The Vidar Trojan is a dangerous weapon used against computer users worldwide. It infects mainly via software and service vulnerability exploits. Our article gives an overview of its behavior according to the collected samples and available reports, and it may also be helpful when attempting to remove the virus.
|Short Description|The Vidar Trojan is a computer virus that is designed to silently infiltrate computer systems.|
|Symptoms|The victims may not experience any apparent symptoms of infection.|
|Distribution Method|Software Vulnerabilities, Freeware Installations, Bundled Packages, Scripts and others.|
Vidar Trojan – Distribution Methods
The Vidar Trojan is being distributed in a large-scale attack campaign targeting computer victims from all around the world. What is particularly dangerous about it is that it is distributed alongside some of the latest GandCrab ransomware releases.
Most of the infections are caused by exploits against two popular targets, Internet Explorer and Adobe Flash Player, delivered by means of the Fallout Exploit Kit. The criminals can use both email phishing campaigns and redirects to entice the targets into interacting with the elements that lead to the infections.
Other possible distribution tactics can include any of the following:
- Malware Sites — The criminals can create malicious web sites that use similar-sounding domain names and security certificates to those of legitimate services, sites and companies in an attempt to trick the targets into believing that they have accessed a real and safe site. Interaction with any of the elements contained within will lead to the Vidar Trojan installation.
- Infected Documents — The hackers can embed malicious scripts and macros in documents of all types: presentations, spreadsheets, text documents and databases. The embedded scripts create a notification prompt when the files are opened, requesting that the macros be run in order to “correctly view” the file. Enabling them will trigger the Vidar Trojan infection.
- File Sharing Networks — The Trojan files and all associated payload carriers can be spread on networks like BitTorrent where both legitimate and pirate content is distributed.
- Malware Web Browser Plugins — These plugins, alternatively known as hijackers, are usually found on the respective repositories of the most popular web browsers. They are popularly installed due to promises of greater enhancements or the addition of new features, and they often use stolen or hacker-made developer credentials and user reviews. Most of them, when installed, will change the default settings in order to redirect the victims to a hacker-controlled landing page.
According to the available information the first infections with Vidar happened back in October 2018.
Vidar Trojan – Detailed Description
The Vidar Trojan is written in the C++ language and appears to be entirely made by the hacker or criminal collective behind its distribution. The fact that it is written in this language allows it to be ported to most popular platforms and operating systems without any difficulty. A code analysis shows that it is very closely related to another threat known as Arkei which includes a whole collection of dangerous modules.
One of the distinct characteristics of the Vidar Trojan is that it includes a whitelist of allowed hosts which is based on the regional settings and location checks. The malware analysis shows that this check is one of the first routines to be launched. When installed, the Trojan will check whether the machine is configured according to the allowed list; infections that detect a country or regional setting outside of the allowed zone will automatically stop. A set of the captured samples were found to target the following areas: Russia, Belarus, Uzbekistan, Kazakhstan, Azerbaijan.
Following the installation, a unique machine ID is generated for each infected host. It is made by using an algorithm that retrieves the hardware profile of the host along with the unique identifier (UUID) given to the computer during the Microsoft Windows operating system installation. The acquired information has been confirmed to include the following strings: display language, keyboard languages, local time, time zone, CPU count, RAM memory size, video card details and network interface.
The main Vidar Trojan code is launched afterwards. It stores its information in memory, which makes the resulting infections significantly harder to detect and analyze.
Following its deployment on the target machines, a connection to the hacker-controlled servers will be established. This allows the criminals to carry out complex information-stealing activities. The following options are available:
- Choice of Data Type — Cookies, AutoFill, Stored Passwords, Browser Data, Individual File Type Extensions
- Choice of Source — FTP software credentials (FileZilla and WinSCP), Web Browsers, Steam, Skype, Telegram, Specific Folders and System Locations
- Additional Information — Screenshots, Grabbers, Current Date and Time
- Collection Options — Max File Size Selection, Identification and Acquisition of cryptocurrency miners, specific data search
We have found that the malware creates its own folders for organization purposes; the following ones have been identified:
Master folder, Auto-fill files, Credit cards, cookies, downloaded history from web browsers, profile configuration files, browser history, two-factor authentication software, Telegram messages, wallets, screenshots, passwords and computer setup information
Several different components used by legitimate processes are used during the infection: the Freebl library for NSS (part of the Mozilla browser), the Mozilla browser library and the Visual C++ Runtime 2015. They are part of the virus package and are deleted afterwards.
The in-depth analysis of the threat shows that most of the popular software that is downloaded and used by end users is affected:
- Web Browsers — 360 Browser, Amigo, BlackHawk, Cent Browser, Chedot Browser, Chromium, CocCoc, Comodo Dragon, Cyberfox, Elements Browser, Epica Privacy, Google Chrome, IceCat, Internet Explorer, K-Meleon, Kometa, Maxthon5, Microsoft Edge, Mozilla Firefox, Mustang Browser, Nichrome, Opera, Orbitum, Pale Moon, QIP Surf, QQ Browser, Sputnik, Suhba Browser, Tor Browser, Torch, URAN, Vivaldi and Waterfox.
- Messengers and Email Clients — Bat!, Pidgin, Telegram and Thunderbird
- Cryptocurrency Wallets — Anoncoin, BBQCoin, Bitcoin, DashCore, DevCoin, DigitalCoin, Electron Cash, ElectrumLTC, Ethereum, Exodus, FlorinCoin, FrancoCoin, JAXX, Litecoin, MultiDoge, TerraCoin, YACoin and ZCash.
The information grabber code is able to hook into existing processes, cause unexpected conditions and read the Windows Registry and data found in the application data folders. A list of the accessed locations is the following:
%ALL_DRIVES%, %APPDATA%, %C%, %D%, %DESKTOP%, %DOCUMENTS%, %DRIVE_FIXED%, %DRIVE_REMOVABLE%, %LOCALAPPDATA%, %USERPROFILE%
A payload carrier module is also available which can assign a random file name to a threat that is to be downloaded from a remote host and executed. When it has completed running, the main Vidar Trojan engine may choose to either halt its process or delete it altogether from the system.
When the infections have completed running, the hacker-controlled server will be contacted once again to report on the changes made. The information gathering component and all other modules can transmit the following data: hardware ID, OS name and version, bit type, profile ID, name of the victim account, number of acquired payment card details, number of stolen wallets, number of files stored, Telegram data and the current version of the Vidar Trojan.
It appears that the Vidar Trojan allows the criminal controllers to set up a command and control server. It allows them to interact with the compromised hosts in real time and carry out all possible malicious actions. When logged in to the panel the hackers have the ability to build new releases, set up the appropriate configuration and view the current conditions. The panel displays the current number of victims and the “account balance”. This means that the operators may have leased access via the hacker underground markets. This deployment method is taken from the RaaS scheme used by ransomware viruses. Potential hackers pay the developers a certain fee to access the Vidar Trojan panel for a set period of time, weekly or monthly, depending on the offering. This subscription-based access also guarantees that the attackers will always have access to the latest version of the Trojan code.
Every single host will feature log file details and the ability to store notes on them. All extracted passwords are also placed in a separate tab which makes it very convenient to access the acquired credentials.
As it appears, the Vidar Trojan is an extremely potent and capable malware which should be removed once active infections have been identified. This can be very difficult because the engine can penetrate the defenses of the operating system. It is recommended that such infections are removed by professional-grade anti-spyware solutions which guarantee a full system clean-up.
Remove Vidar Trojan
If your computer system got infected with the Vidar Trojan, you should have a bit of experience in removing malware. You should get rid of this Trojan as quickly as possible before it has the chance to spread further and infect other computers. You should remove the Trojan and follow the step-by-step instructions guide provided below.