The Vidar Trojan is an information-stealing malware family used against computer users worldwide. It is delivered mainly through exploits against vulnerable software and services. This article gives an overview of its behavior based on the collected samples and the available reports, and it may also be helpful when attempting to remove the infection.
Short Description: The Vidar Trojan is an information stealer designed to silently infiltrate computer systems.
Symptoms: Victims may not experience any apparent symptoms of infection.
Distribution Method: Software vulnerabilities, freeware installations, bundled packages, scripts and others.
Vidar Trojan – Distribution Methods
The Vidar Trojan is being distributed in a large-scale attack campaign targeting victims all around the world. What makes it particularly dangerous is that it is delivered alongside some of the latest GandCrab ransomware releases, so a single infection chain can steal credentials first and encrypt files afterwards.
Most infections are caused by exploits against two popular targets, Internet Explorer and Adobe Flash Player, delivered by the Fallout Exploit Kit. The criminals use both email phishing campaigns and web redirects to entice targets into interacting with the content that leads to the infection.
Other possible distribution tactics can include any of the following:
- Malware Sites — The criminals can create malicious web sites whose domain names resemble those of legitimate services, sites and companies, complete with valid TLS certificates, to trick targets into believing they have reached a real and safe site. Interacting with any element on such a page can lead to the Vidar Trojan installation.
- Infected Documents — The hackers can embed malicious scripts and macros into documents of all types: presentations, spreadsheets, text documents and databases. When the file is opened, a notification prompt asks the user to enable macros in order to "correctly view" the file. Enabling them triggers the Vidar Trojan infection.
- File Sharing Networks — The Trojan files and all associated payload carriers can be spread on networks like BitTorrent, where both legitimate and pirated content is distributed.
- Malicious Web Browser Plugins — These plugins, also known as hijackers, are usually found in the official extension repositories of the most popular web browsers. They are installed on the promise of enhancements or new features and often use stolen or hacker-made developer credentials and fake user reviews. Once installed, most of them change the default browser settings in order to redirect victims to a hacker-controlled landing page.
According to the available information the first infections with Vidar happened back in October 2018.
Vidar Trojan – Detailed Description
The Vidar Trojan is written in C++ and appears to have been developed by the criminal group that distributes it. Although C++ code can in principle be built for other platforms, every analyzed sample targets Microsoft Windows and depends on Windows-specific components (the Registry, %APPDATA% paths and Windows-only libraries), so portability should not be assumed. Code analysis shows that it is very closely related to another stealer known as Arkei, from which it inherits a whole collection of dangerous modules.
One distinctive characteristic of the Vidar Trojan is a locale check that runs before anything else. The sample compares the machine's regional settings against a hard-coded list of excluded countries and terminates, without stealing anything, when the victim appears to be located in one of them. The captured samples exclude the following: Russia, Belarus, Uzbekistan, Kazakhstan, Azerbaijan. This is the usual CIS exclusion seen in malware sold on Russian-speaking underground markets; it also means that a sandbox configured with one of these locales will never observe the stealing behavior.
Once installed, the Trojan generates a unique machine ID for each infected host. It is derived from the hardware profile of the host combined with the unique identifier (UUID) that Windows assigns to the computer at installation time (the MachineGuid stored in the Registry). The collected profile has been confirmed to include: display language, keyboard languages, local time, time zone, CPU count, RAM size, video card details and network interface.
The main Vidar code then runs, keeping its collected data and working state in memory rather than in persistent files, which makes the infection significantly harder to detect and analyze after the fact.
Following its deployment on the target machines a connection to the hacker-controlled servers is established, and the stealer is configured by a profile delivered from there. This allows the criminals to carry out complex information-stealing activities. The following options are available:
- Choice of Data Type — Cookies, autofill data, stored passwords, browser data, individual file type extensions
- Choice of Source — FTP client credentials (FileZilla and WinSCP), web browsers, Steam, Skype, Telegram, specific folders and system locations
- Additional Information — Screenshots, file grabbers, current date and time
- Collection Options — Maximum file size, identification and acquisition of cryptocurrency wallets, searches for specific data
We have found that the malware stages what it steals in its own set of folders. The following have been identified:
- Master folder
- Auto-fill files
- Credit cards
- Cookies
- Download history from web browsers
- Profile configuration files
- Browser history
- Two-factor authentication software
- Telegram messages
- Wallets
- Screenshots
- Passwords
- Computer setup information
Several components borrowed from legitimate software are used during the credential theft: the Freebl library from Mozilla's NSS, the Mozilla browser library and the Visual C++ 2015 runtime. They are shipped in the malware package, used to decrypt the passwords stored by Firefox-based browsers and mail clients, and deleted afterwards. A non-browser process writing these libraries into a user-writable directory and removing them again a few seconds later is a useful detection signal.
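The drop-use-delete pattern described above can be turned into a simple detection. The following is an added example for this article, not Vidar's own code and not a vendor rule: it scores a constructed, Sysmon-like stream of per-process file events and flags any non-browser process that drops NSS helper DLLs, reads browser credential stores and then deletes the DLLs again. The DLL file names are taken from public analyses of Vidar samples (the article names the libraries but not the files), and all event data is constructed.

```python
"""Detection sketch: a non-browser process drops Mozilla NSS helper DLLs,
reads browser credential stores, and then deletes the DLLs again.

Added example for this article; not Vidar's code and not a product rule.
The event stream is constructed and Sysmon-like (file create/read/delete
per process). The DLL names come from public analyses of Vidar samples."""
from collections import defaultdict

# Libraries the stealer ships and later removes (assumption: these names).
NSS_HELPERS = {"freebl3.dll", "nss3.dll", "mozglue.dll", "softokn3.dll",
               "msvcp140.dll", "vcruntime140.dll"}
# Browser / mail-client credential and cookie stores it reads.
CREDENTIAL_STORES = {"logins.json", "key4.db", "login data", "cookies", "web data"}
# Processes that legitimately touch both of the above.
BROWSERS = {"firefox.exe", "thunderbird.exe", "chrome.exe", "msedge.exe"}


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_processes(events):
    """events: iterable of (timestamp, pid, image_path, op, target_path).
    Returns a sorted list of (pid, image_name, severity) for processes that
    match the drop + read (+ delete) chain."""
    state = defaultdict(lambda: {"image": "", "dropped": set(),
                                 "stores": set(), "deleted": set()})
    for _ts, pid, image, op, target in events:
        s = state[pid]
        s["image"] = _basename(image)
        name = _basename(target)
        if op == "FileCreate" and name in NSS_HELPERS:
            s["dropped"].add(name)
        elif op == "FileRead" and name in CREDENTIAL_STORES:
            s["stores"].add(name)
        elif op == "FileDelete" and name in NSS_HELPERS:
            s["deleted"].add(name)

    alerts = []
    for pid, s in state.items():
        if s["image"] in BROWSERS:
            continue  # a browser owning its own profile is expected
        if s["dropped"] and s["stores"]:
            # drop + read is suspicious; drop + read + self-clean is the
            # full pattern the article describes.
            severity = "high" if s["deleted"] & s["dropped"] else "medium"
            alerts.append((pid, s["image"], severity))
    return sorted(alerts)


# Constructed sample events: a benign browser, a benign installer that only
# drops the VC++ runtime, and one stealer-like process in %LOCALAPPDATA%.
STEALER = r"C:\Users\victim\AppData\Local\Temp\svchost_update.exe"
FF_LOGINS = r"C:\Users\victim\AppData\Roaming\Mozilla\Firefox\Profiles\a1b2.default\logins.json"
SAMPLE_EVENTS = [
    ("10:00:01", 1200, r"C:\Program Files\Mozilla Firefox\firefox.exe", "FileRead", FF_LOGINS),
    ("10:00:05", 3300, r"C:\Users\victim\Downloads\setup.exe", "FileCreate",
     r"C:\Program Files\Tool\msvcp140.dll"),
    ("10:01:10", 4412, STEALER, "FileCreate", r"C:\Users\victim\AppData\Local\Temp\freebl3.dll"),
    ("10:01:10", 4412, STEALER, "FileCreate", r"C:\Users\victim\AppData\Local\Temp\nss3.dll"),
    ("10:01:12", 4412, STEALER, "FileRead", FF_LOGINS),
    ("10:01:13", 4412, STEALER, "FileRead",
     r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("10:01:20", 4412, STEALER, "FileDelete", r"C:\Users\victim\AppData\Local\Temp\freebl3.dll"),
    ("10:01:20", 4412, STEALER, "FileDelete", r"C:\Users\victim\AppData\Local\Temp\nss3.dll"),
]

if __name__ == "__main__":
    for alert in score_processes(SAMPLE_EVENTS):
        print(alert)
```

The installer that merely drops msvcp140.dll never reads a credential store, so it is not flagged; the browser reads its own store but is on the allow list. In a real deployment the same logic would run over Sysmon file-create (event 11), file-delete (23/26) and image-load (7) events, and the allow list would be keyed on signed image paths rather than bare file names.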
In-depth analysis of the threat shows that most of the popular software downloaded and used by end users is targeted:
- Web Browsers — 360 Browser, Amigo, BlackHawk, Cent Browser, Chedot Browser, Chromium, CocCoc, Comodo Dragon, Cyberfox, Elements Browser, Epic Privacy Browser, Google Chrome, IceCat, Internet Explorer, K-Meleon, Kometa, Maxthon5, Microsoft Edge, Mozilla Firefox, Mustang Browser, Nichrome, Opera, Orbitum, Pale Moon, QIP Surf, QQ Browser, Sputnik, Suhba Browser, Tor Browser, Torch, URAN, Vivaldi and Waterfox.
- Messengers and Email Clients — The Bat!, Pidgin, Telegram and Thunderbird
- Cryptocurrency Wallets — Anoncoin, BBQCoin, Bitcoin, DashCore, DevCoin, DigitalCoin, Electron Cash, ElectrumLTC, Ethereum, Exodus, FlorinCoin, FrancoCoin, JAXX, Litecoin, MultiDoge, TerraCoin, YACoin and ZCash.
The information grabber reads the Windows Registry and the application data directories of the programs listed above, and can attach to running processes to extract data from them. The locations it searches are expressed with the following path macros, which are resolved on the victim machine:
%ALL_DRIVES%, %APPDATA%, %C%, %D%, %DESKTOP%, %DOCUMENTS%, %DRIVE_FIXED%, %DRIVE_REMOVABLE%, %LOCALAPPDATA%, %USERPROFILE%
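To make the configurable grabber concrete, here is an added example (not Vidar's code) that models how a compact profile rule, using the path macros above together with the collection options listed earlier, turns into a targeted file list. The rule layout (macro; globs; maximum size in KB; recurse flag; excluded directory names) is an assumption made for illustration, and the macro values and file tree are constructed.

```python
"""Model of the configurable file grabber described in the article.

Added example, not Vidar's own code. The one-line rule layout is an
assumption made for illustration; macro values and the file tree are
constructed. It shows how a short profile becomes a targeted collection."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Constructed stand-ins for the path macros a rule may reference; on a real
# victim they are resolved from the environment.
MACROS = {
    "%DESKTOP%": "C:/Users/victim/Desktop",
    "%DOCUMENTS%": "C:/Users/victim/Documents",
    "%APPDATA%": "C:/Users/victim/AppData/Roaming",
    "%LOCALAPPDATA%": "C:/Users/victim/AppData/Local",
    "%USERPROFILE%": "C:/Users/victim",
}


@dataclass
class GrabRule:
    root: str                 # resolved directory to search
    patterns: list            # lowercase filename globs
    max_bytes: int            # files above this size are skipped
    recurse: bool             # descend into subdirectories
    exclude_dirs: set = field(default_factory=set)  # lowercase dir names


def parse_rule(line: str) -> GrabRule:
    """Assumed layout: <macro>;<glob:glob:...>;<max KB>;<true|false>;<dir:dir:...>"""
    macro, globs, max_kb, recurse, excludes = (p.strip() for p in line.split(";"))
    if macro not in MACROS:
        raise ValueError(f"unknown path macro {macro!r}")
    return GrabRule(
        root=MACROS[macro],
        patterns=[g.lower() for g in globs.split(":") if g],
        max_bytes=int(max_kb) * 1024,
        recurse=recurse.lower() == "true",
        exclude_dirs={d.lower() for d in excludes.split(":") if d},
    )


def select_files(rule: GrabRule, tree):
    """tree: iterable of (absolute_path, size_in_bytes). Returns the sorted
    list of paths the grabber would copy into its staging folder."""
    hits = []
    prefix = rule.root + "/"
    for path, size in tree:
        if not path.startswith(prefix):
            continue
        parts = path[len(prefix):].split("/")
        dirs, name = parts[:-1], parts[-1].lower()
        if dirs and not rule.recurse:
            continue
        if any(d.lower() in rule.exclude_dirs for d in dirs):
            continue
        if size > rule.max_bytes:
            continue
        if any(fnmatchcase(name, g) for g in rule.patterns):
            hits.append(path)
    return sorted(hits)


def grab_plan(profile_line: str, tree):
    return select_files(parse_rule(profile_line), tree)


# Constructed profile and file tree. The globs mirror the kinds of names the
# article says the grabber hunts for: wallets, 2FA backups, password notes.
SAMPLE_RULE = "%DESKTOP%;*.txt:*wallet*.*:*2fa*.*:*password*.*;50;true;movies:music"
SAMPLE_TREE = [
    ("C:/Users/victim/Desktop/passwords.txt", 2_048),
    ("C:/Users/victim/Desktop/wallet-backup.dat", 40_000),
    ("C:/Users/victim/Desktop/holiday.mp4", 900_000_000),
    ("C:/Users/victim/Desktop/movies/notes.txt", 100),
    ("C:/Users/victim/Desktop/work/2fa-codes.txt", 512),
    ("C:/Users/victim/Desktop/big-notes.txt", 80_000),
    ("C:/Users/victim/Documents/report.txt", 100),
]

if __name__ == "__main__":
    for hit in grab_plan(SAMPLE_RULE, SAMPLE_TREE):
        print(hit)
```

The 50 KB cap and the excluded "movies" directory are what keep the stolen archive small enough to upload quickly; the upside for defenders is that small decoy files with names like wallet or 2fa placed on the desktop are exactly what such a rule picks up, which makes them good canaries for file-access auditing.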
A loader module is also present: it downloads a payload from a remote host to a file with a randomly generated name and executes it. Once it has finished, the main Vidar engine may either terminate its own process or delete itself from the system altogether.
When the stealing routine has completed, the hacker-controlled server is contacted once again to report the results. The information-gathering component and the other modules can transmit the following data: hardware ID, OS name and version, architecture (32/64-bit), profile ID, name of the victim account, number of acquired payment card details, number of stolen wallets, number of files stolen, Telegram data and the current version of the Vidar Trojan.
The Vidar Trojan comes with a command-and-control panel that the criminal operators set up themselves. It lets them interact with the compromised hosts and carry out all available malicious actions. When logged in to the panel the operators can build new releases, set up the appropriate configuration profile and view the current state of the campaign. The panel displays the current number of victims and an "account balance", which indicates that access is leased via the hacker underground markets. This deployment model is borrowed from the RaaS scheme used by ransomware: would-be attackers pay the developers a fee to access the Vidar panel for a set period of time, weekly or monthly depending on the offering. Subscription-based access also guarantees that the attackers always have the latest version of the Trojan code.
Every single host will feature log file details and the ability to store notes on them. All extracted passwords are also placed in a separate tab which makes it very convenient to access the acquired credentials.
As it appears, the Vidar Trojan is an extremely potent and capable malware which should be removed as soon as an active infection has been identified. Removal alone is not enough, however: by the time the infection is noticed, stored passwords, cookies, autofill data and wallet files have usually already been sent to the operators. All passwords that were saved in the affected browsers and clients should be changed from a clean device, active web sessions should be signed out everywhere so that stolen cookies stop working, and any funds in affected cryptocurrency wallets should be moved to a freshly created wallet. Because the engine keeps its state in memory and cleans up after itself, it is recommended that such infections are removed with a professional-grade anti-malware solution rather than by hand.
Remove Vidar Trojan
If your computer system got infected with the Vidar Trojan, you should have a bit of experience in removing malware. You should get rid of this Trojan as quickly as possible before it has the chance to spread further and infect other computers. Remove the Trojan by following the step-by-step guide provided below.
To remove Vidar Trojan follow these steps:
- Guide 1: How to Remove Vidar Trojan from Windows.
- Guide 2: Get rid of Vidar Trojan on Mac OS X.
- Guide 3: Remove Vidar Trojan in Google Chrome.
- Guide 4: Erase Vidar Trojan from Mozilla Firefox.
- Guide 5: Uninstall Vidar Trojan from Microsoft Edge.
- Guide 6: Remove Vidar Trojan from Safari.
- Guide 7: Eliminate Vidar Trojan from Internet Explorer.
- Guide 8: Disable Vidar Trojan Push Notifications in Your Browsers.
How to Remove Vidar Trojan from Windows.
Step 1: Boot Your PC In Safe Mode to isolate and remove Vidar Trojan
Step 2: Uninstall Vidar Trojan and related software from Windows
Here is a method in a few easy steps that should be able to uninstall most programs. Whether you are using Windows 10, 8, 7, Vista or XP, these steps will get the job done. Dragging the program or its folder to the Recycle Bin is a bad idea: bits and pieces of the program are left behind, which can lead to an unstable PC, broken file type associations and other problems. The proper way to get a program off your computer is to uninstall it.
Step 3: Clean any registry keys created by Vidar Trojan on your computer.
The registry keys usually targeted on Windows machines are the following:
You can access them by opening the Windows Registry Editor and deleting any values created by Vidar Trojan there. This can be done by following the steps underneath:
Get rid of Vidar Trojan from Mac OS X.
Step 1: Uninstall Vidar Trojan and remove related files and objects
1. Hit the ⇧+⌘+U keys to open Utilities. Another way is to click on "Go" and then click "Utilities".
- Go to Finder.
- In the search bar type the name of the app that you want to remove.
- Above the search bar change the two drop down menus to “System Files” and “Are Included” so that you can see all of the files associated with the application you want to remove. Bear in mind that some of the files may not be related to the app so be very careful which files you delete.
- If all of the files are related, press ⌘+A to select them and then drag them to "Trash".
In case you cannot remove Vidar Trojan via Step 1 above:
In case you cannot find the malware files and objects in your Applications folder or the other places shown above, you can manually look for them in the Library directories of your Mac. Be careful: these directories also hold files belonging to legitimate software, so delete only what you can attribute to the threat.
You can repeat the same procedure with the following other Library directories:
Tip: ~ is there on purpose, because it leads to more LaunchAgents.
Step 2: Scan for and remove Vidar Trojan files from your Mac
When you are facing problems on your Mac as a result of unwanted scripts and programs such as Vidar Trojan, the recommended way of eliminating the threat is to run a scan with an anti-malware program for Mac, which can also protect the system going forward.
Remove Vidar Trojan from Google Chrome.
Step 1: Start Google Chrome and open the drop menu
Step 2: Move the cursor over "Tools" and then from the extended menu choose "Extensions"
Step 3: From the opened "Extensions" menu locate the unwanted extension and click on its "Remove" button.
Step 4: After the extension is removed, restart Google Chrome by closing it from the red "X" button at the top right corner and start it again.
Erase Vidar Trojan from Mozilla Firefox.
Step 1: Start Mozilla Firefox. Open the menu window
Step 2: Select the "Add-ons" icon from the menu.
Step 3: Select the unwanted extension and click "Remove"
Step 4: After the extension is removed, restart Mozilla Firefox by closing it from the red "X" button at the top right corner and start it again.
Uninstall Vidar Trojan from Microsoft Edge.
Step 1: Start Edge browser.
Step 2: Open the drop menu by clicking on the icon at the top right corner.
Step 3: From the drop menu select "Extensions".
Step 4: Choose the suspected malicious extension you want to remove and then click on the gear icon.
Step 5: Remove the malicious extension by scrolling down and then clicking on Uninstall.
Remove Vidar Trojan from Safari.
Step 1: Start the Safari app.
Step 2: After hovering your mouse cursor to the top of the screen, click on the Safari text to open its drop down menu.
Step 3: From the menu, click on "Preferences".
Step 4: After that, select the 'Extensions' Tab.
Step 5: Click once on the extension you want to remove.
Step 6: Click 'Uninstall'.
A pop-up window will appear asking for confirmation to uninstall the extension. Select 'Uninstall' again, and the Vidar Trojan will be removed.
Eliminate Vidar Trojan from Internet Explorer.
Step 1: Start Internet Explorer.
Step 2: Click on the gear icon labeled 'Tools' to open the drop menu and select 'Manage Add-ons'
Step 3: The 'Manage Add-ons' window opens.
Step 4: Select the extension you want to remove and then click 'Disable'. A pop-up window will appear to inform you that you are about to disable the selected extension, and some more add-ons might be disabled as well. Leave all the boxes checked, and click 'Disable'.
Step 5: After the unwanted extension has been removed, restart Internet Explorer by closing it from the red 'X' button located at the top right corner and start it again.
Remove Push Notifications caused by Vidar Trojan from Your Browsers.
Turn Off Push Notifications from Google Chrome
To disable any Push Notices from Google Chrome browser, please follow the steps below:
Step 1: Go to Settings in Chrome.
Step 2: In Settings, select “Advanced Settings”:
Step 3: Click “Content Settings”:
Step 4: Open “Notifications”:
Step 5: Click the three dots and choose Block, Edit or Remove options:
Remove Push Notifications on Firefox
Step 1: Go to Firefox Options.
Step 2: Go to “Settings”, type “notifications” in the search bar and click "Settings":
Step 3: Click “Remove” on any site you wish notifications gone and click “Save Changes”
Stop Push Notifications on Opera
Step 1: In Opera, press ALT+P to go to Settings
Step 2: In Setting search, type “Content” to go to Content Settings.
Step 3: Open Notifications:
Step 4: Do the same as you did with Google Chrome (explained above):
Eliminate Push Notifications on Safari
Step 1: Open Safari Preferences.
Step 2: Choose the domain from where you like push pop-ups gone and change to "Deny" from "Allow".