both observed forms match:
       cmd.exe /c timeout /t N & del /f /q "<path>" & exit
       cmd.exe /c taskkill /im <exe> /f & timeout /t N & del /f /q "<path>" & del C:\ProgramData\*.dll & exit -->
  <rule id="100086" level="7" frequency="5" timeframe="360">
    <if_sid>61603</if_sid>
    <if_matched_sid>100085</if_matched_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\cmd\.exe$</field>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)cmd\.exe"? /c .*timeout /t \d+.*del /f /q ".+\.(exe|dll|bat|msi)</field>
    <description>Possible Vidar malware detected. $(win.eventdata.parentImage) spawned a self-deletion command: $(win.eventdata.commandLine)</description>
    <mitre>
      <id>T1070.004</id>
    </mitre>
  </rule>
</group>

Where:

  • Rule ID 100084 is triggered when Vidar writes one of the support DLLs into C:\ProgramData (Sysmon event ID 11).
  • Rule ID 100085 is triggered when a process loads one of those DLLs from C:\ProgramData (Sysmon event ID 7).
  • Rule ID 100086 is triggered when cmd.exe runs a timeout-then-del cleanup command (Sysmon event ID 1) and rule 100085 has already fired at least five times in the preceding 360 seconds. The frequency and timeframe attributes together with if_matched_sid tie the self-deletion to the DLL loads, so an unrelated script that deletes a file after a timeout does not raise this alert on its own.
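To check the rule logic before deploying it, the following added example (not Wazuh's code) re-implements the three rules' conditions in Python and feeds them a constructed sequence of Sysmon-style events with the fields Wazuh decodes from the eventchannel (eventID, image, targetFilename, imageLoaded, commandLine). The VidarCorrelator class approximates the frequency/timeframe behaviour of if_matched_sid; the event values, timestamps and paths are constructed for the example, not captured from a real infection.

```python
import re
from collections import deque

# Same patterns as the rules above, so they can be unit-tested before deployment
IMAGE_RE = re.compile(r"(?i)\\.+(exe|dll|bat|msi)")
VIDAR_DLL_RE = re.compile(
    r"(?i)\\ProgramData\\(freebl3|mozglue|msvcp140|nss3|softokn3|vcruntime140)\.dll")
SELF_DELETE_RE = re.compile(
    r'(?i)cmd\.exe"? /c .*timeout /t \d+.*del /f /q ".+\.(exe|dll|bat|msi)')

# Sysmon event IDs that the chained Wazuh base rules decode (61613, 61609, 61603)
FILE_CREATE, IMAGE_LOAD, PROCESS_CREATE = 11, 7, 1


def rule_100084(ev):
    """Support DLL written into C:\\ProgramData."""
    return (ev["eventID"] == FILE_CREATE
            and IMAGE_RE.search(ev.get("image", "")) is not None
            and VIDAR_DLL_RE.search(ev.get("targetFilename", "")) is not None)


def rule_100085(ev):
    """Support DLL loaded from C:\\ProgramData."""
    return (ev["eventID"] == IMAGE_LOAD
            and IMAGE_RE.search(ev.get("image", "")) is not None
            and VIDAR_DLL_RE.search(ev.get("imageLoaded", "")) is not None)


def self_delete_command(ev):
    """Static conditions of rule 100086: cmd.exe running a timeout-then-del sequence."""
    return (ev["eventID"] == PROCESS_CREATE
            and re.search(r"(?i)\\cmd\.exe$", ev.get("image", "")) is not None
            and SELF_DELETE_RE.search(ev.get("commandLine", "")) is not None)


class VidarCorrelator:
    """Approximates frequency="5" timeframe="360" with if_matched_sid 100085: the
    self-delete alert fires only if at least `frequency` DLL-load matches occurred in
    the `timeframe` seconds before the cmd.exe event."""

    def __init__(self, frequency=5, timeframe=360):
        self.frequency, self.timeframe = frequency, timeframe
        self.load_times = deque()

    def feed(self, ev):
        fired = []
        if rule_100084(ev):
            fired.append(100084)
        if rule_100085(ev):
            fired.append(100085)
            self.load_times.append(ev["ts"])
        if self_delete_command(ev):
            while self.load_times and ev["ts"] - self.load_times[0] > self.timeframe:
                self.load_times.popleft()
            if len(self.load_times) >= self.frequency:
                fired.append(100086)
        return fired


DLLS = ["freebl3", "mozglue", "msvcp140", "nss3", "softokn3", "vcruntime140"]
VIDAR = r"C:\Users\victim\Downloads\setup.exe"   # constructed path of the dropper
CMD = r"C:\Windows\System32\cmd.exe"


def build_sample_events():
    """Constructed Sysmon-style events in the order Vidar produces them (ts in seconds)."""
    events = [{"ts": i, "eventID": FILE_CREATE, "image": VIDAR,
               "targetFilename": "C:\\ProgramData\\" + n + ".dll"} for i, n in enumerate(DLLS)]
    events += [{"ts": 10 + i, "eventID": IMAGE_LOAD, "image": VIDAR,
                "imageLoaded": "C:\\ProgramData\\" + n + ".dll"} for i, n in enumerate(DLLS)]
    # Both self-delete forms: timeout-then-del, and taskkill-then-timeout-then-del
    events.append({"ts": 30, "eventID": PROCESS_CREATE, "image": CMD, "parentImage": VIDAR,
                   "commandLine": f'"{CMD}" /c timeout /t 5 & del /f /q "{VIDAR}" & exit'})
    events.append({"ts": 31, "eventID": PROCESS_CREATE, "image": CMD, "parentImage": VIDAR,
                   "commandLine": f'{CMD} /c taskkill /im setup.exe /f & timeout /t 6 & '
                                  f'del /f /q "{VIDAR}" & del C:\\ProgramData\\*.dll & exit'})
    # Same command shape much later with no DLL loads in the window: must not fire
    events.append({"ts": 2000, "eventID": PROCESS_CREATE, "image": CMD,
                   "commandLine": f'"{CMD}" /c timeout /t 5 & del /f /q "C:\\Temp\\installer.exe" & exit'})
    return events


def run(events=None):
    """Feed the events through the correlator; returns [(ts, [rule ids fired]), ...]."""
    corr = VidarCorrelator()
    return [(ev["ts"], corr.feed(ev)) for ev in (events or build_sample_events())]


if __name__ == "__main__":
    for ts, fired in run():
        print(ts, fired)
```

Running it shows the six FileCreate events raising 100084, the six ImageLoad events raising 100085, both self-delete variants raising 100086 because six loads fall inside the 360-second window, and the later cleanup command raising nothing. When you change the regexes in the XML, change them here too and rerun before restarting the manager.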

3. Restart the Wazuh manager for the changes to take effect:

# systemctl restart wazuh-manager

Testing the detection rules

The alerts below are generated on the Wazuh dashboard when we run Vidar on the Windows endpoint.

Figure 2: Malicious DLL files downloaded
Figure 3: Malicious DLL files loaded by Vidar, and Vidar's self-deletion command detected

Conclusion

In this blog post, we have successfully used Wazuh to detect the behavior of Vidar malware. Specifically, we used VirusTotal and Sysmon integration with Wazuh to detect Vidar malware on a Windows endpoint.

Wazuh is a free and open source enterprise-ready security solution for threat detection, incident response, and compliance. Wazuh integrates seamlessly with third-party solutions and technologies. Wazuh also has an ever-growing community where users are supported. To learn more about Wazuh, please check out our documentation and blog posts.
