The Vidar Trojan is a dangerous weapon used against computer users all over the world. It infects mainly through exploits of software and service vulnerabilities. Our article gives an overview of its behavior according to the collected samples and available reports; it may also be useful when attempting to remove the virus.
| | |
|---|---|
| Short description | The Vidar Trojan is a computer virus that is designed to silently infiltrate computer systems. |
| Symptoms | Victims may not experience any visible symptoms of infection. |
| Distribution method | Software vulnerabilities, freeware installations, bundled packages, scripts and others. |
Vidar Trojan – Distribution Methods
The Vidar Trojan is being distributed in a large-scale attack campaign targeting computer victims from all around the world. What is particularly dangerous about it is that it is distributed alongside some of the latest GandCrab ransomware releases.
Most of the infections are caused by exploits against two popular targets, Internet Explorer and Adobe Flash Player, by means of the Fallout Exploit Kit. The criminals can use both email phishing campaigns and redirects to entice the targets into interacting with the elements that lead to the infections.
Other possible distribution tactics can include any of the following:
- Malware Sites — The criminals can create malicious web sites that use domain names and security certificates similar to those of legitimate services, sites and companies, in an attempt to make the targets believe that they have accessed a real and safe site. Interaction with any of the elements contained within will lead to the Vidar Trojan installation.
- Infected Documents — The hackers can craft documents of all types containing malicious scripts and macros: presentations, spreadsheets, text documents and databases. They are made by embedding scripts which create a notification prompt when the files are opened. The prompt will request that the macros be run in order to “correctly view” the file. This will trigger the Vidar Trojan infection.
- File-Sharing Networks — The Trojan files and all associated payload carriers can be spread on networks like BitTorrent where both legitimate and pirated content is distributed.
- Malware Web Browser Plugins — These plugins, alternatively known as hijackers, are usually found on the respective repositories of the most popular web browsers. They are frequently installed thanks to promises of enhancements or new features and often use stolen or hacker-made developer credentials and user reviews. Most of them, when installed, will change the default settings in order to redirect the victims to a hacker-controlled landing page.
According to the available information the first infections with Vidar happened back in October 2018.
Vidar Trojan – Detailed Description
The Vidar Trojan is written in the C++ language and appears to be entirely made by the hacker or criminal collective behind its distribution. The fact that it is written in this language allows it to be ported to most popular platforms and operating systems without any difficulty. A code analysis shows that it is very closely related to another threat known as Arkei which includes a whole collection of dangerous modules.
One of the distinctive characteristics of the Vidar Trojan is that it includes a whitelist of allowed hosts based on regional settings and location checks. The malware analysis shows that this behavior is one of the first to be launched. When installed, the Trojan will check whether the machine is configured according to the allowed list; infections that detect a country or regional setting outside of the allowed zone will automatically stop. A set of the captured samples were found to target the following areas: Russia, Belarus, Uzbekistan, Kazakhstan, Azerbaijan.
Following the installation, a unique machine ID is generated for each infected host. It is made by using an algorithm that retrieves the hardware profile of the host along with the unique identifier (UUID) assigned to the computer during the Microsoft Windows operating system installation. The acquired information has been confirmed to include the following strings: display language, keyboard languages, local time, time zone, CPU count, RAM size, video card details and network interface.
The main Vidar Trojan code is launched afterwards and keeps its information in memory, which makes the infections significantly harder to detect and analyze.
Following its deployment on the target machines, a connection to the hacker-controlled servers is established. This allows the criminals to carry out complex information-stealing activities. The following options are available:
- Choice of Data Type — Cookies, AutoFill, saved passwords, browser data, individual file type extensions
- Choice of Source — FTP software credentials (FileZilla and WinSCP), web browsers, Steam, Skype, Telegram, specific folders and system locations
- Additional Information — Screenshots, grabbers, current date and time
- Collection Options — Max file size selection, identification and acquisition of cryptocurrency miners, specific data search
We have found that the malware creates its own folders for organization purposes; the following ones have been identified:
Master folder, auto-fill files, credit cards, cookies, download history from web browsers, profile configuration files, browser history, two-factor authentication software, Telegram messages, wallets, screenshots, passwords and computer setup information
Several components belonging to legitimate software are used during the infection: the Freebl library of NSS (part of the Mozilla browser), the Mozilla browser library and the Visual C++ 2015 Runtime. They are part of the virus package and are deleted afterwards.
The in-depth analysis of the threat shows that most of the popular software downloaded and used by end users is affected:
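The libraries just described are legitimate files, so their presence alone is not an indicator; what stands out is a process loading them from a location where no Mozilla product or Windows runtime is installed. The following is an added detection example, not code from the article or from any analysis of Vidar: it takes simplified image-load records (shaped loosely like Sysmon Event ID 7, an assumption) and flags processes that load the NSS/Freebl libraries from an untrusted directory, raising the severity when the VC++ 2015 runtime is side-loaded from the same kind of location. The DLL file names are the well-known names of those libraries; the trusted directories, the process paths and the sample events are constructed.

```python
"""Added detection example (not from the article). Flags processes that load
the NSS/Freebl libraries or the VC++ 2015 runtime from outside the
directories where they legitimately live. Event format, trusted paths and
sample events are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass
import ntpath

# Well-known file names of the libraries the article says the package carries.
NSS_LIBS = {"freebl3.dll", "nss3.dll", "mozglue.dll", "softokn3.dll"}
VCRT_LIBS = {"msvcp140.dll", "vcruntime140.dll"}

# Assumption: default install locations. Extend for Tor Browser, portable
# Firefox builds or other NSS consumers present in your environment.
TRUSTED_DIRS = (
    r"c:\program files\mozilla firefox",
    r"c:\program files (x86)\mozilla firefox",
    r"c:\program files\mozilla thunderbird",
    r"c:\program files (x86)\mozilla thunderbird",
    r"c:\windows\system32",
    r"c:\windows\syswow64",
)


@dataclass(frozen=True)
class ImageLoad:
    process: str  # full path of the process that loaded the DLL
    image: str    # full path of the loaded DLL


def in_trusted_dir(directory):
    """True if `directory` (lower-case) is, or sits under, a trusted directory."""
    return any(directory == t or directory.startswith(t + "\\") for t in TRUSTED_DIRS)


def analyze(events):
    """Group untrusted loads per process. Alert when NSS/Freebl is loaded from
    an untrusted path; raise to 'high' when the VC++ runtime is side-loaded
    from an untrusted path by the same process (the bundled-runtime pattern)."""
    loads = defaultdict(lambda: {"nss": set(), "vcrt": set()})
    for ev in events:
        directory, name = ntpath.split(ev.image.lower())
        if in_trusted_dir(directory):
            continue
        if name in NSS_LIBS:
            loads[ev.process]["nss"].add(ev.image)
        elif name in VCRT_LIBS:
            loads[ev.process]["vcrt"].add(ev.image)
    findings = {}
    for proc, libs in loads.items():
        if not libs["nss"]:
            continue  # a stray VC++ runtime on its own is far too common to alert on
        findings[proc] = {
            "severity": "high" if libs["vcrt"] else "medium",
            "nss": sorted(libs["nss"]),
            "vcrt": sorted(libs["vcrt"]),
        }
    return findings


# Constructed sample events: one benign Firefox, one benign service, one
# suspect binary staging everything in ProgramData, one NSS-only oddity.
FIREFOX_EXE = r"C:\Program Files\Mozilla Firefox\firefox.exe"
SUSPECT_EXE = r"C:\Users\alice\AppData\Local\Temp\4f3a.exe"
TOOL_EXE = r"C:\Users\bob\Downloads\tool\tool.exe"
SAMPLE_EVENTS = [
    ImageLoad(FIREFOX_EXE, r"C:\Program Files\Mozilla Firefox\nss3.dll"),
    ImageLoad(FIREFOX_EXE, r"C:\Program Files\Mozilla Firefox\freebl3.dll"),
    ImageLoad(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\vcruntime140.dll"),
    ImageLoad(SUSPECT_EXE, r"C:\ProgramData\freebl3.dll"),
    ImageLoad(SUSPECT_EXE, r"C:\ProgramData\nss3.dll"),
    ImageLoad(SUSPECT_EXE, r"C:\ProgramData\mozglue.dll"),
    ImageLoad(SUSPECT_EXE, r"C:\ProgramData\msvcp140.dll"),
    ImageLoad(SUSPECT_EXE, r"C:\ProgramData\vcruntime140.dll"),
    ImageLoad(TOOL_EXE, r"C:\Users\bob\Downloads\tool\nss3.dll"),
]

if __name__ == "__main__":
    for proc, finding in analyze(SAMPLE_EVENTS).items():
        print(f"[{finding['severity']}] {proc}")
        for path in finding["nss"] + finding["vcrt"]:
            print(f"    loaded {path}")
```

Expect false positives from software that legitimately ships NSS in user-writable locations (Tor Browser, portable Firefox, some VPN clients); tune `TRUSTED_DIRS` per environment or pair the rule with a check of the loaded file's Authenticode signer before paging anyone.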
- Web Browsers — 360 Browser, Amigo, BlackHawk, Cent Browsers, Chedot Browser, Chrom, CocCoc, Comodo Dragon, Cyberfox, Elements Browser, Epica Privacy, Google Chrome, IceCat, Internet Explorer, K-Meleon, Kometa, Maxthon5, Microsoft Edge, Mozilla Firefox, Mustang Browser, Nichrome, Opera, Orbitum, Pale Moon, QIP Surf, QQ Browser, Sputnik, Suhba Browser, Tor Browser, Torch, URAN, Vivaldi and Waterfox.
- Messengers and Email Clients — Bat!, Pidgin, Telegram and Thunderbird
- Cryptocurrency Wallets — Anoncoin, BBQCoin, Bitcoin, DashCore, DevCoin, DigitalCoin, Electron Cash, ElectrumLTC, Ethereum, Exodus, FlorinCoin, FrancoCoin, JAXX, Litecoin, MultiDoge, TerraCoin, YACoin and ZCash.
The information-grabber code is able to hook into existing processes, trigger unexpected conditions and read the Windows Registry and data found in application data folders. The accessed locations are the following:
%ALL_DRIVES%, %APP DATA%, %C%, %D%, %DESKTOP%, %DOCUMENTS%, %DRIVE_FIXED%, %DRIVE_REMOVABLE%, %LOCALAPPDATA%, %USERPROFILE%
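Placeholders of this kind only become useful to an investigator once they are resolved against the profile of the affected host, so that the resulting paths can be compared with a file-system timeline. The following added example (not code from the article) does exactly that: it expands the placeholders listed above into concrete paths for a constructed host, then picks out timeline rows that fall inside a resolved directory or match a resolved glob. The mapping of the placeholders to folders (default Windows profile layout, no folder redirection), the `HostProfile` layout, the sample target specifications and the timeline rows are all assumptions constructed for the example.

```python
"""Added forensic example (not from the article): resolve stealer
target-location placeholders against a host profile and match timeline
entries against the result. Folder mapping, host layout, target specs and
timeline rows are constructed for this example."""
from dataclasses import dataclass
import fnmatch
import re


@dataclass(frozen=True)
class HostProfile:
    user_profile: str        # e.g. C:\Users\alice (constructed)
    fixed_drives: tuple      # e.g. ("C:", "D:")
    removable_drives: tuple  # e.g. ("E:",)


_TOKEN = re.compile(r"%([A-Za-z_ ]+)%")


def expand(spec, host):
    """Expand one target spec into concrete paths (several for drive tokens)."""
    m = _TOKEN.match(spec)
    if not m:
        return [spec]  # already a concrete path
    token = m.group(1).replace(" ", "").upper()  # "%APP DATA%" -> APPDATA
    rest = spec[m.end():]
    # Assumption: default Windows profile layout, no folder redirection.
    single = {
        "USERPROFILE": host.user_profile,
        "APPDATA": host.user_profile + r"\AppData\Roaming",
        "LOCALAPPDATA": host.user_profile + r"\AppData\Local",
        "DESKTOP": host.user_profile + r"\Desktop",
        "DOCUMENTS": host.user_profile + r"\Documents",
        "C": "C:",
        "D": "D:",
    }
    multi = {
        "ALL_DRIVES": host.fixed_drives + host.removable_drives,
        "DRIVE_FIXED": host.fixed_drives,
        "DRIVE_REMOVABLE": host.removable_drives,
    }
    if token in single:
        return [single[token] + rest]
    if token in multi:
        return [d + rest for d in multi[token]]
    raise ValueError(f"unknown placeholder %{token}%")


def path_hits(target, path):
    """True if `path` lies inside `target` (a directory) or matches it (a glob)."""
    t, p = target.lower(), path.lower()
    if any(ch in t for ch in "*?"):
        return fnmatch.fnmatchcase(p, t)  # '*' also spans subdirectories
    return p == t or p.startswith(t + "\\")


def match_timeline(specs, host, events):
    """Return (event, target) pairs for timeline rows that touch a resolved target."""
    targets = [t for s in specs for t in expand(s, host)]
    hits = []
    for ev in events:
        for t in targets:
            if path_hits(t, ev["path"]):
                hits.append((ev, t))
                break
    return hits


# Constructed sample data.
HOST = HostProfile(r"C:\Users\alice", ("C:", "D:"), ("E:",))
SPECS = [
    r"%APPDATA%\Telegram Desktop\tdata",
    r"%LOCALAPPDATA%\Google\Chrome\User Data",
    r"%DRIVE_REMOVABLE%\*.txt",
    r"%DESKTOP%\*.docx",
]
TIMELINE = [
    {"ts": "2018-10-14T10:02:11", "proc": "4f3a.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Telegram Desktop\tdata\map0"},
    {"ts": "2018-10-14T10:02:12", "proc": "4f3a.exe", "path": r"E:\notes.txt"},
    {"ts": "2018-10-14T10:02:13", "proc": "4f3a.exe",
     "path": r"C:\Users\alice\Desktop\budget.docx"},
    {"ts": "2018-10-14T10:02:14", "proc": "explorer.exe",
     "path": r"C:\Users\alice\Documents\report.docx"},
]

if __name__ == "__main__":
    for ev, target in match_timeline(SPECS, HOST, TIMELINE):
        print(f"{ev['ts']} {ev['proc']} {ev['path']}  <- {target}")
```

Because `fnmatch`'s `*` also matches path separators, a glob such as `%DESKTOP%\*.docx` behaves as a recursive search, which is what one wants when reviewing what a stealer could have reached; narrow `path_hits` if the configuration being analysed is known to be non-recursive.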
A payload carrier module is also available, which can assign a random file name to a threat that is to be downloaded from a remote host and executed. When it has finished running, the main Vidar Trojan engine may choose either to halt its process or to delete itself from the system altogether.
When the infection has finished running, the hacker-controlled server will be contacted once again to report on the changes made. The information gathering component and all other modules can transmit the following data: hardware ID, OS name and version, bit type, profile ID, name of the victim account, number of acquired payment card details, number of stolen wallets, number of files stored, Telegram data and the current version of the Vidar Trojan.
It appears that the Vidar Trojan allows the criminal controllers to set up a command and control server. It allows them to interact with the compromised hosts in real time and carry out all possible malicious actions. When logged in to the panel, the hackers have the ability to build new releases, set up the appropriate configuration and view the current conditions. The panel displays the current number of victims and the “account balance”. This means that the operators may have leased access via the hacker underground markets. This deployment method is taken from the RaaS scheme used by ransomware viruses. Potential hackers pay the developers a certain fee to access the Vidar Trojan panel for a set period of time, weekly or monthly depending on the offering. This subscription-based access also guarantees that the attackers will always have access to the latest version of the Trojan code.
Every single host will feature log file details and the ability to store notes on them. All extracted passwords are also placed in a separate tab which makes it very convenient to access the acquired credentials.
As it appears, the Vidar Trojan is an extremely potent and capable malware which should be removed as soon as active infections have been identified. This can be very difficult because the engine can penetrate the defenses of the operating system. It is recommended that such infections be removed by professional-grade anti-spyware solutions which guarantee a full system clean-up.
Remove Vidar Trojan
If your computer system got infected with the Vidar Trojan, you should have a bit of experience in removing malware. You should get rid of this Trojan as quickly as possible, before it gets the chance to spread further and infect other computers. You should remove the Trojan and follow the step-by-step instruction guide provided below.
Note! Your computer system may be affected by Vidar Trojan and other threats.
Scan your PC with SpyHunter
SpyHunter is a powerful malware removal tool designed to help users with in-depth system security analysis, detection and removal of Vidar Trojan.
Keep in mind that SpyHunter's scanner is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware removal tool to remove the malware threats. Read our SpyHunter 5 review. Click on the corresponding links to check SpyHunter's EULA, Privacy Policy and Threat Assessment Criteria.