The Vidar Trojan is a dangerous weapon deployed against computer users worldwide. It infects mainly through software and service exploits for security vulnerabilities. Our article gives an overview of its behavior according to the collected samples and available reports, and it can also be helpful when attempting to remove the virus.
| Short Description | The Vidar Trojan is a computer virus that is designed to silently infiltrate computer systems. |
| Symptoms | Victims may not experience any obvious symptoms of infection. |
| Distribution Method | Software vulnerabilities, freeware installations, bundled packages, scripts and others. |
Vidar Trojan – Distribution Methods
The Vidar Trojan is being distributed in a large-scale attack campaign targeting computer victims from all around the world. What is particularly dangerous about it is that it is distributed alongside some of the latest GandCrab ransomware releases.
Most of the infections are caused by exploits against two popular targets, Internet Explorer and Adobe Flash Player, by means of the Fallout Exploit Kit. The criminals can use both email phishing campaigns and redirects to entice the targets into interacting with the elements that lead to the infections.
Other possible distribution tactics can include any of the following:
- Malware Sites: The criminals can create malicious web sites that use domain names and security certificates similar to those of legitimate services, sites and companies in an attempt to make the targets believe that they have accessed a real and safe site. Interaction with any of the elements contained within will lead to the Vidar Trojan installation.
- Infected Documents: The hackers can add malicious scripts and macros to documents of all types: presentations, spreadsheets, text documents and databases. They are made by embedding scripts which create a notification prompt when the files are opened. Its contents request that the macros be run in order to “correctly view” the file. This triggers the Vidar Trojan infection.
- File Sharing Networks: The Trojan files and all associated payload carriers can be spread on networks like BitTorrent where both legitimate and pirated content is distributed.
- Malware Web Browser Plugins: These plugins, alternatively known as hijackers, are usually found on the respective repositories of the most popular web browsers. They are commonly installed due to promises of greater enhancements or the addition of new features, and often use stolen or hacker-made developer credentials and user reviews. Most of them, when installed, will change the default settings in order to redirect the victims to a hacker-controlled landing page.
According to the available information, the first infections with Vidar happened back in October 2018.
Vidar Trojan – Detailed Description
The Vidar Trojan is written in C++ and appears to be entirely made by the hacker or criminal collective behind its distribution. The fact that it is written in this language allows it to be ported to most popular platforms and operating systems without difficulty. A code analysis shows that it is very closely related to another threat known as Arkei, which includes a whole collection of dangerous modules.
One of the distinct characteristics of the Vidar Trojan is that it includes a whitelist of allowed hosts which is based on the regional settings and location checks. The malware analysis shows that this behavior is one of the first to be launched. When installed, the Trojan checks whether the machine is configured according to the allowed list; infections that detect a country or regional setting outside of the allowed zone will automatically stop. A set of the captured samples was found to target the following areas: Russia, Belarus, Uzbekistan, Kazakhstan, Azerbaijan.
Following the installation, a unique machine ID is generated for each infected host. It is made by using an algorithm that retrieves the hardware profile of the host along with the unique identification ID (UUID) given to the computer during the Microsoft Windows operating system installation. The acquired information has been confirmed to include the following strings: display language, keyboard languages, local time, time zone, CPU count, RAM memory size, video card details and network interface.
The main Vidar Trojan code is launched afterwards; it stores its information in memory, which makes the resulting infections significantly harder to detect and analyze.
Following its deployment on the target machines, a connection to the hacker-controlled servers will be established. This allows the criminals to carry out complex information stealing activities. The following options are available:
- Choice of Data Type: Cookies, AutoFill, saved passwords, browser data, individual file type extensions
- Choice of Source: FTP software credentials (FileZilla and WinSCP), web browsers, Steam, Skype, Telegram, specific folders and system locations
- Additional Information: Screenshots, grabbers, current date and time
- Collection Options: Max file size selection, identification and acquisition of cryptocurrency miners, specific data search
We have found that the malware creates its own folders for organization purposes; the following ones have been identified:
Master folder, auto-fill files, credit cards, cookies, download history from web browsers, profile configuration files, browser history, two-factor authentication software, Telegram messages, wallets, screenshots, passwords and computer setup information
Several different components used by legitimate processes are used during the infection: the Freebl library for NSS (part of the Mozilla browser), the Mozilla browser library and the Visual C++ Runtime 2015. They are part of the virus package and are deleted afterwards.
The in-depth analysis of the threat shows that most of the popular software that is downloaded and used by end users is affected:
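The drop-then-delete pattern described above (legitimate support libraries written to disk only for the duration of the theft) is something endpoint telemetry can catch. The following is an added example, not code from the article or from any Vidar sample: it assumes a Sysmon-like event shape (timestamp, event kind, pid, path) and assumes typical file names for the libraries the article names; both are assumptions to adjust to your own telemetry.

```python
"""Flag processes that drop NSS/Freebl, Mozilla glue and VC++ 2015 runtime DLLs
into a user-writable location and delete them again shortly afterwards.
Event shape and DLL file names are assumptions, not taken from the article."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed file names for the libraries the article names (NSS Freebl, Mozilla
# glue/NSS libraries, Visual C++ 2015 runtime). Adjust to what you observe.
SUPPORT_DLLS = {"freebl3.dll", "mozglue.dll", "nss3.dll", "softokn3.dll",
                "msvcp140.dll", "vcruntime140.dll"}
# Directories where these DLLs legitimately live; writes there are ignored.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\",
                    "c:\\program files (x86)\\")

# Constructed sample telemetry: (ISO timestamp, event kind, pid, file path).
SAMPLE_EVENTS = [
    ("2019-01-10T10:00:01", "FileCreate", 4120, r"C:\ProgramData\freebl3.dll"),
    ("2019-01-10T10:00:01", "FileCreate", 4120, r"C:\ProgramData\mozglue.dll"),
    ("2019-01-10T10:00:02", "FileCreate", 4120, r"C:\ProgramData\vcruntime140.dll"),
    ("2019-01-10T10:00:02", "FileCreate", 4120, r"C:\ProgramData\msvcp140.dll"),
    ("2019-01-10T10:00:40", "FileDelete", 4120, r"C:\ProgramData\freebl3.dll"),
    ("2019-01-10T10:00:40", "FileDelete", 4120, r"C:\ProgramData\mozglue.dll"),
    ("2019-01-10T10:00:41", "FileDelete", 4120, r"C:\ProgramData\vcruntime140.dll"),
    ("2019-01-10T10:00:41", "FileDelete", 4120, r"C:\ProgramData\msvcp140.dll"),
    # Benign: an installer placing the VC++ runtime under Program Files and keeping it.
    ("2019-01-10T11:00:00", "FileCreate", 900, r"C:\Program Files\App\vcruntime140.dll"),
    ("2019-01-10T11:00:00", "FileCreate", 900, r"C:\Program Files\App\msvcp140.dll"),
]

def find_drop_and_delete(events, window=timedelta(minutes=5), min_dlls=2):
    """Return {pid: sorted DLL names} for processes that created at least
    `min_dlls` support DLLs outside trusted directories and deleted each of
    them again within `window` of its creation."""
    created = defaultdict(dict)   # pid -> {lower-cased path: creation time}
    hits = defaultdict(set)       # pid -> support DLLs created and then deleted
    for ts, kind, pid, path in sorted(events, key=lambda e: e[0]):
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        if name not in SUPPORT_DLLS or low.startswith(TRUSTED_PREFIXES):
            continue
        t = datetime.fromisoformat(ts)
        if kind == "FileCreate":
            created[pid][low] = t
        elif kind == "FileDelete" and low in created[pid]:
            if t - created[pid][low] <= window:
                hits[pid].add(name)
    return {pid: sorted(names) for pid, names in hits.items() if len(names) >= min_dlls}
```

Tune `window` and `min_dlls` against your own baseline; a short window keeps legitimate installers that leave the runtime in place out of the results.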
- Web Browsers: 360 Browser, Amigo, BlackHawk, Cent Browser, Chedot Browser, Chromium, CocCoc, Comodo Dragon, Cyberfox, Elements Browser, Epic Privacy Browser, Google Chrome, IceCat, Internet Explorer, K-Meleon, Kometa, Maxthon5, Microsoft Edge, Mozilla Firefox, Mustang Browser, Nichrome, Opera, Orbitum, Pale Moon, QIP Surf, QQ Browser, Sputnik, Suhba Browser, Tor Browser, Torch, URAN, Vivaldi and Waterfox.
- Messengers and Email Clients: The Bat!, Pidgin, Telegram and Thunderbird
- Cryptocurrency Wallets: Anoncoin, BBQCoin, Bitcoin, DashCore, DevCoin, DigitalCoin, Electron Cash, ElectrumLTC, Ethereum, Exodus, FlorinCoin, FrancoCoin, JAXX, Litecoin, MultiDoge, TerraCoin, YACoin and ZCash.
The information grabber code is able to hook into existing processes, cause unexpected conditions, and read the Windows Registry and data found in application data folders. The accessed locations are the following:
%ALL_DRIVES%, %APPDATA%, %C%, %D%, %DESKTOP%, %DOCUMENTS%, %DRIVE_FIXED%, %DRIVE_REMOVABLE%, %LOCALAPPDATA%, %USERPROFILE%
A payload carrier module is also available, which can assign a random file name to a threat that is to be downloaded from a remote host and executed. When it has completed running, the main Vidar Trojan engine may choose to either halt its process or delete it altogether from the system.
When the infections have completed running, the hacker-controlled server will be contacted once again to report the changes made. The information gathering component and all other modules can transmit the following data: hardware ID, OS name and version, bit type, profile ID, name of the victim account, number of acquired payment card details, number of stolen wallets, number of files stored, Telegram data and the current version of the Vidar Trojan.
It appears that the Vidar Trojan allows the criminal controllers to set up a command and control server. It allows them to interact with the compromised hosts in real time and carry out all possible malicious actions. When logged in to the panel, the hackers have the ability to build new releases, set up the appropriate configuration and view the current conditions. The panel displays the current number of victims and the “account balance”. This means that the operators may have leased access via the hacker underground markets. This deployment method is taken from the RaaS scheme used by ransomware viruses. Potential hackers pay the developers a certain fee to access the Vidar Trojan panel for a set period of time, weekly or monthly, depending on the offering. This subscription-based access also guarantees that the attackers will always have access to the latest version of the Trojan code.
Every single host will feature log file details and the ability to store notes on them. All extracted passwords are also placed in a separate tab which makes it very convenient to access the acquired credentials.
As it appears, the Vidar Trojan is an extremely potent and capable malware which should be removed once active infections have been identified. This can be very difficult because the engine can penetrate the defenses of the operating system. It is recommended that such infections are removed by professional-grade anti-spyware solutions which guarantee a full system clean-up.
Remove Vidar Trojan
If your computer system has been infected with the Vidar Trojan, you should have some experience in removing malware. You should get rid of this Trojan as quickly as possible, before it has the chance to spread further and infect other computers. You should remove the Trojan and follow the step-by-step instructions given below.
Note! Your computer system may be affected by Vidar Trojan and other threats.