The Vidar stealer has reappeared in a new campaign that takes advantage of the Mastodon social media network to obtain C2 configuration without raising alerts. New campaigns of Vidar Stealer's more recent versions suggest a new venue where Vidar receives dynamic configurations and drop zone information for downloading and uploading files. Vidar Stealer previously used the Thumbler and Faceit gaming platforms to access dynamic configuration from threat actors.
Vidar, first spotted in October 2018, is a descendant of the former Arkei Stealer, which, due to its simplicity, dynamic configuration methods, and continued development, appears to be one of the most popular stealers at the present. Vidar developers refined and centralized the execution vector, making each stealer independent and eliminating the need for extra executables.
All popular browser information such as passwords, cookies, history, and credit card details, cryptocurrency wallets, files according to regex strings provided by the TA, Telegram credentials for Windows versions, file transfer application information (WINSCP, FTP, FileZilla), and mailing application information are among the data that Vidar attempts to steal from infected machines.
Vidar's victimology is made up of private individuals, streamers, and social influencers from all over the world. Manufacturing enterprises and financial institutions are targeted in some situations, usually in spam campaigns.
Vidar's usage of Mastodon, a popular open-source social media network, to gain dynamic configuration and C2 connectivity is what makes this campaign unique. The threat actors create Mastodon accounts and then put the IP of the stealer's C2 to their profile's description section.
The goal is to secure communications from the compromised machine to the configuration source, and because Mastodon is a trusted platform, security tools shouldn't red flag it. At the same time, Mastodon is a relatively unmoderated space, making it unlikely that these malicious profiles will be discovered, reported, and removed. According to Cyberint researchers that uncovered this campaign, each C2 they saw included between 500 and 1,500 separate campaign IDs, indicating Vidar's widespread deployment.
In preparation for data exfiltration, Vidar Stealer stores all acquired data in a working directory with a random 25-character name, including credentials from a variety of chat, email, FTP, and web-browsing applications, as well as cryptocurrency wallets, a desktop screenshot, and details of the system configuration.
