Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Vidar. Show all posts
Vidar
cyber attack Cyber Security Data Theft Vidar

New Vidar Variant Uses API Hooking to Steal Data Before Encryption

 

A recent investigation by Aryaka Threat Research Labs has revealed a new version of the Vidar infostealer that demonstrates how cybercriminals are refining existing malware to make it more discreet and effective. Vidar, which has circulated for years through malware-as-a-service platforms, is known for its modular structure that allows operators to customize attacks easily. 

The latest strain introduces a significant upgrade: the ability to intercept sensitive information directly through API hooking. 

This method lets the malware capture credentials, authentication tokens, and encryption keys from Windows systems at the precise moment they are accessed by legitimate applications, before they are encrypted or secured. 

By hooking into cryptographic functions such as CryptProtectMemory, Vidar injects its own code into running processes to momentarily divert execution and extract unprotected data before resuming normal operations. 

This process enables it to gather plaintext credentials silently from memory, avoiding noisy file activity that would typically trigger detection. Once harvested, the stolen data which includes browser passwords, cookies, payment information, cryptocurrency wallets, and two-factor tokens is compressed and sent through encrypted network channels that mimic legitimate internet traffic. 

The malware also maintains persistence by using scheduled tasks, PowerShell loaders, and randomized installation paths, while employing in-memory execution to reduce forensic traces. 

These refinements make it harder for traditional antivirus or behavioral tools to identify its presence. The evolution of Vidar highlights the need for defenders to rethink detection strategies that depend solely on file signatures or activity volume. 

Security teams are encouraged to implement Zero Trust principles, monitor API calls for evidence of hooking, and apply runtime integrity checks to detect tampering within active processes. Using endpoint detection and response tools that analyze process behavior and adopting memory-safe programming practices can further strengthen protection. 

Experts warn that Vidar’s development may continue toward more advanced capabilities, including kernel-level hooking, fileless operations, and AI-based targeting that prioritizes valuable data depending on the victim’s environment. 

The findings reflect a broader shift in cybercrime tactics, where minor technical improvements have a major impact on stealth and efficiency. Defending against such threats requires a multi-layered security approach that focuses on process integrity, vigilant monitoring, and consistent patch management.
Read more »
Vidar
data security Hackers Illegal Sites malware Private Loader Ransomware RedLine Smokeloader spying Spyware Vidar

Pay to Play PrivateLoader Disseminates Smokeloader, Redline &Vidar malware

 

An investigation at a pay-per-install loader has revealed its role in the distribution of famous malware variants including Smokeloader and Vidar. 

Intel 471 issued a report on PrivateLoader on Tuesday, analyzing cyberattacks that have used the loader since May 2021. The pay-per-install (PPI) malware service has been around for a time, but it's unclear who is responsible for its creation. Additional payloads are deployed on a target machine using loaders. 

PrivateLoader is a variation that is supplied to criminal customers on an installation basis, with payment based on the number of victims captured. PrivateLoader is managed by a collection of command-and-control (C2) servers and an AdminLTE 3-based administrator panel. 

Adding new users, configuring the loader to install a payload, picking target regions and nations, setting up payload download links, encryption, and selecting browser extensions for infecting target devices are all available through the front-end panel. 

The loader is mainly distributed through websites that sell pirated software. Cracked copies of popular software, which are occasionally included with key generators, are illegal versions of software that have been modified to avoid licencing or payment. On websites, download buttons for cracked software are included with JavaScript, which releases the payload in a.ZIP archive. 

The package contained a malicious executable, according to the cybersecurity firm's findings. A false GCleaner load reseller, PrivateLoader, and Redline are among the malware that is triggered by .exe file. 

Since at least May 2021, the PrivateLoader module has been used to run Smokeloader, Redline, and Vidar. Smokeloader is the most well-known of these malware families. Smokeloader is a distinct loader that can also be utilized for data theft and reconnaissance; Redline specializes in credential theft, whereas Vidar is spyware that can steal data from a variety of data types, including passwords, documents, and digital wallet details. 

A distribution link for Smokeloader also signals a possible connection to the Qbot banking Trojan. The Kronos banking Trojan and the Dridex botnet have both been disseminated using PrivateLoader bots. 

Although PrivateLoader isn't particularly linked to the distribution of ransomware, a loader associated with it, known as Discoloader, has been used in assaults aimed at spreading the malware. 

The researchers stated, "PPI services have been a pillar of cybercrime for decades. Just like the wider population, criminals are going to flock to software that provides them with a wide array of options to easily achieve their goals. By highlighting the versatility of this malware, we hope to give defenders the chance to develop unique strategies in thwarting malware attacks empowered by PrivateLoader."
Read more »
Subscribe to: Comments (Atom)